The fix is already included in Samba versions 4.13.15 and 4.14.11, so I'm opening this issue to be sure that the next TrueNAS release will include one of these versions and not stay on 4.13.14.
It would be nice if this upgrade was released soon, because currently people using Kerberos authentication in an MIT realm, e.g., FreeIPA, have to stay on a Samba version vulnerable to CVE-2020-25717.
Thanks a lot!
To help discoverability when searching for this issue, here is the related error in /var/log/samba4/log.smdb:
[2021/12/17 09:06:13.789613, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
Registered MSG_REQ_POOL_USAGE
[2021/12/17 09:06:13.803657, 2] ../../auth/kerberos/gssapi_pac.c:169(gssapi_obtain_pac_blob)
obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: Miscellaneous failure (see text): Ticket have not authorization data of type 128
Since 12.0-U6.1 Samba authentication fails when using Kerberos in an MIT realm.
Upstream bug report: https://bugzilla.samba.org/show_bug.cgi?id=14922
Upstream fix: https://gitlab.com/samba-team/samba/-/commit/1e61de8306604a0d3858342df8a1d2412d8d418b
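A check for this failure signature in an smbd log, as an added example that is not part of the original report or of Samba's own code: it groups each debug header line with the message lines that follow it and flags the gssapi_obtain_pac_blob record quoted above. The function and variable names are hypothetical, the header layout is assumed to match the form shown in the report, and the sample input is the two records copied from the report.

```python
import re

# Header of a Samba debug record as it appears in the report:
# "[timestamp, level] source_file:line(function)". Extra fields after the
# level (assumption: some log settings add them) are tolerated and ignored.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)[^\]]*\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

# Message text quoted in the report; Samba logs it when the ticket has no PAC.
PAC_MISSING = "Ticket have not authorization data of type 128"


def parse_records(lines):
    """Group each header line with the message lines that follow it."""
    records, current = [], None
    for raw in lines:
        text = raw.strip()
        match = HEADER.match(text)
        if match:
            current = {**match.groupdict(), "message": ""}
            records.append(current)
        elif current is not None and text:
            current["message"] = (current["message"] + " " + text).strip()
    return records


def find_pac_failures(lines):
    """Return the records where obtaining the PAC failed for lack of one."""
    return [
        rec for rec in parse_records(lines)
        if rec["func"] == "gssapi_obtain_pac_blob" and PAC_MISSING in rec["message"]
    ]


# Sample input: the two records from the report above.
SAMPLE = """
[2021/12/17 09:06:13.789613, 2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2021/12/17 09:06:13.803657, 2] ../../auth/kerberos/gssapi_pac.c:169(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: Miscellaneous failure (see text): Ticket have not authorization data of type 128
"""

if __name__ == "__main__":
    for rec in find_pac_failures(SAMPLE.splitlines()):
        print(f"{rec['ts']} {rec['src']}:{rec['line']} missing PAC in Kerberos ticket")
```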