Samba Domain Member cannot check passwords against Samba AD DC after "Badlock" update
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba (Ubuntu) | Fix Released | High | Ubuntu Security Team |
Bug Description
Hi,
I updated Samba on my old web server, which is running a fully updated 12.04.5 LTS, and now I cannot get it to act as a domain member anymore. All password validation requests fail. The only way to access this server once more is to manually add local users with usernames and passwords matching the domain users.
The server is now completely incapable of checking passwords against our 14.04 LTS Samba AD DC. I have verified that upgrading our other 14.04 LTS file server from Samba 4.1.6 to 4.3.8 worked fine, but upgrading our Samba AD DC from 4.1.6 to 4.3.8 BROKE EVERYTHING, so I had to roll that back. I suspect that if I were able to update the AD DC to 4.3.8 perhaps this issue would go away, as I believe the problem is specific to the recently patched "badlock" bug. However, that is a separate issue, one that I will not file a bug for unless I am able to determine that it is not specific to our configuration. I will spin up a new AD DC using the 4.3.8 series and try to make it the new PDC, and if that also fails, I will file a bug for that other issue. I will also come back here and let you know if this issue goes away by doing that or not. I would upgrade this server to 14.04 LTS, if not for the fact that we still have some legacy PHP 5.3 code, and we were not able to compile PHP 5.3 on newer Ubuntu versions because of crazy dependency issues which I will not get into here.
Relevant error messages when trying to use smbclient with a domain username:
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_
Changing the server signing and client signing parameters on any of the involved servers does not seem to fix the issue, unfortunately. Below is more debug info, with my true domain name changed to SAMDOM.EXAMPLE.ORG instead of what it actually is. To make it more clear: FILESERV is our 4.3.8 fileserver, FILESERV2 is actually our 4.1.6 Samba AD DC, and DB3 is our 3.6.25 file/web server.
Full debug level 5 output of the smbtree command:
smbtree -d 5 -U administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/
doing parameter netbios name = db3
handle_
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80:
added interface eth0 ip=192.168.6.76 bcast=192.
Enter administrator's password:
Opening cache file at /var/run/
Opening cache file at /var/run/
name SAMDOM#1D found.
Connecting to host=192.168.6.91
Connecting to 192.168.6.91 at port 445
Socket options:
TCP_NODELAY = 1
TCP_KEEPCNT = 9
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_
namecache_
Connecting to host=FILESERV
Connecting to 192.168.6.91 at port 445
Connecting to 192.168.6.91 at port 139
Socket options:
TCP_NODELAY = 1
TCP_KEEPCNT = 9
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_
Full debug level 5 output of the smbclient command:
smbclient -d 5 -L localhost -U administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/
doing parameter netbios name = db3
handle_
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80:
added interface eth0 ip=192.168.6.76 bcast=192.
Netbios name list:-
my_netbios_
Client started (version 3.6.25).
Enter administrator's password:
Opening cache file at /var/run/
Opening cache file at /var/run/
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-
no entry for localhost#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name localhost<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name localhost<0x20>
namecache_store: storing 1 address for localhost#20: 127.0.0.1
Connecting to 127.0.0.1 at port 445
Socket options:
TCP_NODELAY = 1
TCP_KEEPCNT = 9
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
session request ok
Substituting charset 'UTF-8' for LOCALE
Doing spnego session setup (blob length=112)
got OID=1.2.
got OID=1.2.
got OID=1.3.
got principal=
Got challenge flags:
Got NTLMSSP neg_flags=
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
NTLMSSP_
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_
Full debug level 5 output of domain join command:
root@db3:
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/
doing parameter netbios name = db3
handle_
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_
added interface eth0 ip=fe80:
added interface eth0 ip=192.168.6.76 bcast=192.
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_
Enter administrator's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
os_name : NULL
upn : NULL
ads : NULL
debug : 0x01 (1)
Opening cache file at /var/run/
Opening cache file at /var/run/
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-
ads_dns_lookup_srv: 1 records returned in the answer section.
Connecting to host=fileserv2.
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-
name fileserv2.
Connecting to 192.168.6.92 at port 445
Socket options:
TCP_NODELAY = 1
TCP_KEEPCNT = 9
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
dn : NULL
result : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'SAMDOM.
return code = -1
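The three level-5 runs above are long, but the lines that matter are the "Connecting to ..." lines and the handful of failure lines that follow them. As an added example (it is not part of the bug report and not Samba code), the script below walks such debug output, groups the connection lines into attempts, and records at which stage each attempt died: protocol negotiation (the "SMB signing is mandatory" message followed by "failed negprot") or the later session setup. Run over the report's own lines, it separates the DC connections, which never get past negprot, from the localhost run, which gets through negotiation and then fails at session setup with "No logon servers". The sample input is constructed from the report's lines with the level-5 noise removed; the NT_STATUS_ codes are left truncated exactly as the report shows them, and the failure labels ("signing_mismatch", "no_logon_servers") are names chosen here, not Samba's.

```python
"""Classify where an smbclient/smbtree debug run fails: TCP connect, SMB
protocol negotiation (negprot), or session setup.

Added example for the bug report above; not Samba code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the connection and failure lines from the report's
# debug runs, with the rest of the level-5 output removed.  Status codes are
# truncated exactly as they appear in the report.
SAMPLE_LOG = """\
Connecting to host=192.168.6.91
Connecting to 192.168.6.91 at port 445
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_
Connecting to host=FILESERV
Connecting to 192.168.6.91 at port 445
Connecting to 192.168.6.91 at port 139
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_
Connecting to 127.0.0.1 at port 445
session request ok
Doing spnego session setup (blob length=112)
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_
Connecting to host=fileserv2.
Connecting to 192.168.6.92 at port 445
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_
"""

HOST_RE = re.compile(r"^Connecting to host=(\S+)$")
PORT_RE = re.compile(r"^Connecting to (\S+) at port (\d+)$")
SIGNING_RE = re.compile(r"^cli_negprot: SMB signing is mandatory and the server doesn't support it\.$")
NEGPROT_RE = re.compile(r"^failed negprot: (\S*)$")
SPNEGO_RE = re.compile(r"^SPNEGO login failed: (.*)$")
SESSION_RE = re.compile(r"^session setup failed: (\S*)$")


@dataclass
class Attempt:
    name: Optional[str]            # target as the client named it, if logged
    address: Optional[str] = None  # address actually connected to
    ports: List[int] = field(default_factory=list)
    stage: str = "connect"         # connect -> negprot -> session_setup
    failure: Optional[str] = None  # None while the attempt is still alive
    detail: str = ""

    @property
    def finished(self) -> bool:
        return self.failure is not None


def parse_attempts(log_text: str) -> List[Attempt]:
    """Group debug lines into connection attempts and tag each with its failure."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None

    def new_attempt(name: Optional[str] = None) -> Attempt:
        nonlocal cur
        cur = Attempt(name=name)
        attempts.append(cur)
        return cur

    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            new_attempt(m.group(1))
        elif (m := PORT_RE.match(line)):
            addr, port = m.group(1), int(m.group(2))
            # A fresh target, or a retry after a failure, starts a new attempt;
            # another port on the same address belongs to the current one.
            if cur is None or cur.finished or (cur.address and cur.address != addr):
                new_attempt()
            cur.address = addr
            cur.ports.append(port)
        elif cur is None or cur.finished:
            continue  # stray lines outside any live attempt
        elif SIGNING_RE.match(line):
            cur.stage = "negprot"
            cur.detail = "client requires SMB signing; server did not offer it"
        elif (m := NEGPROT_RE.match(line)):
            cur.stage = "negprot"
            cur.failure = "signing_mismatch" if cur.detail else "negprot_failed"
            cur.detail = cur.detail or f"status {m.group(1) or '(truncated)'}"
        elif (m := SPNEGO_RE.match(line)):
            cur.stage = "session_setup"
            cur.detail = m.group(1)
        elif SESSION_RE.match(line):
            cur.stage = "session_setup"
            cur.failure = ("no_logon_servers" if "No logon servers" in cur.detail
                           else "session_setup_failed")
    return attempts


def summarize(log_text: str) -> dict:
    """Count attempts per failure class and list addresses that refused unsigned SMB."""
    attempts = parse_attempts(log_text)
    by_failure: dict = {}
    for a in attempts:
        key = a.failure or "ok"
        by_failure[key] = by_failure.get(key, 0) + 1
    return {
        "attempts": len(attempts),
        "by_failure": by_failure,
        "signing_targets": sorted({a.address for a in attempts
                                   if a.failure == "signing_mismatch" and a.address}),
    }


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        target = a.name or a.address
        print(f"{target:>16} {a.address}:{','.join(map(str, a.ports))} "
              f"stage={a.stage} failure={a.failure} ({a.detail})")
    print(summarize(SAMPLE_LOG))
```

Fed a full level-5 capture rather than the trimmed sample, the parser ignores everything that is not a connection or failure line, so the same script can be pointed at the complete output of each command in the report.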
tags: added: regression-update
Changed in samba (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → High
Changed in samba (Ubuntu):
status: Confirmed → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.