Samba upgrade to 3.6.25-0ubuntu0.12.04.2 break domain authentication

Also related: https://bugzilla.redhat.com/show_bug.cgi?id=1326918

Started patching our critical servers after badlock alert came out. Broke our fileshares and then trust relationship of win7 clients to domain. Down graded back to original samba version and everything started working again.

Status changed to 'Confirmed' because the bug affects multiple users.

Hello,

We try to change the configuration of samba 2:3.6.25-0ubuntu0.12.04.2 with

    allow dcerpc auth level connect = yes

But it does not work.

Regards.

If it can help, we do not have the issue with package 2:4.3.8+dfsg-0ubuntu0.14.04.2 from Trusty.

Finally we have the solution:

The windows machines must be up-to-date, with the samba up-to-date, without the configuration

    allow dcerpc auth level connect = yes

If the windows machine is not up-to-date, the configuration "allow dcerpc auth level connect = yes" does not permit to connect.

If the windows machine is up-to-date, the configuration "allow dcerpc auth level connect = yes" block the connection.

Thanks.

We can't find a solution, here :(

Our windows machines are up to date.

But we still have the same problem, without "allow dcerpc auth level connect = yes" in our configuration

In response to comment #6, all the Ubuntu 12.04 machines we upgraded to Samba version 3.6.25-0ubuntu0.12.04.2 suffered from this problem and none of them had "allow dcerpc auth level connect = yes" in the smb.conf file. So I think you may be looking at a different problem.

Another test command I have used is running 'net rpc group -S localhost -U Administrator'. On a non-upgraded machine this returns the list of Samba groups in LDAP. On an upgraded machine it returns "Connection failed: NT_STATUS_ACCESS_DENIED".

I should mention that all the servers effected where using the LDAP backend setup via smbldap-tools. Some server were running winbind but not all. Machines were mix of 32-bit and 64-bit installs.

Clients with login problems were both Windows 7 and XP joined to a domain. Sometimes a user could login to a machine using a recently used user account (info probably cached on locally on Windows machine). File access to server was fine. Leaving and rejoining the domain produced no error, but users could still not login.

Example of Samba log file from when the login failed:
[2016/04/19 10:00:37.960814, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_S
erverAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth
request from client WIN7-DATABASE machine account WIN7-DATABASE$
[2016/04/19 10:00:37.978252, 1] rpc_server/srv_pipe.c:1845(api_pipe_request)
  srv_pipe_check_verification_trailer: failed
[2016/04/19 10:00:50.068608, 1] smbd/process.c:457(receive_smb_talloc)
[2016/04/19 10:01:39.597632, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_S
erverAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth
request from client WIN7-DATABASE machine account WIN7-DATABASE$
[2016/04/19 10:01:39.620571, 1] rpc_server/srv_pipe.c:1845(api_pipe_request)
  srv_pipe_check_verification_trailer: failed
[2016/04/19 10:01:55.838151, 1] smbd/process.c:457(receive_smb_talloc)

Why is nothing happening? My users can't login and are beginning to lose faith in Linux/Ubuntu. The first one started to ask for a windows server......

As a quick workaround, you can downgrade samba to previous version and restart service, that is of course not a fix but will allow end-users to connect/authenticate again for time being. After downgrade, client workstation may need reboot before user can connect again. If it still does not work, try remove/readd machine to domain (after downgrade). That has successfully worked for us. After downgrade, of course, make sure samba is not updating until a fix is confirmed and published.

Another quick and dirty solution is to:
- unplug network cable from client computer (disconnecting machine from network)
- ask user to login (if it has connected recently he/her should be authenticated via cache on local machine)
- once logged in and on Desktop, reconnect network cable, to allow acess to network ressources

Hope that help as quick fix...

For reference...

Related Debian bug reports:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820982 (samba: Users cannot open their Windows session anymore)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821811 (samba: badlock patch breaks trust relationship)

Related others:
- http://osdir.com/ml/general/2016-04/msg18262.html
- https://<email address hidden>/msg1413072.html

In the meantime I downgraded. (First time in 15 years ;-)

apt-get install samba=2:3.6.3-2ubuntu2 samba-common=2:3.6.3-2ubuntu2 smbclient=2:3.6.3-2ubuntu2 samba-common-bin=2:3.6.3-2ubuntu2 samba-doc=2:3.6.3-2ubuntu2 libwbclient0=2:3.6.3-2ubuntu2 libpam-smbpass=2:3.6.3-2ubuntu2 winbind=2:3.6.3-2ubuntu2 libpam-winbind=2:3.6.3-2ubuntu2

The following packages will be DOWNGRADED:
  libpam-smbpass libpam-winbind libwbclient0 samba samba-common samba-common-bin samba-doc smbclient winbind
...

PS on ls -ltr /var/cache/apt/archives you will find the list of actual installed samba packages

I hope this is helpful for other readers.

The subject of this report is way too narrow: A system of mine was affected, downgrade worked immediately: The system is a PDC for an NT style domain; Samba users are system users, no LDAP; windbind not running; Clients are XP, W7 and W10.

Samba server logged quite often:
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client XYZ machine account XYZ$

As a second person has confirm that the problem also effects Windows XP clients I have update the title of the bug. In my experience it seems to only effect domain functions, basic SMB file sharing seems OK.

It looks like a regression fix is available upstream https://git.samba.org/?p=asn/samba.git;a=commit;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5

Contents of Andreas_Schneider patch to srv_pipe.c to fix the regression verifying the security trailer, taken from https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5;hp=ea6f2386611d0a4edd65962a59b3448be976c1bb

--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1552,7 +1552,6 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
 {
        TALLOC_CTX *frame = talloc_stackframe();
        struct dcerpc_sec_verification_trailer *vt = NULL;
- const uint32_t bitmask1 = 0;
        const struct dcerpc_sec_vt_pcontext pcontext = {
                .abstract_syntax = pipe_fns->syntax,
                .transfer_syntax = ndr_transfer_syntax,
@@ -1573,7 +1572,7 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
                goto done;
        }

- ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
+ ret = dcerpc_sec_verification_trailer_check(vt, NULL,
                                                    &pcontext, &header2);
 done:
        TALLOC_FREE(frame);

Contents of Andreas_Schneider patch to srv_pipe.c to fix the regression verifying the security trailer, taken from https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5;hp=ea6f2386611d0a4edd65962a59b3448be976c1bb

--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1552,7 +1552,6 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
 {
        TALLOC_CTX *frame = talloc_stackframe();
        struct dcerpc_sec_verification_trailer *vt = NULL;
- const uint32_t bitmask1 = 0;
        const struct dcerpc_sec_vt_pcontext pcontext = {
                .abstract_syntax = pipe_fns->syntax,
                .transfer_syntax = ndr_transfer_syntax,
@@ -1573,7 +1572,7 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
                goto done;
        }

- ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
+ ret = dcerpc_sec_verification_trailer_check(vt, NULL,
                                                    &pcontext, &header2);
 done:
        TALLOC_FREE(frame);

The attachment "~/temp/firefox-downloads/Andreas_Schneider_srv_pipe.c.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Downgrade as posted by Rob above works. Alternately, add this to your smb.conf file:
client ipc signing = no

One problem with changing "client ipc signing" is that it is not documented in the man pages of these packages for Ubuntu 12.04 and the settings are different to the Samba packages in Ubuntu 14.04 (where the possible settings are "auto", "mandatory" and "disabled").

For additional reference, recent Samba known cybersecurity vulnerabilities report (apply to Samba 3 & 4) indicate a change in default setting for "client ipc signing" as well as the global conf options newly introduced to keep compatibility:

SMB client connections for IPC traffic are not integrity protected
https://www.samba.org/samba/security/CVE-2016-2115.html

As highlighted by John, the only possible settings are "auto", "mandatory" and "disabled"...

This bug needs to be fixed, I don't understand how the importance can be "undecided". It effectively stops users from logging in and it makes me run a version without the latest security fixes.

According the reporter's description "Linux client can authentificate themselves without problems." - this seems NOT to be the case. This upgrade broke the ability for 12.04 linux clients to join a samba managed domain.

Using the usual configuration files and current domain join creds we would get on the linux client:

Connection failed: NT_STATUS_ACCESS_DENIED

After downgrading the 12.04 linux client with

apt-get install samba=2:3.6.3-2ubuntu2 samba-common=2:3.6.3-2ubuntu2 smbclient=2:3.6.3-2ubuntu2 samba-common-bin=2:3.6.3-2ubuntu2 samba-doc=2:3.6.3-2ubuntu2 libwbclient0=2:3.6.3-2ubuntu2 libpam-smbpass=2:3.6.3-2ubuntu2 winbind=2:3.6.3-2ubuntu2 libpam-winbind=2:3.6.3-2ubuntu2

the ability to join is back and everything works normally (nsswitch, pam, etc)

Another problem with "client ipc signing" is that on a machine that has just joined the domain, domain users can not login. Samba logs report:
[2016/05/03 12:37:54.226769, 1] rpc_server/srv_pipe.c:1845(api_pipe_request)
  srv_pipe_check_verification_trailer: failed
[2016/05/03 12:37:54.273670, 1] rpc_server/srv_pipe.c:1845(api_pipe_request)
  srv_pipe_check_verification_trailer: failed

When upgrading our DC from Ubuntu 13.04 to 14.04 we were also upgraded from Samba 3.6.9 to 4.3.8. Now Ubuntu clients cannot authenticate and (as ghomem mentions) Ubuntu member servers are not able to join the domain. Unfortunately downgrading Samba on 14.04 is not as simple as using dpkg or apt. Here is a snippet of debug out put when attempting to join the domain:

Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] CB 5B 1C 2A DC 07 09 6E .[.*...n
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 00 00 00 00 00 00 00 00 ........
smb_signing_good: BAD SIG: seq 1
SPNEGO login failed: Access denied
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : NULL
            dns_domain_name : NULL
            forest_name : NULL
            dn : NULL
            domain_sid : NULL
                domain_sid : (NULL SID)
            modified_config : 0x00 (0)
            error_string : 'failed to lookup DC info for domain 'FOO' over rpc: Access denied'
            domain_is_ad : 0x00 (0)
            result : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'FOO' over rpc: Access denied
return code = -1

In response to comment #27, I think that the problem with clients connecting to Samba version 4.3.8 on Ubuntu 14.04 may be a different problem. Some of the discussion in bug #1573221 may be relevant, particular setting "client use spnego = no".
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1573221

Actually, the problem we are having does not appear to be related to bug #1573221. The issue described in the original bug report there does not affect any of our clients. All are able to connect regardless of the setting of 'client use spnego.' We are experiencing a problem more similar to the original description of this bug report: "client can't join the domain" though the client here is a Ubuntu file server.

There is another bug #1572824 which could be related as well. If the consensus is that my issue is significantly different, I will be glad to open an new bug for it. It just appears that all of these issues share a common cause at this point at least.

Christopher,

As indicated here https://www.samba.org/samba/security/CVE-2016-2115.html default settings of Samba may have changed and therefore may require extra new option in global settings to bring back compatibilty... The first I would suggest is try adding the following:

client ipc signing = auto

Alternatively you can also try "disable" instead of "auto"...

Worth a shot...

Regards,

Here is a reference to the exact problem on the Samba list:

https://lists.samba.org/archive/samba/2016-April/199395.html

No answer as of yet, but there is a lot of noise on the list about recent Samba upgrade issues.

Richard,

Setting "client ipc signing = auto" indeed corrected the problem, and I was able to join the file server back to the domain. This may be a fix for others with the particular issue I have.

However, I now have a slightly different issue. This one involved users being denied access to restricted network shares. However, if the share is wide open, there are no problems. This was not a problem prior the upgrade. I'm working through it now and will try to decide where to post about it as I find more.

Thanks!

Today's Samba update may contain the fix for this issue:

http://www.ubuntu.com/usn/usn-2950-2/

Could the original bug reporter please test the update and comment here? Thanks!

For reference...

Samba security regression tracking bug
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

Not the original reporter, but the issue I mention in comment #32 was resolved when this update was applied.

Thanks!

Status still open?

Upgrading samba:amd64 2:3.6.3-2ubuntu2 -> 2:3.6.25-0ubuntu0.12.04.3 fixed the issue for me (nt-style domain logons broken)

Thanks for testing the new version. I am closing this bug. If anyone is still experiencing issues with the new update, please file a new bug. Thanks!

I just make the test and the windows-7 workstation can login with the new 2:3.6.25-0ubuntu0.12.04.3 samba package.

For the record, I made a test with and without the microsoft patch https://www.microsoft.com/en-us/download/confirmation.aspx?id=51829.

Thanks.

I applied to Ubuntu Server 12.04 Samba update 2:3.6.25-0ubuntu0.12.04.3 and am pleased and relieved to see my test Windows XP client once again able to login to the Samba NT4 style domain.

This update appears to resolve the defect I originally opened:
[Bug 1574228] Changes to Samba packages for April 12 prevent legacy Windows clients from logging in to NT4 style domain

Note: I did not make ANY changes to my configuration / settings. Only upgraded to this new build of the Samba packages.

I am thankful,
Michael

I applied the new samba update, problem is fixed.
Windows (XP/7) and Ubuntu clients can now authenticate themselves without problems.

Thanks !

I'm late to comment, anyways: the update fixed all problems that arose.