| 2023-07-13 16:40:22 |
msaxl |
bug |
|
|
added bug |
| 2023-07-14 11:10:47 |
Launchpad Janitor |
samba (Ubuntu): status |
New |
Confirmed |
|
| 2023-07-14 11:15:34 |
Chris Puttick |
bug |
|
|
added subscriber Chris Puttick |
| 2023-07-14 11:43:26 |
Robert Stroetgen |
bug |
|
|
added subscriber Robert Stroetgen |
| 2023-07-14 12:13:22 |
Andreas Hasenack |
samba (Ubuntu): importance |
Undecided |
High |
|
| 2023-07-14 12:13:26 |
Andreas Hasenack |
samba (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2023-07-14 12:13:30 |
Andreas Hasenack |
tags |
|
server-todo |
|
| 2023-07-14 12:16:10 |
Andreas Hasenack |
bug watch added |
|
https://bugzilla.samba.org/show_bug.cgi?id=15418 |
|
| 2023-07-14 12:16:10 |
Andreas Hasenack |
bug task added |
|
samba (Debian) |
|
| 2023-07-16 05:48:05 |
RedScourge |
bug |
|
|
added subscriber RedScourge |
| 2023-07-16 06:12:19 |
Hiroaki Hashi |
bug |
|
|
added subscriber Hiroaki Hashi |
| 2023-07-16 08:03:58 |
Matthew Barratt |
bug |
|
|
added subscriber Matthew Barratt |
| 2023-07-17 09:19:52 |
John Edwards |
bug |
|
|
added subscriber John Edwards |
| 2023-07-17 12:18:57 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
| 2023-07-17 12:20:24 |
Andreas Hasenack |
samba (Ubuntu): status |
Confirmed |
In Progress |
|
| 2023-07-17 12:22:46 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Server |
| 2023-07-17 12:22:53 |
Andreas Hasenack |
bug |
|
|
added subscriber Canonical Server |
| 2023-07-17 12:37:12 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Mantic |
|
| 2023-07-17 12:37:12 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Mantic) |
|
| 2023-07-17 12:59:08 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Lunar |
|
| 2023-07-17 12:59:08 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Lunar) |
|
| 2023-07-17 12:59:13 |
Andreas Hasenack |
samba (Ubuntu Lunar): status |
New |
In Progress |
|
| 2023-07-17 12:59:15 |
Andreas Hasenack |
samba (Ubuntu Lunar): importance |
Undecided |
High |
|
| 2023-07-17 13:15:35 |
Andreas Hasenack |
samba (Ubuntu Lunar): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2023-07-17 13:48:13 |
Sebastian Chrostek |
bug |
|
|
added subscriber Sebastian Chrostek |
| 2023-07-17 13:50:14 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Kinetic |
|
| 2023-07-17 13:50:14 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Kinetic) |
|
| 2023-07-17 13:50:19 |
Andreas Hasenack |
samba (Ubuntu Kinetic): status |
New |
In Progress |
|
| 2023-07-17 13:50:22 |
Andreas Hasenack |
samba (Ubuntu Kinetic): importance |
Undecided |
High |
|
| 2023-07-17 13:50:24 |
Andreas Hasenack |
samba (Ubuntu Kinetic): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2023-07-17 14:13:32 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Jammy |
|
| 2023-07-17 14:13:32 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Jammy) |
|
| 2023-07-17 14:13:36 |
Andreas Hasenack |
samba (Ubuntu Jammy): status |
New |
In Progress |
|
| 2023-07-17 14:13:38 |
Andreas Hasenack |
samba (Ubuntu Jammy): importance |
Undecided |
High |
|
| 2023-07-17 14:13:40 |
Andreas Hasenack |
samba (Ubuntu Jammy): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2023-07-17 14:16:58 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Focal |
|
| 2023-07-17 14:16:58 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Focal) |
|
| 2023-07-17 14:17:04 |
Andreas Hasenack |
samba (Ubuntu Focal): status |
New |
In Progress |
|
| 2023-07-17 14:17:09 |
Andreas Hasenack |
samba (Ubuntu Focal): importance |
Undecided |
High |
|
| 2023-07-17 14:17:11 |
Andreas Hasenack |
samba (Ubuntu Focal): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2023-07-17 19:29:10 |
Peter Meiser |
bug |
|
|
added subscriber Peter Meiser |
| 2023-07-17 20:02:45 |
Tim Ingles |
bug |
|
|
added subscriber Tim Ingles |
| 2023-07-18 12:01:08 |
Rini van Zetten |
bug |
|
|
added subscriber Rini van Zetten |
| 2023-07-18 12:48:16 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/447094 |
|
| 2023-07-18 19:59:09 |
Alex |
bug |
|
|
added subscriber Alex |
| 2023-07-19 10:26:47 |
Miguel Lorenzo Amarelle |
bug |
|
|
added subscriber Miguel Lorenzo Amarelle |
| 2023-07-19 19:09:47 |
RedScourge |
cve linked |
|
2022-37966 |
|
| 2023-07-19 19:24:36 |
RedScourge |
cve linked |
|
2022-26931 |
|
| 2023-07-19 19:32:49 |
Mitchell Potier |
removed subscriber Mitchell Potier |
|
|
|
| 2023-07-19 23:56:57 |
Eli Navarro |
bug |
|
|
added subscriber Eli Navarro |
| 2023-07-20 12:59:15 |
krbvroc1 |
bug |
|
|
added subscriber krbvroc1 |
| 2023-07-20 13:17:29 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/447094 |
|
|
| 2023-07-20 16:26:19 |
Raydel Govea |
bug |
|
|
added subscriber Raydel Govea |
| 2023-07-20 20:13:40 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/447347 |
|
| 2023-07-21 13:06:37 |
Andreas Hasenack |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/447094 |
|
| 2023-07-21 14:08:16 |
Andreas Hasenack |
description |
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
|
| 2023-07-21 14:28:27 |
Andreas Hasenack |
description |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False", indicating the presence of the bug.
With the samba AD DC controller patched with this update, the output will be "True".
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
|
| 2023-07-21 14:31:29 |
Andreas Hasenack |
description |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False", indicating the presence of the bug.
With the samba AD DC controller patched with this update, the output will be "True".
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False", indicating the presence of the bug.
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
PS C:\Users\ubuntu>
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
|
| 2023-07-21 14:35:05 |
Andreas Hasenack |
description |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False", indicating the presence of the bug.
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
PS C:\Users\ubuntu>
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False" and report a broken secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
|
| 2023-07-21 14:45:01 |
Andreas Hasenack |
description |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False" and report a broken secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
[ Impact ]
Windows update KB5028166[1] broke the secure channel in trust relationships between windows workstations and samba domain controllers.
This manifests itself in widespread domain users authentication problems, including remote desktop access.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False" and report a broken secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
|
| 2023-07-21 14:47:49 |
Andreas Hasenack |
description |
[ Impact ]
Windows update KB5028166[1] broke the secure channel in trust relationships between windows workstations and samba domain controllers.
This manifests itself in widespread domain users authentication problems, including remote desktop access.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False" and report a broken secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
[ Impact ]
Windows update KB5028166[1] broke the secure channel in trust relationships between windows workstations and samba domain controllers.
This manifests itself in widespread domain users authentication problems, most notably remote desktop access.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False" and report a broken secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
|
| 2023-07-21 14:54:04 |
Andreas Hasenack |
description |
[ Impact ]
Windows update KB5028166[1] broke the secure channel in trust relationships between windows workstations and samba domain controllers.
This manifests itself in widespread domain users authentication problems, most notably remote desktop access.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False" and report a broken secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
[ Impact ]
Windows update KB5028166[1] broke the secure channel in trust relationships between windows workstations and samba domain controllers.
This manifests itself in widespread domain users authentication problems, most notably remote desktop access.
[ Test Plan ]
This testplan requires a windows 10 or 11 machine joined to a samba AD DC controller. Windows should be fully up-do-date. In particular, KB5028166[1] must be installed.
There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.
a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
Test-ComputerSecureChannel -Verbose
With an unpatched samba AD DC controller, the output of the above command will be "False" and report a broken secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:
"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""
b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another ubuntu system that can reach the windows machine on port 3389, and it doesn't have to have any relationship with the domain, install vinagre:
sudo apt install vinagre
- Launch it from the terminal (not the desktop launcher). We want to see its log messates, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials
With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:
[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
The key here is that the trust relationship is broken.
- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.
1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
[ Where problems could occur ]
The patches went through some iterations, but have stabilized now and are committed to samba upstream. There is more work to be done (https://bugzilla.samba.org/show_bug.cgi?id=15425), but the more urgent fix is what is presented here and in the latest samba upstream releases.
Problems that can happen here are, in no particular order:
- break domain trust entirely
- Microsoft publishes another patch in reaction to this which changes behavior once again
- more follow-up fixes are necessary
[ Other Info ]
Given the urgency of this fix, I published a PPA and this bug report has comments stating that real life deployments were fixed by this update.
[Original Description]
This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418
The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts
There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.
For ubuntu we will very probably need a sru for all supported lts releases |
|
| 2023-07-21 14:56:02 |
Andreas Hasenack |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041043 |
|
| 2023-07-21 14:56:02 |
Andreas Hasenack |
samba (Debian): remote watch |
Samba Bugzilla #15418 |
Debian Bug tracker #1041043 |
|
| 2023-07-21 14:56:21 |
Andreas Hasenack |
bug task added |
|
samba |
|
| 2023-07-22 06:15:37 |
Matthew Barratt |
bug watch added |
|
https://bugzilla.samba.org/show_bug.cgi?id=15425 |
|
| 2023-07-23 20:30:35 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/447459 |
|
| 2023-07-23 20:32:52 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/447460 |
|
| 2023-07-24 08:42:28 |
Vasili Belkin |
bug |
|
|
added subscriber Vasili Belkin |
| 2023-07-25 20:12:41 |
Lucas Kanashiro |
samba (Ubuntu Kinetic): status |
In Progress |
Won't Fix |
|
| 2023-07-26 19:35:00 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/447460 |
|
|
| 2023-07-26 19:38:53 |
Andreas Hasenack |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/447460 |
|
| 2023-07-27 01:29:10 |
Launchpad Janitor |
samba (Ubuntu Mantic): status |
In Progress |
Fix Released |
|
| 2023-07-28 10:05:10 |
Timo Aaltonen |
samba (Ubuntu Lunar): status |
In Progress |
Fix Committed |
|
| 2023-07-28 10:05:11 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2023-07-28 10:05:15 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
| 2023-07-28 10:05:20 |
Timo Aaltonen |
tags |
server-todo |
server-todo verification-needed verification-needed-lunar |
|
| 2023-07-29 19:08:38 |
Steven Westbrook |
bug |
|
|
added subscriber Steven Westbrook |
| 2023-07-31 05:26:32 |
Mirco Vivaldi |
bug |
|
|
added subscriber Mirco Vivaldi |
| 2023-07-31 11:07:12 |
John Hainsworth |
samba (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2023-07-31 11:07:15 |
John Hainsworth |
samba (Ubuntu Jammy): status |
Fix Committed |
In Progress |
|
| 2023-07-31 18:18:20 |
Andreas Hasenack |
tags |
server-todo verification-needed verification-needed-lunar |
server-todo verification-done-lunar verification-needed |
|
| 2023-07-31 19:25:14 |
Bradley Forney |
bug |
|
|
added subscriber Bradley Forney |
| 2023-07-31 23:58:28 |
Dara Poon |
bug |
|
|
added subscriber Dara Poon |
| 2023-08-01 11:07:32 |
Davide Principi |
bug |
|
|
added subscriber Davide Principi |
| 2023-08-02 09:32:01 |
Péter Molnár |
bug |
|
|
added subscriber Péter Molnár |
| 2023-08-02 16:48:55 |
Robie Basak |
samba (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2023-08-02 16:49:01 |
Robie Basak |
tags |
server-todo verification-done-lunar verification-needed |
server-todo verification-done-lunar verification-needed verification-needed-jammy |
|
| 2023-08-02 16:49:25 |
Robie Basak |
samba (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2023-08-02 16:49:31 |
Robie Basak |
tags |
server-todo verification-done-lunar verification-needed verification-needed-jammy |
server-todo verification-done-lunar verification-needed verification-needed-focal verification-needed-jammy |
|
| 2023-08-02 19:15:32 |
Andreas Hasenack |
removed subscriber Andreas Hasenack |
|
|
|
| 2023-08-02 19:15:35 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
| 2023-08-02 19:50:46 |
Andreas Hasenack |
attachment added |
|
setup-dc.sh https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716/+attachment/5690070/+files/setup-dc.sh |
|
| 2023-08-02 19:51:18 |
Andreas Hasenack |
tags |
server-todo verification-done-lunar verification-needed verification-needed-focal verification-needed-jammy |
server-todo verification-done-jammy verification-done-lunar verification-needed verification-needed-focal |
|
| 2023-08-02 20:16:02 |
Andreas Hasenack |
tags |
server-todo verification-done-jammy verification-done-lunar verification-needed verification-needed-focal |
server-todo verification-done-focal verification-done-jammy verification-done-lunar verification-needed |
|
| 2023-08-05 16:36:07 |
Maciej Gołuchowski |
samba (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
| 2023-08-06 20:21:19 |
Andreas Hasenack |
samba (Ubuntu Jammy): status |
Fix Released |
Fix Committed |
|
| 2023-08-08 19:48:16 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2023-08-08 19:49:09 |
Launchpad Janitor |
samba (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
| 2023-08-09 09:34:10 |
Frank Rochlitzer |
bug |
|
|
added subscriber Frank Rochlitzer |
| 2023-08-10 18:15:10 |
XanderCDN |
bug |
|
|
added subscriber XanderCDN |
| 2023-08-15 17:17:56 |
Launchpad Janitor |
samba (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
| 2023-08-15 17:18:41 |
Launchpad Janitor |
samba (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2023-09-03 23:12:54 |
Bug Watch Updater |
samba (Debian): status |
Unknown |
Fix Released |
|
| 2023-09-05 20:25:04 |
Lexa |
attachment added |
|
2023-09-05 16_24_17-CompatWindow.png https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716/+attachment/5697786/+files/2023-09-05%2016_24_17-CompatWindow.png |
|
