Samba upgrade to 3.6.25-0ubuntu0.12.04.2 break domain authentication

Bug #1572122 reported by vincent bonnevialle
80
This bug affects 12 people
Affects Status Importance Assigned to Milestone
samba (CentOS)
Fix Released
Undecided
samba (Debian)
Fix Released
Unknown
samba (Ubuntu)
Undecided
Unassigned

Bug Description

Hi,

Problem : The last samba upgrade broke my ldap authentification for windows 7 client.
Upgrade : samba 2:3.6.3-2ubuntu2 -> samba 2:3.6.25-0ubuntu0.12.04.2
Config : Ubuntu serveur, 12.04 with Samba 3 + ldap

Win 7 errors : "The trust relationship between this workstation and the primary domain failed"
windows client can't join the domain

Linux client can authentificate themselves without problems.

Does anyone have similar problems ?

Thanks

    cat /var/log/samba/log.pc075

    [2016/04/19 08:40:30.050073, 2] smbd/sesssetup.c:1291(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2016/04/19 08:40:30.051311, 2] smbd/sesssetup.c:1291(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2016/04/19 08:40:30.051511, 2] lib/smbldap.c:1018(smbldap_open_connection) smbldap_open_connection: connection opened
    [2016/04/19 08:40:30.059872, 2] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain) Returning domain sid for domain ENSASE -> S-1-5-21-1348238158-1112093341-1520777740
    [2016/04/19 08:40:30.060329, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: pc075$
    [2016/04/19 08:40:30.069236, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515
    [2016/04/19 08:40:30.069747, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515
    [2016/04/19 08:40:30.070223, 2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal) credentials check failed
    [2016/04/19 08:40:30.070271, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC075 machine account PC075$
    [2016/04/19 08:40:30.072638, 2] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
  Returning domain sid for domain ENSASE -> S-1-5-21-1348238158-1112093341-1520777740
    [2016/04/19 08:40:30.073005, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: pc075$
    [2016/04/19 08:40:30.073580, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515
    [2016/04/19 08:40:30.076775, 1] rpc_server/srv_pipe.c:1845(api_pipe_request) srv_pipe_check_verification_trailer: failed

CVE References

Revision history for this message
In , bryan (bryan-redhat-bugs-1) wrote :

Description of problem:
When updating to the latest samba updates:

latest samba updates:

===
=== yum reports available updates:
===

libsmbclient.i386 3.0.33-3.41.el5_11 updates
samba3x.i386 3.6.23-12.el5_11 updates
samba3x-client.i386 3.6.23-12.el5_11 updates
samba3x-common.i386 3.6.23-12.el5_11 updates
samba3x-winbind.i386 3.6.23-12.el5_11 updates

ALL prior required updates have been performed prior to these.

This also comes after a Windows update. However, 2 PCs, one Win7 the other Windows 10, joined the domain and were able to login prior to the update. However, after the update neither Windows 7 or Windows 10 clients can log into the SME 8.2 Server as there is a NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE during attempted login.

I've removed the client by force from the domain and added them back onto the domain and still I get this same error.

Rebooted the server and client PCs and still the same error.

I even performed a yum downgrade to remove these updates and I still see the same trust relationship failure error.

Version-Release number of selected component (if applicable):
All

How reproducible:
replicated on EVERY PC accessing the domain

Steps to Reproduce:
1.reboot
2.login
3.error given = TRUST RELATIONSHIP FAILURE

Actual results:
TRUST RELATIONSHIP FAILURE

Expected results:
Log into domain

Additional info:
in the Messages file I see the following format for multiple users:
Apr 13 09:49:12 icarus smbd[12805]: [2016/04/13 09:49:12.254867, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
Apr 13 09:49:12 icarus smbd[12805]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC3 machine account PC3$

and still continues for each user logged into the domain

Revision history for this message
In , daniel (daniel-redhat-bugs-1) wrote :

This bug should be against RHEL5. When running as an NT4 domain controller, last samba3x updates (RHSA-2016-0613) break trust relationship. Affects at least Windows 7 and Windows Server 2012R2 clients.
The very same issue also affects RHEL6 (after applying updates from RHSA-2016-0611)
In both cases, downgrading the various samba3x/samba packages makes everything working again

Revision history for this message
In , bryan (bryan-redhat-bugs-1) wrote :

Sorry Daniel, wrong release. I downgraded but nothing has changed. Can you please give me the steps to downgrade?
Thanks,
B

Revision history for this message
In , asn (asn-redhat-bugs) wrote :

Please provide log files with a higher log level. If I understand it correctly you have a Samba server running as a primary domain controller and Windows clients are joined to it.

Please read https://www.samba.org/~asn/reporting_samba_bugs.txt it will explain how to provide the information we need and find it quickly. See the info about the 'date' command.

Revision history for this message
In , bryan (bryan-redhat-bugs-1) wrote :

Andreas,
I found a method to downgrade and roll back to the prior version and which fixed this issue.
The command I used:
yum downgrade samba\* libsmbclient

Workstations and other Microsoft servers can now properly interact with the domain.
Thanks,
Bryan

Revision history for this message
In , ossman (ossman-redhat-bugs) wrote :

We are also seeing this (on RHEL 6) after the upgrade. Downgrading helps. Versions of packages:

libtevent-0.9.26-2.el6_7.x86_64
samba-common-3.6.23-30.el6_7.x86_64
samba4-libs-4.2.10-6.el6_7.x86_64
libtdb-1.3.8-1.el6_7.x86_64
samba-winbind-clients-3.6.23-30.el6_7.x86_64
samba-3.6.23-30.el6_7.x86_64
tdb-tools-1.3.8-1.el6_7.x86_64
samba-client-3.6.23-30.el6_7.x86_64
libtalloc-2.1.5-1.el6_7.x86_64
libldb-1.1.25-2.el6_7.x86_64
pytalloc-2.1.5-1.el6_7.x86_64
samba-winbind-3.6.23-30.el6_7.x86_64

I did a run with the latest samba and the previous one (failing and working) with the logging turned up. I'll attach the files next, but I can point out this suspicious difference in the logs:

> [2016/04/14 15:56:46.986588, 10] ../librpc/rpc/dcerpc_util.c:606(dcerpc_sec_verification_trailer_check)
> SEC_VT check Bitmask1 client_header_signing failed

Revision history for this message
In , ossman (ossman-redhat-bugs) wrote :

Created attachment 1147264
log file (working, 3.6.23-25.el6_7)

Revision history for this message
In , ossman (ossman-redhat-bugs) wrote :

Created attachment 1147265
log file (failing, 3.6.23-30.el6_7)

Revision history for this message
In , ossman (ossman-redhat-bugs) wrote :

The test case here is a RHEL 6 acting as a NT4 DC for a Windows 2008R2 machine. From a Fedora 23 machine I used smbclient to connect to the Windows machine:

> $ smbclient //tezava/C$
> Enter ossman's password:
> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

(same problem occurs for any user authentication, but this was a simple command line test case)

Revision history for this message
In , daniel (daniel-redhat-bugs-1) wrote :

Ok, so here are some more complete information for how to reproduce the problem.

Have a samba3x server running as a PDC, with windows stations joined on the domain

[root@el5 ~]# rpm -qa samba\* \*smb\* \*talloc\* \*tdb\* \*ldb\* \*tevent\* \*wbclient\*
libtevent-0.9.18-2.el5
samba3x-client-3.6.23-9.el5_11
samba3x-common-3.6.23-9.el5_11
libtalloc-2.0.7-2.el5
hsqldb-1.8.0.9-1jpp.3
samba3x-winbind-3.6.23-9.el5_11
libtdb-1.2.10-1.el5
samba3x-3.6.23-9.el5_11
tdb-tools-1.2.10-1.el5
libsmbclient-3.0.33-3.40.el5_10
[root@el5 ~]#

See the attached smb.conf file for the relevant sections of my config (I just removed my shares definition as it most likely is not relevant)

One client is member of the NT4 domain. It's a Windows 7 pro box (name: win7, IP: 192.168.7.12)

I can log into this box with no problem, see the win7_ok.log file, which traces a successful login from this box using a domain account.

I now update the different packages:

yum update samba\* libsmb\*

Full transaction:

Updating:
 libsmbclient i386 3.0.33-3.41.el5_11
 samba3x i386 3.6.23-12.el5_11
 samba3x-client i386 3.6.23-12.el5_11
 samba3x-common i386 3.6.23-12.el5_11
 samba3x-winbind i386 3.6.23-12.el5_11

Now:

[root@el5 ~]# rpm -qa samba\* \*smb\* \*talloc\* \*tdb\* \*ldb\* \*tevent\* \*wbclient\*
libtevent-0.9.18-2.el5
samba3x-client-3.6.23-12.el5_11
samba3x-winbind-3.6.23-12.el5_11
libtalloc-2.0.7-2.el5
hsqldb-1.8.0.9-1jpp.3
libsmbclient-3.0.33-3.41.el5_11
samba3x-3.6.23-12.el5_11
libtdb-1.2.10-1.el5
tdb-tools-1.2.10-1.el5
samba3x-common-3.6.23-12.el5_11
[root@el5 ~]#

After restarting the smbd daemon, I can no longer open a session using a domain account. On the client computer, I get a message stating that the trust relationship between this station and the domain failed (the exacte message in french is "La relation d'approbation entre cette station de travail et le domaine a échoué.")

See the file win7_ko.log for the server-side logs when I try to login.

Revision history for this message
In , daniel (daniel-redhat-bugs-1) wrote :

Created attachment 1147271
smb.conf of the PDC

Revision history for this message
In , daniel (daniel-redhat-bugs-1) wrote :

Created attachment 1147272
Log file during a successful login (3.6.23-9.el5_11)

Revision history for this message
In , daniel (daniel-redhat-bugs-1) wrote :

Created attachment 1147273
Log file during a failed login (3.6.23-12.el5_11)

Revision history for this message
In , bryan (bryan-redhat-bugs-1) wrote :

here is my samba configuration file as well.

[global]

add machine script = /sbin/e-smith/signal-event machine-account-create '%u'

bind interfaces only = yes

case sensitive = no
deadtime = 10080

display charset = ISO8859-1

dns proxy = no

domain logons = yes
domain master = yes
dos charset = 850

encrypt passwords = yes

guest account = public

guest ok = no
hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 192.168.3.0/255.255.255.0 192.168.4.0/255.255.255.0 192.168.9.0/255.255.255.0

interfaces = 127.0.0.1 192.168.1.16/255.255.255.0

log file = /var/log/samba/log.%m
logon drive = Z:

logon path =
logon script = netlogon.bat

map to guest = never

max log size = 50

name resolve order = wins lmhosts bcast

netbios name = icarus
oplocks = true
kernel oplocks = true
level2 oplocks = true

os level = 65
passdb backend = smbpasswd:/etc/samba/smbpasswd

pid directory = /var/run
preferred master = yes

preserve case = yes
private dir = /etc/samba

security = user
server string = SME Server
short preserve case = yes
smb passwd file = /etc/samba/smbpasswd
smb ports = 139

socket options = TCP_NODELAY

strict locking = no
unix charset = UTF8
unix password sync = Yes
pam password change = Yes

passwd program = /usr/bin/passwd %u

Revision history for this message
In , bryan (bryan-redhat-bugs-1) wrote :

(In reply to Bryan from comment #14)
> here is my samba configuration file as well.

This was prior to the downgrade from (3.6.23-9.el5_11)

Revision history for this message
In , gdeschner (gdeschner-redhat-bugs) wrote :

Ok, thanks for the data. I can reproduce it here.

Revision history for this message
In , chekov (chekov-redhat-bugs) wrote :

I've confirmed that this also affects RHEL7 clients (Samba 4.2) where I get either a NT_STATUS_CANT_ACCESS_DOMAIN_INFO reply or an NT_STATUS_ACCESS_DENIED when trying to connect to a RHEL6 PDC.

On the samba 3.6 PDC logs I see a:
"Rejecting auth request from client"
Which seems to indicate that there is a problem with the machine user account entry. Deleting the machine account and trying to re-create it also fails (the machine account is created but "net rpc join" fails). The PDC will also frequently set the flags of the machine account to Disabled, which I then have to manually unset.

I was also unable to connect from other RHEL6 clients until I added:
server signing = auto
to the smb.conf, which fixed that but did not fix connections from samba 4.2
I also tried all of the following to no avail:
raw NTLMv2 auth = yes
allow dcerpc auth level connect = yes
client ipc signing = auto
client signing = auto
server min protocol = LANMAN1

Rolling the PDC back from 3.6.23-30 to 3.6.23-25 completely fixed the problem.

I should note that samba 4.2 was able to accurately retrieve domain info:
net rpc info
but wasn't able to join the domain.
-alan

Revision history for this message
In , asn (asn-redhat-bugs) wrote :

We identified the issue and have a working fix.

Revision history for this message
In , zhenxu (zhenxu-redhat-bugs) wrote :

Anyone got working fix?

Me and my user all cant login to our domain.

Revision history for this message
In , bryan (bryan-redhat-bugs-1) wrote :

All,
If you are using Win 7 or Win 10, just unplug the network cable (or disable WiFi) then login. It's similar to a local login (versus a network login). Once you've logged in you can re-plug in the network cable and use your resources as normal. Also, turn off the sleep mode with password required so you're not forced to log back in each time your system goes to sleep.
-Bryan

Revision history for this message
In , asn (asn-redhat-bugs) wrote :

If you require a hotfix until we are able to roll out an update please talk to your Red Hat support contact!

Revision history for this message
In , bugreports (bugreports-redhat-bugs) wrote :

(In reply to Andreas Schneider from comment #21)
> If you require a hotfix until we are able to roll out an update please talk
> to your Red Hat support contact!

Are there any plans when this is going to be rolled out already? (A rough estimate would be enough, e.g. in two weeks, in a month...)

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Revision history for this message
Jon (securit) wrote :

Started patching our critical servers after badlock alert came out. Broke our fileshares and then trust relationship of win7 clients to domain. Down graded back to original samba version and everything started working again.

Changed in samba (Debian):
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Revision history for this message
EOLE team (eole-team) wrote :

Hello,

We try to change the configuration of samba 2:3.6.25-0ubuntu0.12.04.2 with

    allow dcerpc auth level connect = yes

But it does not work.

Regards.

Revision history for this message
EOLE team (eole-team) wrote :

If it can help, we do not have the issue with package 2:4.3.8+dfsg-0ubuntu0.14.04.2 from Trusty.

Revision history for this message
EOLE team (eole-team) wrote :

Finally we have the solution:

The windows machines must be up-to-date, with the samba up-to-date, without the configuration

    allow dcerpc auth level connect = yes

If the windows machine is not up-to-date, the configuration "allow dcerpc auth level connect = yes" does not permit to connect.

If the windows machine is up-to-date, the configuration "allow dcerpc auth level connect = yes" block the connection.

Thanks.

Revision history for this message
vincent bonnevialle (vincent-yeshigh) wrote :

We can't find a solution, here :(

Our windows machines are up to date.

But we still have the same problem, without "allow dcerpc auth level connect = yes" in our configuration

Revision history for this message
In , asn (asn-redhat-bugs) wrote :

I have a fix for the issue. Sorting out how to do updates for all released versions.

Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

In response to comment #6, all the Ubuntu 12.04 machines we upgraded to Samba version 3.6.25-0ubuntu0.12.04.2 suffered from this problem and none of them had "allow dcerpc auth level connect = yes" in the smb.conf file. So I think you may be looking at a different problem.

Another test command I have used is running 'net rpc group -S localhost -U Administrator'. On a non-upgraded machine this returns the list of Samba groups in LDAP. On an upgraded machine it returns "Connection failed: NT_STATUS_ACCESS_DENIED".

Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

I should mention that all the servers effected where using the LDAP backend setup via smbldap-tools. Some server were running winbind but not all. Machines were mix of 32-bit and 64-bit installs.

Clients with login problems were both Windows 7 and XP joined to a domain. Sometimes a user could login to a machine using a recently used user account (info probably cached on locally on Windows machine). File access to server was fine. Leaving and rejoining the domain produced no error, but users could still not login.

Example of Samba log file from when the login failed:
[2016/04/19 10:00:37.960814, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_S
erverAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth
request from client WIN7-DATABASE machine account WIN7-DATABASE$
[2016/04/19 10:00:37.978252, 1] rpc_server/srv_pipe.c:1845(api_pipe_request)
  srv_pipe_check_verification_trailer: failed
[2016/04/19 10:00:50.068608, 1] smbd/process.c:457(receive_smb_talloc)
[2016/04/19 10:01:39.597632, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_S
erverAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth
request from client WIN7-DATABASE machine account WIN7-DATABASE$
[2016/04/19 10:01:39.620571, 1] rpc_server/srv_pipe.c:1845(api_pipe_request)
  srv_pipe_check_verification_trailer: failed
[2016/04/19 10:01:55.838151, 1] smbd/process.c:457(receive_smb_talloc)

Revision history for this message
Ron Groen (hardware-c) wrote :

Why is nothing happening? My users can't login and are beginning to lose faith in Linux/Ubuntu. The first one started to ask for a windows server......

Revision history for this message
Richard Leger (richard-leger) wrote :

As a quick workaround, you can downgrade samba to previous version and restart service, that is of course not a fix but will allow end-users to connect/authenticate again for time being. After downgrade, client workstation may need reboot before user can connect again. If it still does not work, try remove/readd machine to domain (after downgrade). That has successfully worked for us. After downgrade, of course, make sure samba is not updating until a fix is confirmed and published.

Revision history for this message
Richard Leger (richard-leger) wrote :

Another quick and dirty solution is to:
- unplug network cable from client computer (disconnecting machine from network)
- ask user to login (if it has connected recently he/her should be authenticated via cache on local machine)
- once logged in and on Desktop, reconnect network cable, to allow acess to network ressources

Hope that help as quick fix...

Revision history for this message
Richard Leger (richard-leger) wrote :

For reference...

Related Debian bug reports:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820982 (samba: Users cannot open their Windows session anymore)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821811 (samba: badlock patch breaks trust relationship)

Related others:
- http://osdir.com/ml/general/2016-04/msg18262.html
- https://<email address hidden>/msg1413072.html

Revision history for this message
Ron Groen (hardware-c) wrote :

In the meantime I downgraded. (First time in 15 years ;-)

apt-get install samba=2:3.6.3-2ubuntu2 samba-common=2:3.6.3-2ubuntu2 smbclient=2:3.6.3-2ubuntu2 samba-common-bin=2:3.6.3-2ubuntu2 samba-doc=2:3.6.3-2ubuntu2 libwbclient0=2:3.6.3-2ubuntu2 libpam-smbpass=2:3.6.3-2ubuntu2 winbind=2:3.6.3-2ubuntu2 libpam-winbind=2:3.6.3-2ubuntu2

The following packages will be DOWNGRADED:
  libpam-smbpass libpam-winbind libwbclient0 samba samba-common samba-common-bin samba-doc smbclient winbind
...

PS on ls -ltr /var/cache/apt/archives you will find the list of actual installed samba packages

I hope this is helpful for other readers.

Revision history for this message
Hungerburg (pch-myzel) wrote :

The subject of this report is way too narrow: A system of mine was affected, downgrade worked immediately: The system is a PDC for an NT style domain; Samba users are system users, no LDAP; windbind not running; Clients are XP, W7 and W10.

Samba server logged quite often:
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client XYZ machine account XYZ$

Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

As a second person has confirm that the problem also effects Windows XP clients I have update the title of the bug. In my experience it seems to only effect domain functions, basic SMB file sharing seems OK.

summary: - Samba upgrade break LDAP authentification only for my w7 clients
+ Samba upgrade to 3.6.25-0ubuntu0.12.04.2 break domain authentication
Revision history for this message
EOLE team (eole-team) wrote :
Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

Contents of Andreas_Schneider patch to srv_pipe.c to fix the regression verifying the security trailer, taken from https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5;hp=ea6f2386611d0a4edd65962a59b3448be976c1bb

--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1552,7 +1552,6 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
 {
        TALLOC_CTX *frame = talloc_stackframe();
        struct dcerpc_sec_verification_trailer *vt = NULL;
- const uint32_t bitmask1 = 0;
        const struct dcerpc_sec_vt_pcontext pcontext = {
                .abstract_syntax = pipe_fns->syntax,
                .transfer_syntax = ndr_transfer_syntax,
@@ -1573,7 +1572,7 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
                goto done;
        }

- ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
+ ret = dcerpc_sec_verification_trailer_check(vt, NULL,
                                                    &pcontext, &header2);
 done:
        TALLOC_FREE(frame);

Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

Contents of Andreas_Schneider patch to srv_pipe.c to fix the regression verifying the security trailer, taken from https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5;hp=ea6f2386611d0a4edd65962a59b3448be976c1bb

--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1552,7 +1552,6 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
 {
        TALLOC_CTX *frame = talloc_stackframe();
        struct dcerpc_sec_verification_trailer *vt = NULL;
- const uint32_t bitmask1 = 0;
        const struct dcerpc_sec_vt_pcontext pcontext = {
                .abstract_syntax = pipe_fns->syntax,
                .transfer_syntax = ndr_transfer_syntax,
@@ -1573,7 +1572,7 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
                goto done;
        }

- ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
+ ret = dcerpc_sec_verification_trailer_check(vt, NULL,
                                                    &pcontext, &header2);
 done:
        TALLOC_FREE(frame);

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "~/temp/firefox-downloads/Andreas_Schneider_srv_pipe.c.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Matt Forrest (matt-forrest+launchpad) wrote :

Downgrade as posted by Rob above works. Alternately, add this to your smb.conf file:
client ipc signing = no

Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

One problem with changing "client ipc signing" is that it is not documented in the man pages of these packages for Ubuntu 12.04 and the settings are different to the Samba packages in Ubuntu 14.04 (where the possible settings are "auto", "mandatory" and "disabled").

Revision history for this message
Richard Leger (richard-leger) wrote :

For additional reference, recent Samba known cybersecurity vulnerabilities report (apply to Samba 3 & 4) indicate a change in default setting for "client ipc signing" as well as the global conf options newly introduced to keep compatibility:

SMB client connections for IPC traffic are not integrity protected
https://www.samba.org/samba/security/CVE-2016-2115.html

As highlighted by John, the only possible settings are "auto", "mandatory" and "disabled"...

Revision history for this message
In , oliver (oliver-redhat-bugs-1) wrote :

I was affected too, my command for downgrade was:

yum downgrade samba3x samba3x-common samba3x-client samba3x-swat samba3x-winbind

I'm on RHEL 5.11 with samba NT4 style, mixed WinXP and Win7 clients.

After downgrade, the clients can login instantly, no reboot necessary.

Revision history for this message
Jan Hübner (jan-huebner) wrote :

This bug needs to be fixed, I don't understand how the importance can be "undecided". It effectively stops users from logging in and it makes me run a version without the latest security fixes.

Revision history for this message
ghomem (gustavo) wrote :

According the reporter's description "Linux client can authentificate themselves without problems." - this seems NOT to be the case. This upgrade broke the ability for 12.04 linux clients to join a samba managed domain.

Using the usual configuration files and current domain join creds we would get on the linux client:

Connection failed: NT_STATUS_ACCESS_DENIED

After downgrading the 12.04 linux client with

apt-get install samba=2:3.6.3-2ubuntu2 samba-common=2:3.6.3-2ubuntu2 smbclient=2:3.6.3-2ubuntu2 samba-common-bin=2:3.6.3-2ubuntu2 samba-doc=2:3.6.3-2ubuntu2 libwbclient0=2:3.6.3-2ubuntu2 libpam-smbpass=2:3.6.3-2ubuntu2 winbind=2:3.6.3-2ubuntu2 libpam-winbind=2:3.6.3-2ubuntu2

the ability to join is back and everything works normally (nsswitch, pam, etc)

Robie Basak (racb)
tags: added: regression-update
Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

Another problem with "client ipc signing" is that on a machine that has just joined the domain, domain users can not login. Samba logs report:
[2016/05/03 12:37:54.226769, 1] rpc_server/srv_pipe.c:1845(api_pipe_request)
  srv_pipe_check_verification_trailer: failed
[2016/05/03 12:37:54.273670, 1] rpc_server/srv_pipe.c:1845(api_pipe_request)
  srv_pipe_check_verification_trailer: failed

Revision history for this message
Christopher Nighswonger (cnighswonger) wrote :

When upgrading our DC from Ubuntu 13.04 to 14.04 we were also upgraded from Samba 3.6.9 to 4.3.8. Now Ubuntu clients cannot authenticate and (as ghomem mentions) Ubuntu member servers are not able to join the domain. Unfortunately downgrading Samba on 14.04 is not as simple as using dpkg or apt. Here is a snippet of debug out put when attempting to join the domain:

Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] CB 5B 1C 2A DC 07 09 6E .[.*...n
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 00 00 00 00 00 00 00 00 ........
smb_signing_good: BAD SIG: seq 1
SPNEGO login failed: Access denied
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : NULL
            dns_domain_name : NULL
            forest_name : NULL
            dn : NULL
            domain_sid : NULL
                domain_sid : (NULL SID)
            modified_config : 0x00 (0)
            error_string : 'failed to lookup DC info for domain 'FOO' over rpc: Access denied'
            domain_is_ad : 0x00 (0)
            result : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'FOO' over rpc: Access denied
return code = -1

Revision history for this message
John Edwards (john-cornerstonelinux) wrote :

In response to comment #27, I think that the problem with clients connecting to Samba version 4.3.8 on Ubuntu 14.04 may be a different problem. Some of the discussion in bug #1573221 may be relevant, particular setting "client use spnego = no".
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1573221

Revision history for this message
Christopher Nighswonger (cnighswonger) wrote :

Actually, the problem we are having does not appear to be related to bug #1573221. The issue described in the original bug report there does not affect any of our clients. All are able to connect regardless of the setting of 'client use spnego.' We are experiencing a problem more similar to the original description of this bug report: "client can't join the domain" though the client here is a Ubuntu file server.

There is another bug #1572824 which could be related as well. If the consensus is that my issue is significantly different, I will be glad to open an new bug for it. It just appears that all of these issues share a common cause at this point at least.

Revision history for this message
Richard Leger (richard-leger) wrote :

Christopher,

As indicated here https://www.samba.org/samba/security/CVE-2016-2115.html default settings of Samba may have changed and therefore may require extra new option in global settings to bring back compatibilty... The first I would suggest is try adding the following:

client ipc signing = auto

Alternatively you can also try "disable" instead of "auto"...

Worth a shot...

Regards,

Revision history for this message
Christopher Nighswonger (cnighswonger) wrote :

Here is a reference to the exact problem on the Samba list:

https://lists.samba.org/archive/samba/2016-April/199395.html

No answer as of yet, but there is a lot of noise on the list about recent Samba upgrade issues.

Revision history for this message
Christopher Nighswonger (cnighswonger) wrote :

Richard,

Setting "client ipc signing = auto" indeed corrected the problem, and I was able to join the file server back to the domain. This may be a fix for others with the particular issue I have.

However, I now have a slightly different issue. This one involved users being denied access to restricted network shares. However, if the share is wide open, there are no problems. This was not a problem prior the upgrade. I'm working through it now and will try to decide where to post about it as I find more.

Thanks!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Today's Samba update may contain the fix for this issue:

http://www.ubuntu.com/usn/usn-2950-2/

Could the original bug reporter please test the update and comment here? Thanks!

Revision history for this message
Richard Leger (richard-leger) wrote :

For reference...

Samba security regression tracking bug
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

Revision history for this message
Christopher Nighswonger (cnighswonger) wrote :

Not the original reporter, but the issue I mention in comment #32 was resolved when this update was applied.

Thanks!

Revision history for this message
Hungerburg (pch-myzel) wrote :

Status still open?

Upgrading samba:amd64 2:3.6.3-2ubuntu2 -> 2:3.6.25-0ubuntu0.12.04.3 fixed the issue for me (nt-style domain logons broken)

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for testing the new version. I am closing this bug. If anyone is still experiencing issues with the new update, please file a new bug. Thanks!

Changed in samba (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
EOLE team (eole-team) wrote :

I just make the test and the windows-7 workstation can login with the new 2:3.6.25-0ubuntu0.12.04.3 samba package.

For the record, I made a test with and without the microsoft patch https://www.microsoft.com/en-us/download/confirmation.aspx?id=51829.

Thanks.

Revision history for this message
Michael Lueck (mlueck) wrote :

I applied to Ubuntu Server 12.04 Samba update 2:3.6.25-0ubuntu0.12.04.3 and am pleased and relieved to see my test Windows XP client once again able to login to the Samba NT4 style domain.

This update appears to resolve the defect I originally opened:
[Bug 1574228] Changes to Samba packages for April 12 prevent legacy Windows clients from logging in to NT4 style domain

Note: I did not make ANY changes to my configuration / settings. Only upgraded to this new build of the Samba packages.

I am thankful,
Michael

Revision history for this message
vincent bonnevialle (vincent-yeshigh) wrote :

I applied the new samba update, problem is fixed.
Windows (XP/7) and Ubuntu clients can now authenticate themselves without problems.

Thanks !

Revision history for this message
In , elhefe (elhefe-redhat-bugs) wrote :

(In reply to Martin from comment #22)
> (In reply to Andreas Schneider from comment #21)
> > If you require a hotfix until we are able to roll out an update please talk
> > to your Red Hat support contact!
>
> Are there any plans when this is going to be rolled out already? (A rough
> estimate would be enough, e.g. in two weeks, in a month...)

I also would like to know a rough estimate about the release date of this fix...

Revision history for this message
In , Colin.Simpson (colin.simpson-redhat-bugs) wrote :

Is this the same as the RHEL 6 Bug#1327697 ?

Revision history for this message
Jan Hübner (jan-huebner) wrote :

I'm late to comment, anyways: the update fixed all problems that arose.

Revision history for this message
In , charlieb-fedora-bugzilla (charlieb-fedora-bugzilla-redhat-bugs) wrote :

(In reply to elhefe from comment #27)

> I also would like to know a rough estimate about the release date of this
> fix...

Maybe some time this year... :-)

Revision history for this message
In , bugreports (bugreports-redhat-bugs) wrote :

(In reply to Charlie Brady from comment #29)
> (In reply to elhefe from comment #27)
>
> > I also would like to know a rough estimate about the release date of this
> > fix...
>
> Maybe some time this year... :-)

Interestingly this seems to haven been fixed for RHEL 6 only the RHEL 5 updates seems to take a while.

Revision history for this message
In , mlstarling31 (mlstarling31-redhat-bugs) wrote :

(In reply to Martin from comment #30)

> Interestingly this seems to haven been fixed for RHEL 6 only the RHEL 5
> updates seems to take a while.

I'm still having the same issue with 3.6.23-35.el6_8 and there's nothing in the change log that would indicate this is fixed on RHEL6. How are you verifying a fix has been implemented?

Revision history for this message
In , bugreports (bugreports-redhat-bugs) wrote :

(In reply to Michael Starling from comment #31)
> (In reply to Martin from comment #30)
>
> > Interestingly this seems to haven been fixed for RHEL 6 only the RHEL 5
> > updates seems to take a while.
>
>
> I'm still having the same issue with 3.6.23-35.el6_8 and there's nothing in
> the change log that would indicate this is fixed on RHEL6. How are you
> verifying a fix has been implemented?

Strange, the version you mentioned is working for me. Also see the here:
https://rhn.redhat.com/errata/RHBA-2016-0992.html

Revision history for this message
In , big-daniel15 (big-daniel15-redhat-bugs) wrote :

@Michael Starling: Same here 3.6.23-35.el6 does not solve the problem. I think we have to wait or upgrade to Rhel7 to get rid of the problem.

Revision history for this message
In , asn (asn-redhat-bugs) wrote :

If you have regressions in RHEL6 please report them and do not capture other bugs. Thanks!

Revision history for this message
In , mlstarling31 (mlstarling31-redhat-bugs) wrote :

Andreas, I originally reported this for RHEL 6 and opened a case with Red Hat in the first week of April. They then opened a separate bugzilla for RHEL 6 but you marked the bug as a duplicate, closed it and attached attached my case to this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1328909

I'm still able to join Windows systems to my NT domain but they are unable to authenticate. This isn't a new bug but it's the same issue that's been manifesting itself all along.

Revision history for this message
In , mlstarling31 (mlstarling31-redhat-bugs) wrote :

Update:

For anyone else on this mailing list still having issues with RHEl6.

After some more reading and troubleshooting I was able to fix domain logons by disabling TCP Chimney Offload in Windows

Revision history for this message
In , asn (asn-redhat-bugs) wrote :

I've added the wrong bug id. I fixed it.

Revision history for this message
In , maumar (maumar-redhat-bugs) wrote :

when is it planned to be released samba3x-3.6.23-13.el5_11, roughly?

Revision history for this message
In , charlieb-fedora-bugzilla (charlieb-fedora-bugzilla-redhat-bugs) wrote :

(In reply to Maurizio Marini from comment #40)

> when is it planned to be released samba3x-3.6.23-13.el5_11, roughly?

IMO this should have "security" priority classification, since the regression is preventing the implementation of a critical security update for many users:

https://rhn.redhat.com/errata/RHSA-2016-0613.html

A response > 2 months is pretty disappointing.

Revision history for this message
In , maumar (maumar-redhat-bugs) wrote :

thanks to Andreas patch
https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5;hp=ea6f2386611d0a4edd65962a59b3448be976c1bb

I was able to fix samba3x-3.6.23-12.el5_11.src.rpm and users on win7 clients are able to login again, nevertheless I wait for officially released package

Changed in samba (Debian):
status: New → Fix Released
Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1294

Changed in samba (CentOS):
importance: Unknown → Undecided
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.