Regression with 4.3.8 upgrade, Mac OS X machines can't connect

Bug #1572301 reported by Bryan Quigley on 2016-04-19
120
This bug affects 18 people
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (CentOS)
Fix Released
Undecided
samba (Debian)
Fix Released
Unknown
samba (Ubuntu)
High
Ubuntu Security Team

Bug Description

With the recent security update to 4.3.8 on Ubuntu 14.04 some Mac OS X 10.11 were unable to connect to shares. The shares were still accessible fine via Windows 10 machines.

Samba versions that broke: 2:4.3.8+dfsg-0ubuntu0.14.04.2
Samba version that works: 2:4.1.6+dfsg-1ubuntu2.14.04.13

The error message (If you turn up log level to 2) in the /log.IPADDRESSOFMAC:
[2016/04/19 14:06:15.555081, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [GUEST] -> [GUEST] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/04/19 14:06:15.555119, 1] ../auth/ntlmssp/ntlmssp_server.c:910(ntlmssp_server_postauth)
ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[GUEST] domain=[] workstation=[workstation]
[2016/04/19 14:06:15.555134, 1] ../lib/util/util.c:559(dump_data)
[0000] hex removed`
[2016/04/19 14:06:15.555163, 1] ../lib/util/util.c:559(dump_data)
[0000] hex removed
[2016/04/19 14:06:15.555190, 2] ../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_INVALID_PARAMETER

This seems very similar to https://<email address hidden>/msg1414417.html.

The Samba config is a very simple one, with all users just connecting as guest. Some excerpts:
map to guest = bad user
[files]
 public = yes
 delete readonly = yes
 writeable = yes
 path = /removed/

Workaround. Reverting packages worked, but is complicated, make yourself root- sudo -i (because you can break pam!).

Download needed packages from:
https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689
https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294692

You likely should have packages libkdc2-heimdal and libhdb9-heimdal in /var/cache/apt/archive so install the old version of them.

(something like)
wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/libpam-winbind_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/libwbclient0_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/python-samba_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/samba_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/samba-common-bin_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/samba-libs_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/samba-vfs-modules_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/smbclient_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/winbind_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294692/+files/samba-common_4.1.6+dfsg-1ubuntu2.14.04.13_all.deb https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/9294689/+files/samba-dsdb-modules_4.1.6+dfsg-1ubuntu2.14.04.13_amd64.deb

Then sudo dpkg -i *.deb them. Then go through and fix any remaining missing packages, unconfigured packages.

Description of problem:

After upgrading to new samba packages, OS X clients cannot authenticate as guests making local public network shares inaccessible.

Version-Release number of selected component (if applicable):

Apr 18 08:14:06 Updated: samba-libs-4.2.10-6.el7_2.x86_64
Apr 18 08:14:07 Updated: samba-common-tools-4.2.10-6.el7_2.x86_64
Apr 18 08:14:07 Updated: samba-common-4.2.10-6.el7_2.noarch
Apr 18 08:14:07 Updated: samba-client-libs-4.2.10-6.el7_2.x86_64
Apr 18 08:14:07 Updated: samba-common-libs-4.2.10-6.el7_2.x86_64
Apr 18 08:14:09 Updated: samba-4.2.10-6.el7_2.x86_64

How reproducible:

Immediately after upgrade without any configuration changes. Windows and Linux clients can mount and work with the shares as usual.

Steps to Reproduce:
1. Upgrade to latest EL 7.2 samba packages
2. Try to mount a guest mountable network share using OS X Yosemite

Actual results:

OS X clients fail to mount with a generic error: 'There was a problem connecting to the server "<address>".'

Expected results:

Share mountable and browsable.

Additional info:

First encounter on production CentOS 7 server. Downgrading back to following packages works around the problem:

Apr 18 09:08:01 Installed: samba-libs-4.2.3-12.el7_2.x86_64
Apr 18 09:08:01 Installed: samba-common-tools-4.2.3-12.el7_2.x86_64
Apr 18 09:08:01 Installed: samba-common-4.2.3-12.el7_2.noarch
Apr 18 09:08:02 Installed: samba-client-libs-4.2.3-12.el7_2.x86_64
Apr 18 09:08:02 Installed: samba-common-libs-4.2.3-12.el7_2.x86_64
Apr 18 09:08:02 Installed: samba-4.2.3-12.el7_2.x86_64

I have confirmed this on up-to-date RHEL 7 VM with the developer license using identical package versions and epochs including downgrading.

Changed in samba (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Joel Ferris (3-joel) wrote :

Also affects the ability of Windows XP to open, copy, etc. Message of file not found when VLC fails

wrsaw (m8r-as0mdp) wrote :

Same on Windows 8.1, causes VLC to fail with 'Bad file descriptor'

Changed in samba (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → High
Marco van Zwetselaar (zwets) wrote :

Also affects smbclient, Windows 12 Server, Windows 7 clients.

$ smbclient -L //dc01 -U Administrator
session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

Critical issue for shops running Samba as AD domain controller: management of the domain is now impossible as the RSAT tools (ADUC, etc) stop working.

Marc Deslauriers (mdeslaur) wrote :

This bug is about OS X clients attempting to map to guest.

Comments #2, #3 and #4: those are completely different issues, please file new bugs for them.

Marco van Zwetselaar (zwets) wrote :

@Marc Deslauriers have filed comment #4 as new bug #1573221.

Will (ivebeenlinuxed) wrote :

Apr 22 11:43:04 gp-02 smbd[5594]: ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[GUEST] domain=[] workstation=[JASONS-IMAC]
Apr 22 11:43:04 gp-02 smbd[5594]: [2016/04/22 11:43:04.812377, 1, pid=5594, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
Apr 22 11:43:04 gp-02 smbd[5594]: [0000] 0D 0C E0 13 B8 A7 1F A2 BF B6 27 C0 06 B9 9B AE ........ ..'.....
Apr 22 11:43:04 gp-02 smbd[5594]: [2016/04/22 11:43:04.812600, 1, pid=5594, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
Apr 22 11:43:04 gp-02 smbd[5594]: [0000] FD 81 3F FA 2C BA CB 1D 0B D8 BE 37 A0 FD 09 53 ..?.,... ...7...S
Apr 22 11:43:04 gp-02 smbd[5594]: [2016/04/22 11:43:04.812825, 2, pid=5594, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
Apr 22 11:43:04 gp-02 smbd[5594]: SPNEGO login failed: NT_STATUS_INVALID_PARAMETER

Wireshark confirms with a response to the NTLMSSP_AUTH packet:
Session Setup AndX Response, Error: STATUS_INVALID_PARAMETER

Downgrade to 2:4.1.6+dfsg-1ubuntu2 fixes this.

Marco van Zwetselaar (zwets) wrote :

The other bug #1573221 was resolved by installing winbind (which is a Suggests of the Samba package). You may want to try if this resolves this bug as well.

WAB (wb221) wrote :
Download full text (5.5 KiB)

Same issue here - connecting with registered user from OSX is fine, but auth as guest fails.

Samba log (level 3):

[2016/04/26 09:57:38.879538, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.1.43 (192.168.1.43)
[2016/04/26 09:57:38.879666, 3] ../source3/smbd/oplock.c:1309(init_oplocks)
  init_oplocks: initializing messages.
[2016/04/26 09:57:38.881429, 3] ../source3/smbd/server_exit.c:252(exit_server_common)
  Server exit (failed to receive smb request)
[2016/04/26 09:57:38.888253, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.1.43 (192.168.1.43)
[2016/04/26 09:57:38.888375, 3] ../source3/smbd/oplock.c:1309(init_oplocks)
  init_oplocks: initializing messages.
[2016/04/26 09:57:38.888470, 3] ../source3/smbd/process.c:1880(process_smb)
  Transaction 0 of length 73 (0 toread)
[2016/04/26 09:57:38.888523, 3] ../source3/smbd/process.c:1490(switch_message)
  switch message SMBnegprot (pid 9589) conn 0x0
[2016/04/26 09:57:38.889573, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LM 0.12]
[2016/04/26 09:57:38.889616, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [SMB 2.002]
[2016/04/26 09:57:38.889646, 3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [SMB 2.???]
[2016/04/26 09:57:38.889769, 3] ../source3/smbd/smb2_negprot.c:271(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2016/04/26 09:57:38.891967, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2016/04/26 09:57:38.892011, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2016/04/26 09:57:38.892056, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2016/04/26 09:57:38.892092, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'spnego' registered
[2016/04/26 09:57:38.892118, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'schannel' registered
[2016/04/26 09:57:38.892140, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2016/04/26 09:57:38.892173, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2016/04/26 09:57:38.892201, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2016/04/26 09:57:38.892234, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2016/04/26 09:57:38.892256, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'http_basic' registered
[2016/04/26 09:57:38.892288, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2016/04/26 09:57:38.892311, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'krb5' registered
[2016/04/26 09:57:38.892337, 3] ../auth/gensec/gensec_start.c:907(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2016/04/26 09:57:38.892453, 3] ../source3/smbd/negprot.c:684(reply_negprot)
  Selected protocol SMB 2...

Read more...

adasiko (adasiko256) wrote :

@Marco van Zwetselaar (zwets)
apt install winbind
reboot

Still don't work...

Marc Deslauriers (mdeslaur) wrote :

Today's Samba update should contain the fix for this issue:

http://www.ubuntu.com/usn/usn-2950-2/

Could the original bug reporter please test the update and comment here? Thanks!

WAB (wb221) wrote :

Not the original bug reporter but I can confirm that the samba update [sudo apt-get install samba] has fixed the problem on OS X 10.11.4

JB (ubojb) wrote :

Resolved for us also. Not the original reporter, but the update today appears to resolve the issues we were having with our OSX machines. (One OSX 10.9.5 and a few 10.11)

Thanks!

 todays samba updates work! I also can confirm that the samba update [sudo apt-get install samba] has fixed the problem on OS X 10.11.4, using Linux Mint 17.3 with latest updates.

Taehyung Lim (e-me-u) wrote :

It works! Thanks!
I'm using Ubuntu 15.10 and OSX 10.11.2, resolved samba version is...

Unpacking samba (2:4.3.9+dfsg-0ubuntu0.15.10.1) over (2:4.3.8+dfsg-0ubuntu0.15.10.2) ...

Marc Deslauriers (mdeslaur) wrote :

Thanks for testing, I am closing this bug.

Please file a new bug if you still experiencing issues.

Changed in samba (Ubuntu):
status: Confirmed → Fix Released

Hello...

I have the same problem... We use our Samba fileserver for homedirs and profils in our Windows and Mac labs.

With this version of Samba, the Mac login session would lock-up and multiple 'smbd' with 100% CPU usage!

If I haden't notice this so quickly all our labs (Linux, Windows, Mac) would have been unuseable!

I grabbed the SRPMS from Fedora 24 testing and recompiled:

samba-winbind-4.4.3-1.el7.centos.x86_64
samba-client-libs-4.4.3-1.el7.centos.x86_64
samba-winbind-krb5-locator-4.4.3-1.el7.centos.x86_64
samba-common-tools-4.4.3-1.el7.centos.x86_64
samba-client-4.4.3-1.el7.centos.x86_64
samba-common-4.4.3-1.el7.centos.noarch
samba-libs-4.4.3-1.el7.centos.x86_64
samba-common-libs-4.4.3-1.el7.centos.x86_64
samba-4.4.3-1.el7.centos.x86_64
samba-winbind-modules-4.4.3-1.el7.centos.x86_64

Everything works correctly now (CentOS 7.2).

Cheers!

This is affecting me as well. It appears that Debian has committed a fix to their packages last week:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821730

The samba team also has committed a patch for this:
https://attachments.samba.org/attachment.cgi?id=12045
https://bugzilla.samba.org/show_bug.cgi?id=11849

I am experiencing this problem on OS X hosts running 10.9-10.11. In the mean time, I'll need to compile srpms from the Fedora Project, which is not a great solution in the long run.

I have also file a bug report with CentOS, which can be viewed here:
https://bugs.centos.org/view.php?id=10935

Thanks!

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2468.html

victor00000 (vict1971) wrote :

"NT_STATUS_INVALID_PARAMETER"
command "smbclient" -> http://forum.ubuntu.ru/index.php?topic=289277.0

Changed in samba (Debian):
status: New → Fix Released
Changed in samba (CentOS):
importance: Unknown → Undecided
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.