Samba Domain Member cannot check passwords against Samba AD DC after "Badlock" update

Bug #1572824 reported by RedScourge on 2016-04-21
This bug affects 10 people
Affects: samba (Ubuntu)
Importance: High
Assigned to: Ubuntu Security Team

Bug Description

Hi,

I updated Samba on my old web server which is running a fully updated 12.04.5 LTS, and now I cannot get it to act as a domain member anymore. All password validation requests fail. The only way to access this server once more is to manually add local users with usernames and passwords matching the domain users.

The server is now completely incapable of checking passwords against our 14.04 LTS Samba AD DC. I have verified that upgrading our other 14.04 LTS file server from Samba 4.1.6 to 4.3.8 worked fine, but upgrading our Samba AD DC from 4.1.6 to 4.3.8 BROKE EVERYTHING, so I had to roll that back. I suspect that if I were able to update the AD DC to 4.3.8 perhaps this issue would go away, as I believe the problem is specific to the recently patched "badlock" bug. However, that is a separate issue, one that I will not file a bug for unless I am able to determine that it is not specific to our configuration. I will spin up a new AD DC using the 4.3.8 series and try to make it the new PDC, and if that also fails, I will file a bug for that other issue. I will also come back here and let you know if this issue goes away by doing that or not. I would upgrade this server to 14.04 LTS, if not for the fact that we still have some legacy PHP 5.3 code, and we were not able to compile PHP 5.3 on newer Ubuntu versions because of crazy dependency issues which I will not get into here.

Relevant error messages when trying to use smbclient with a domain username:

cli_negprot: SMB signing is mandatory and the server doesn't support it.

failed negprot: NT_STATUS_ACCESS_DENIED

Changing the server signing and client signing parameters on any of the involved servers does not seem to fix the issue unfortunately. Below is more debug info, with my true domain name changed to SAMDOM.EXAMPLE.ORG instead of what it actually is. To make it more clear, FILESERV is our 4.3.8 fileserver, FILESERV2 is actually our 4.1.6 Samba AD DC, and DB3 is our 3.6.25 file/web server.

Full debug level 5 output of the smbtree command:

smbtree -d 5 -U administrator
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Enter administrator's password:
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
name SAMDOM#1D found.
Connecting to host=192.168.6.91
Connecting to 192.168.6.91 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 372480
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
namecache_status_fetch: key NBT/*#00.00.192.168.6.91 -> FILESERV
Connecting to host=FILESERV
Connecting to 192.168.6.91 at port 445
Connecting to 192.168.6.91 at port 139
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 372480
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED

Full debug level 5 output of the smbclient command:

smbclient -d 5 -L localhost -U administrator
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Netbios name list:-
my_netbios_names[0]="DB3"
Client started (version 3.6.25).
Enter administrator's password:
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
no entry for localhost#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name localhost<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name localhost<0x20>
namecache_store: storing 1 address for localhost#20: 127.0.0.1
Connecting to 127.0.0.1 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
 session request ok
Substituting charset 'UTF-8' for LOCALE
Doing spnego session setup (blob length=112)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS

Full debug level 5 output of domain join command:

root@db3:/var/lib/samba# net -d 5 ads join -U administrator
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter netbios name = db3
handle_netbios_name: set global_myname to: DB3
doing parameter workgroup = SAMDOM
doing parameter security = ADS
doing parameter realm = samdom.example.org
doing parameter encrypt passwords = true
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config SAMDOM:backend = ad
doing parameter idmap config SAMDOM:schema_mode = rfc2307
doing parameter idmap config SAMDOM:range = 10000-80000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter inherit permissions = yes
doing parameter store dos attributes = Yes
doing parameter unix extensions = yes
doing parameter inherit acls = yes
doing parameter inherit owner = yes
doing parameter acl group control = yes
doing parameter server string = A+ webserver
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="DB3"
added interface eth0 ip=fe80::a00:27ff:fef1:af6%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.6.76 bcast=192.168.255.255 netmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter administrator's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name : NULL
            machine_name : 'DB3'
            domain_name : *
                domain_name : 'SAMDOM.EXAMPLE.ORG'
            account_ou : NULL
            admin_account : 'administrator'
            machine_password : NULL
            join_flags : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version : NULL
            os_name : NULL
            create_upn : 0x00 (0)
            upn : NULL
            modify_config : 0x00 (0)
            ads : NULL
            debug : 0x01 (1)
            use_kerberos : 0x00 (0)
            secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
ads_dns_lookup_srv: 1 records returned in the answer section.
Connecting to host=fileserv2.samdom.example.org
sitename_fetch: Returning sitename for SAMDOM.EXAMPLE.ORG: "Default-First-Site-Name"
name fileserv2.samdom.example.org#20 found.
Connecting to 192.168.6.92 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 372480
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : NULL
            dns_domain_name : NULL
            forest_name : NULL
            dn : NULL
            domain_sid : NULL
                domain_sid : (NULL SID)
            modified_config : 0x00 (0)
            error_string : 'failed to lookup DC info for domain 'SAMDOM.EXAMPLE.ORG' over rpc: Access denied'
            domain_is_ad : 0x00 (0)
            result : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'SAMDOM.EXAMPLE.ORG' over rpc: Access denied
return code = -1

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed

Marc Deslauriers (mdeslaur) wrote :

Are you running winbind on your AD DC?

Marc Deslauriers (mdeslaur) wrote :

You've tried setting server signing = disabled on your 12.04 LTS server?

RedScourge (redscourge) wrote :

I am not running winbind on the DC. The options I have tried in their various combinations are server signing = off, server signing = auto, and client signing = off. I have tried them on just the 12.04 server, and also on both the 12.04 server and the AD DC. Nothing seems to resolve the problem for the 12.04 server.

RedScourge (redscourge) wrote :

Here is my current samba AD DC config, after removing the signing option:

# Global parameters
[global]
        workgroup = SAMDOM
        realm = samdom.example.com
        netbios name = FILESERV2
        server role = active directory domain controller
        server services = -dns

        os level = 70

        idmap_ldb:use rfc2307 = yes
        allow dns updates = nonsecure
        #dns forwarder = 192.168.6.3
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        panic action = /usr/share/samba/panic-action %d

[netlogon]
        path = /var/lib/samba/sysvol/samdom.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Very simple, as you can see. I use bind9.9 and samba_dlz, and DNS resolution has worked perfectly for over a year.

RedScourge (redscourge) wrote :

Whoops, that's supposed to be example.org, to match with the above. I was changing my organization name.

RedScourge (redscourge) wrote :

To be clear, neither example.org or example.com are my actual samba domain.

Mikko Kortelainen (kortsi) wrote :

I also ran into a problem looking like this one. My smb.conf global section looks like this:

[global]
  netbios name = SERVER
  realm = EXAMPLE.COM
  workgroup = EXAMPLE
  security = ADS
  kerberos method = system keytab
  mangled names = no
  log level = 2

I have a feeling Kerberos authentication worked since I could log in from Windows clients in the same domain but password auth failed using smbclient and also Windows from another network which does not have access to domain controllers.

These packages were upgraded automatically a while ago:
- libwbclient0 2:3.6.3-2ubuntu2.17 -> libwbclient0_2%3a3.6.25-0ubuntu0.12.04.2_amd64.deb
- smbclient 2:3.6.3-2ubuntu2.17 -> smbclient_2%3a3.6.25-0ubuntu0.12.04.2_amd64.deb
- samba-common 2:3.6.3-2ubuntu2.17 -> samba-common_2%3a3.6.25-0ubuntu0.12.04.2_all.deb
- samba-common-bin 2:3.6.3-2ubuntu2.17 -> samba-common-bin_2%3a3.6.25-0ubuntu0.12.04.2_amd64.deb

I decided to downgrade to older versions. But I accidentally restored samba instead of samba-common-bin from the backup server, so my downgrade command looked like this:

dpkg -i \
  libwbclient0_2%3a3.6.3-2ubuntu2.17_amd64.deb \
  samba_2%3a3.6.3-2ubuntu2.17_amd64.deb \
  samba-common_2%3a3.6.3-2ubuntu2.17_all.deb \
  smbclient_2%3a3.6.3-2ubuntu2.17_amd64.deb

Anyway, after I ran that, authentication worked again. My package versions are now as follows:

# dpkg-query -l | egrep 'samba|libwbclient|smbclient'

ii libsmbclient 2:3.6.25-0ubuntu0.12.04.2 shared library for communication with SMB/CIFS servers
ii libsmbclient-dev 2:3.6.25-0ubuntu0.12.04.2 development files for libsmbclient
hi libwbclient0 2:3.6.3-2ubuntu2.17 Samba winbind client library
ii samba 2:3.6.3-2ubuntu2.17 SMB/CIFS file, print, and login server for Unix
hi samba-common 2:3.6.3-2ubuntu2.17 common files used by both the Samba server and client
ii samba-common-bin 2:3.6.25-0ubuntu0.12.04.2 common files used by both the Samba server and client
hi smbclient 2:3.6.3-2ubuntu2.17 command-line SMB/CIFS clients for Unix

Chris Ronk (k-chais-t) wrote :

Adding a "Me Too":

I have the exact issue.

I have tried various things to no avail. Here is the Global section of my SMB.CONF:

[global]
        workgroup = BNB
        realm = BNB.LAN
        netbios name = DC1
        server role = active directory domain controller
        #dns forwarder = 12.127.16.68
        #dns forwarder = 12.127.17.71
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        server string = BNB Corporate Server
# server signing = disabled
# ntlm auth = yes

Chris Ronk (k-chais-t) wrote :

Here are my package versions:

libsmbclient:amd64     2:4.3.8+dfsg-0ubuntu0.14.04.2  amd64
libwbclient0:amd64     2:4.3.8+dfsg-0ubuntu0.14.04.2  amd64
python-samba           2:4.3.8+dfsg-0ubuntu0.14.04.2  amd64
python-smbc            1.0.14.1-0ubuntu2              amd64
samba                  2:4.3.8+dfsg-0ubuntu0.14.04.2  amd64
samba-common           2:4.3.8+dfsg-0ubuntu0.14.04.2  all
samba-common-bin       2:4.3.8+dfsg-0ubuntu0.14.04.2  amd64
samba-dsdb-modules     2:4.3.8+dfsg-0ubuntu0.14.04.2  amd64
samba-libs:amd64       2:4.3.8+dfsg-0ubuntu0.14.04.2  amd64
samba-vfs-modules      2:4.3.8+dfsg-0ubuntu0.14.04.2  amd64

Chris Ronk (k-chais-t) wrote :

A portion of the log file from when a Windows Workstation tries to connect to the server.

Chris Ronk (k-chais-t) wrote :

Here is a wireshark capture of the connection attempt.

RedScourge (redscourge) wrote :

Hi all,

I appear to have solved this issue for myself by setting up an entirely new AD DC today based on 16.04 LTS, and joining it to the existing domain. I took no action at all on the affected system, and yet today after setting that new system up, the affected system seems to be connecting properly as before, so I suspect that this might very well be the solution. As I said before, I was not able to upgrade any of my 4.1.6 DCs to 4.3.8 as something would get horribly corrupted, but setting up a new one seems to have worked with only minor complications and confusion.

I more or less followed the instructions at the Samba AD Wiki for joining a new DC to an existing domain, except that they seem to specify a few strange things, such as that you MUST set up bind DLZ first before provisioning, which I actually think is impossible, and switching to bind after joining worked fine. The whole process was not too hard, though it was confusing at times, especially since it seemed to not be working until after I rebooted after the join was done.

I had a few problems with it at first giving me lots of errors about NT_STATUS_INVALID_SID and such, especially with commands like "smbclient -L localhost -U%", but output of the "samba-tool drs showrepl" command and all the DNS commands looked like they were connecting to the other DC properly, so at one point I rebooted and it seemed to work after that. I suspect that leaving "idmap_ldb:use rfc2307 = yes" out of my smb.conf might have contributed to fixing stuff, but I suspect it was mostly just the reboot that took care of things, possibly because of the network settings changes involved during the samba config process. I can't confirm for sure what it was, as I did a lot of stuff between reboots and samba restarts; all I can confirm for sure is that my previously affected server is no longer throwing a fit now that it can contact my new DC, even though it cannot contact any of the others.

Also, apparently you can have winbind running on an AD DC now since 4.3.X, so I did that, and I can do id username queries from the command line of the DC and they all work. This seems to be a new feature, I think because they replaced the special winbind they were using with AD DCs before with the original winbind daemon.

RedScourge (redscourge) wrote :

Since it only took me 3-5 hours to build a 16.04 LTS AD DC running 4.3.8 and the bind DNS backend, I suspect that this might just be the easiest way to go.

Just to repeat as a warning, upgrading my existing DC from 4.1.6 to 4.3.8 on 14.04 LTS resulted in a broken DC for me, so rather than just upgrading, I highly recommend building a new server. And since you probably shouldn't have much else running on your DC anyway, there seems to be no good reason so far to not build it on 16.04 LTS, as minimal software means minimal chance that you will encounter any problems from any new 16.04 bugs.

Chris Ronk (k-chais-t) wrote :

Does anyone have anything better than doing a fresh install from a new version of Ubuntu?

There's got to be a better option...

The RPC errors make me think this may be related to the DCERPC problems that were causing problems with domain trust functions in bug #1572122. A source code patch is available in Samba but has not been applied or tested in Ubuntu.

This should be fixed ASAP as it is causing large scale issues.

Robie Basak (racb) on 2016-05-03
tags: added: regression-update
Changed in samba (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → High

Marc Deslauriers (mdeslaur) wrote :

Today's Samba update may contain the fix for this issue:

http://www.ubuntu.com/usn/usn-2950-2/

Could the original bug reporter please test the update and comment here? Thanks!

Alexander Skiba (ghostlyrics) wrote :

For what it's worth, I saw the same symptoms as the original reporter and there has not been any change after upgrading to 2:3.6.25-0ubuntu0.12.04.3.


It seems to have fixed it for me for both W7 and XP clients. I had to add client ipc signing = auto to the global section of the smb.conf file too.


Alexander Skiba (ghostlyrics) wrote :

> I had to add client ipc signing = auto to the global section of the smb.conf file too.

This fixed it for me too (not sure if this was only a configuration issue or the regression combined with config issue).

RedScourge (redscourge) wrote :

Hi all,

I will try to remember to test the samba update after the users leave for the day, as I have to take the new PDC, which works, offline in order to test this. The "libsoup" thing referred to in the link that Marc provided does not seem relevant to us, as we did not even have that package installed to begin with.

RedScourge (redscourge) wrote :

Good news!

I installed the update and rebooted and it did not work, smbclient commands returned NT_STATUS_NO_LOGON_SERVERS. But after also adding "client ipc signing = auto" to smb.conf as per Tony Haley's recommendation in comment #20, and after another reboot, it is working as expected with just the 4.1.6 DCs in service (it worked with the 4.3.8 servers even before this update).

I'm relieved to know that if I have to take down my new PDC for maintenance, this old 12.04.5 server will not suddenly stop working when it has to authenticate against the other DCs.
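An added triage helper (example code, not from the bug report, its attachments or Samba) that parses a member's smb.conf and a "-d 5" debug log like the ones pasted above, lists the targets whose negotiate failed with the cli_negprot signing error, and reports whether "client ipc signing" is set in [global]; the sample log and config below are constructed from the output in this thread.

```python
"""Added triage helper for the failure in this report (not from Samba or
the bug's own attachments): parse the member's smb.conf and its "-d 5"
debug log, list the targets whose negotiate died on the cli_negprot
signing error, and check whether "client ipc signing" is set in [global]."""
import re
from typing import Dict, List, Optional, Tuple

NEGPROT_SIGNING = "cli_negprot: SMB signing is mandatory and the server doesn't support it."
NO_LOGON = "NT_STATUS_NO_LOGON_SERVERS"
CONNECT_RE = re.compile(r"^Connecting to (\S+) at port (\d+)$")


def canon(name: str) -> str:
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(conf: str) -> Dict[str, str]:
    """Return the [global] parameters of an smb.conf as {canonical name: value}."""
    params: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                # new section header
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                         # share-level lines are ignored
        key, value = line.split("=", 1)
        params[canon(key)] = value.strip()
    return params


def signing_failures(log: str) -> List[Tuple[str, int]]:
    """(host, port) pairs whose negotiate failed with the signing error.

    The debug log prints "Connecting to <host> at port <n>" per attempt and
    the cli_negprot line right after the failing one, so the most recent
    connect line identifies the target."""
    failures: List[Tuple[str, int]] = []
    last: Optional[Tuple[str, int]] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:
            last = (m.group(1), int(m.group(2)))
        elif line == NEGPROT_SIGNING and last and last not in failures:
            failures.append(last)
    return failures


def diagnose(conf: str, log: str) -> dict:
    """Combine config and log evidence into a small report."""
    g = parse_global(conf)
    failed = signing_failures(log)
    ipc = g.get("clientipcsigning")
    recommend: List[str] = []
    # The thread found that only this setting restored logins on the member;
    # "client signing" / "server signing" alone did not.
    if (failed or NO_LOGON in log) and ipc is None:
        recommend.append("client ipc signing = auto")
    return {"signing_failures": failed, "no_logon_servers": NO_LOGON in log,
            "client_ipc_signing": ipc, "recommend": recommend}


# Constructed sample input modelled on the output pasted in this report.
SAMPLE_LOG = """\
Connecting to host=192.168.6.91
Connecting to 192.168.6.91 at port 445
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Connecting to host=fileserv2.samdom.example.org
Connecting to 192.168.6.92 at port 445
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
session setup failed: NT_STATUS_NO_LOGON_SERVERS
"""

CONF_BEFORE = """\
[global]
        workgroup = SAMDOM
        security = ADS
        realm = samdom.example.org
        # client ipc signing = auto
[homes]
        client ipc signing = auto
"""
# Same file with the setting really enabled (mixed case on purpose).
CONF_AFTER = CONF_BEFORE.replace("# client ipc signing = auto",
                                 "Client IPC Signing = auto")
```

The commented-out line and the copy under [homes] in CONF_BEFORE are deliberate: neither puts the parameter in [global], so the helper still recommends adding it.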

Alexander Skiba (ghostlyrics) wrote :

Do you want to mark this as resolved/closed/fixed/whatever the correct status on launchpad is?

RedScourge (redscourge) on 2016-05-08
Changed in samba (Ubuntu):
status: Confirmed → Fix Released