Windows 11 22H2 and Samba-AD login issue
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba (Ubuntu) | Invalid | High | Unassigned |
Bionic | Fix Released | High | Andreas Hasenack |
Focal | Fix Released | High | Andreas Hasenack |
Jammy | Fix Released | High | Andreas Hasenack |
Kinetic | Invalid | High | Unassigned |
Lunar | Invalid | High | Unassigned |
Bug Description
[ Impact ]
An up-to-date Windows 11 22H2 system fails to obtain Kerberos tickets from an affected Samba AD DC. This breaks joining such Windows machines to a Samba Active Directory domain, and also breaks continued use of Windows 11 22H2 machines that are already joined.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installed on the affected Ubuntu release being tested. Similarly, join a different Windows system (for example, Windows 10) to the same Samba domain, to ensure it keeps working and is unaffected by the fix.
For all instances of this test, you need a Samba AD DC. Install a Samba AD DC on the Ubuntu release under test, in a VM or on bare metal (not lxc/lxd):
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/
samba-tool domain provision \
--domain=EXAMPLE --realm=
--server-role=dc --use-rfc2307 --dns-backend=
dns=$(resolvectl status | grep -E "^[[:blank:
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# Install krb5-user, to test with kinit. There should be no debconf prompts, since /etc/krb5.conf is already populated
apt install krb5-user -y
# Test that the ubuntu user can obtain a ticket
kinit ubuntu
The DC is now ready for testing.
a) Join Windows 11 22H2 to the Samba domain
In Windows, change the DNS server to point at the Samba AD DC IP. Then go to Accounts, select "Connect with work or school account", and find the "Join to Active Directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected Samba AD DC version, the join should fail. You can then upgrade the Samba packages on the AD DC, after which the join will work.
Windows will then prompt you for a user that this workstation will use; select "ubuntu". After a reboot, you should be able to log in using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
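Before attempting the join in (a), it helps to know whether the DC you just provisioned is even in the affected version range. The script below is an added example, not part of this bug report or of the Samba or Ubuntu packaging: it turns the statement from [ Other Info ] (Samba 4.16 and later carry a Heimdal snapshot that is not affected) into a check you can source on the DC, then repeats the kinit smoke test from the provisioning steps. The user name "ubuntu" comes from the test plan; the assumption that the Ubuntu backport leaves the version string printed by "samba --version" unchanged is mine, which is why the check can only say "older than 4.16, needs the fix or a backport of it", never "fixed". Only the Windows 11 22H2 join itself verifies that a 4.15 package carries the backport.

```shell
#!/bin/bash
# Added example, not part of the bug report: a pre-flight check to run on the
# Samba AD DC before attempting the Windows 11 22H2 join described above.
# It encodes what the page states: Samba 4.16 and later carry a Heimdal snapshot
# that is not affected, while older versions need the backported Heimdal fix.
# Assumption: the Ubuntu backport does not change the version string that
# "samba --version" reports, so a version check can only say "needs the fix or
# a backport of it", never "is fixed"; the join test is the real verification.

# Print "<major> <minor>" for a string such as "Version 4.15.13-Ubuntu".
# Returns 1 if no dotted version number is found.
samba_major_minor() {
    local ver="$1" major rest minor
    ver="${ver#Version }"
    case "$ver" in
        *.*) ;;
        *) return 1 ;;
    esac
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%[!0-9]*}"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$major" "$minor"
}

# Exit status: 0 = older than 4.16 (needs the Heimdal fix or a backport),
#              1 = 4.16 or newer (not affected), 2 = unparseable version.
samba_needs_win22h2_fix() {
    local mm major minor
    mm=$(samba_major_minor "$1") || return 2
    major="${mm% *}"
    minor="${mm#* }"
    if [ "$major" -lt 4 ]; then
        return 0
    elif [ "$major" -eq 4 ] && [ "$minor" -lt 16 ]; then
        return 0
    fi
    return 1
}

# Live check, to run as root on the DC after the provisioning steps above.
# Reports the version verdict, then repeats the page's own smoke test: the
# domain user (default "ubuntu", from the test plan) must still get a TGT.
check_dc() {
    local user="${1:-ubuntu}" ver rc
    command -v samba >/dev/null 2>&1 || { echo "samba is not installed" >&2; return 2; }
    ver=$(samba --version)
    rc=0
    samba_needs_win22h2_fix "$ver" || rc=$?
    case "$rc" in
        0) echo "$ver: older than 4.16; Windows 11 22H2 joins fail unless the package"
           echo "carries the Heimdal backport (compare with: apt-cache policy samba)" ;;
        1) echo "$ver: 4.16 or newer, not affected" ;;
        *) echo "could not parse: $ver" >&2; return 2 ;;
    esac
    # Smoke test from the provisioning steps: kinit must still work for a domain user.
    kinit "$user" && klist
}
```

Source the file on the DC and run `check_dc` (or `check_dc someuser`) as root; the version functions are pure and can be exercised anywhere. A verdict of "older than 4.16" on a Jammy DC is expected for both the broken and the fixed 4.15 packages, so pair it with "apt-cache policy samba" to see whether the updated package is installed, and treat the Windows 11 22H2 join as the decisive test.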
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https:/
Furthermore, Samba vendors a snapshot of Heimdal in its source tree, and Samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The Samba test suite is not run at package build time, because it requires a different, non-production build.
[Original Description]
This is an advisory for an upcoming fix for Samba AD DC servers.
Without this fix, Samba 4.15 (Ubuntu 22.04) will not be able to work with Win11 22H2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix, I think someone should start backporting this as soon as possible, since this has to go through an SRU process.
see https:/
A 20.04 backport should be doable, since Catalyst apparently backported it down to Samba 4.12.
Related branches
- Merge proposal: git-ubuntu bot: Approve; Lucas Kanashiro (community): Approve; Canonical Server Reporter: Pending (requested)
  Diff: 168 lines (+146/-0), 3 files modified: debian/changelog (+7/-0), debian/patches/series (+1/-0), debian/patches/win-22H2-fix.patch (+138/-0)
- Merge proposal: git-ubuntu bot: Approve; Lucas Kanashiro (community): Approve; Canonical Server Reporter: Pending (requested)
  Diff: 324 lines (+302/-0), 3 files modified: debian/changelog (+7/-0), debian/patches/series (+1/-0), debian/patches/win-22H2-fix.patch (+294/-0)
- Merge proposal: git-ubuntu bot: Approve; Lucas Kanashiro (community): Approve; Canonical Server Reporter: Pending (requested)
  Diff: 324 lines (+302/-0), 3 files modified: debian/changelog (+7/-0), debian/patches/series (+1/-0), debian/patches/win-22H2-fix.patch (+294/-0)
Changed in samba (Ubuntu):
  assignee: nobody → Andreas Hasenack (ahasenack)
  status: Triaged → In Progress
Changed in samba (Ubuntu Jammy):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Focal):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Bionic):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
description: updated
description: updated
description: updated
description: updated
description: updated
tags: added: verification-done-jammy; removed: verification-needed-jammy
description: updated
description: updated
Thanks. Looks like we need to find a way to get Windows 11 22H2 running on a VM to test this...