Windows 11 22H2 and Samba-AD login issue

Bug #1993934 reported by msaxl
This bug affects 18 people
Affects: samba (Ubuntu), status tracked in Lunar

Series    Status         Importance   Assigned to         Milestone
Bionic    Fix Released   High         Andreas Hasenack    -
Focal     Fix Released   High         Andreas Hasenack    -
Jammy     Fix Released   High         Andreas Hasenack    -
Kinetic   Invalid        High         Unassigned          -
Lunar     Invalid        High         Unassigned          -

Bug Description

[ Impact ]

An updated Windows 11 22H2 system fails to obtain Kerberos tickets from an affected Samba AD DC. This breaks joining such Windows machines to a Samba Active Directory domain, and also breaks continued use of Windows 11 22H2 machines that are already joined.

Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.

[ Test Plan ]

The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installed on the affected Ubuntu release under test. Similarly, join a different Windows system (for example, Windows 10) to the same Samba domain, to ensure it keeps working unaffected by the fix.

For all instances of this test you need a Samba AD DC. Install a Samba AD DC server on the Ubuntu release under test, in a VM or on bare metal (not lxc/lxd):

Become root for the rest of the session:
sudo -i

apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}

samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL

dns=$(resolvectl status | grep -E "^[[:blank:]]*Current DNS Server:" | awk '{print $4}')

[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf

unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc

# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off

# Create a samba user in the domain:
samba-tool user create ubuntu

# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated

apt install krb5-user -y

# Test the ubuntu user can obtain a ticket
kinit ubuntu

This is ready for testing now.

a) Join Windows 11 22H2 to the samba domain
In Windows, change the DNS server to point at the Samba AD DC IP. Then go to Accounts, select "Connect to work or school account", and find the "Join this device to a local Active Directory domain" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected Samba AD DC version, the join should fail. Upgrade the Samba packages on the AD DC, and the join will then work.
Windows will then prompt you for a user that this workstation will use; select "ubuntu". After a reboot, you should be able to log in using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".

b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.

[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.

Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.

[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.

Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.

The samba test suite is not run at package build time, because it requires a different, non-production, build.

[Original Description]

This is an advisory for an upcoming fix for samba ADDC servers.

Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix, I think someone should start backporting this as soon as possible, since this has to go through an SRU process.

see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15

a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12

Related branches

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks. Looks like we need to find a way to get windows 11 22H2 running on a VM to test this...

Changed in samba (Ubuntu):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Looks like there is a similar situation with Windows 10 now, which is also getting a "22H2" upgrade

Revision history for this message
Andrew Bartlett (abartlet) wrote :

As mentioned on the Samba bug, the easiest way to test in a VM is with a download of the vNext release of Windows server.

The patch is actually quite low-risk as these things go, and has a regression test. I tested it manually on 4.12 for our customer and 4.15.

Changed in samba (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Revision history for this message
Michael D Labriola (veggiemike) wrote :

Any chance this gets backported to Ubuntu 18.04?

Revision history for this message
Marcel Wagner (wagnerma) wrote (last edit ):

After updating to Windows 11 22H2 I can't login anymore to our Samba-AD domain on Ubuntu 22.04. I have to pull out the network cable to login to my notebook. Using any resources on file servers, etc. is not possible. VERY annoying.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I hear you. I'm working on this now.

tags: added: server-todo
Revision history for this message
msaxl (saxl) wrote :

@wagnerma this issue will not get fixed "immediately" as for a released ubuntu version every update has to go through a SRU process. That takes some time.

If you really need a fix "right now" you have 3.5 options
1) upgrade the dc to ubuntu 22.10
2) compile samba with the patch provided upstream yourself
3) use a ppa that has a version with that patch included (this is what I did, although the ppa is my own; see ppa:saxl/samba)
3.5) use the workarounds mentioned on some forums. Note that these workarounds are not adequate security wise. This is why I don't count it as a full option.

Changed in samba (Ubuntu Jammy):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Focal):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

kinetic and later are not affected, as they have samba 4.16

https://github.com/heimdal/heimdal/issues/1011#issuecomment-1284971166

Changed in samba (Ubuntu Lunar):
status: In Progress → Invalid
Changed in samba (Ubuntu Kinetic):
status: New → Invalid
Changed in samba (Ubuntu Lunar):
assignee: Andreas Hasenack (ahasenack) → nobody
Changed in samba (Ubuntu Kinetic):
importance: Undecided → High
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

While I prepare the official stable release update (SRU), here is the PPA I have been using to test these patches for bionic, focal and jammy, if somebody wants to try out a pre-release build:

https://launchpad.net/~ahasenack/+archive/ubuntu/samba-22h2/

There will be another opportunity for testing from the official *-proposed pocket once the MPs I'm about to file are approved and the SRU team accepts the upload.

description: updated
description: updated
description: updated
Revision history for this message
Alejandro G. García (neopad) wrote :

In my case.

Tested on:

AD: Zentyal 7.0 based on Ubuntu 20.04.5 LTS x64.
Client: Windows 11 x64 22H2 (updated, not clean install, already added to the domain).

Result:

Domain users can login.
Elevation requiring domain admin user credentials is ok.
RSAT tool for managing domain users and groups apparently works fine (create, delete, modify, change groups, etc., but not tested intensively).

Thanks!!

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks for the feedback. The PRs were approved and I just uploaded the packages to the respective unapproved queues of bionic, focal and jammy. It's now in the SRU team's queue waiting for approval.

Revision history for this message
Markus (abisko00) wrote :

Thank you very much for your efforts! Greatly appreciated.

Revision history for this message
Bruce Elrick (virtuous-sloth) wrote :

Fixed typo in test recipe: server-dole -> server-role.

description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello msaxl, or anyone else affected,

Accepted samba into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.15.9+dfsg-0ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello msaxl, or anyone else affected,

Accepted samba into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.13.17~dfsg-0ubuntu1.20.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hey Andreas! I approved focal and jammy, but in bionic I see that the patch is different (misses 1/3 and 2/3) - is it because the test changes were not applicable to samba version on bionic?

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (samba/2:4.15.9+dfsg-0ubuntu0.3)

All autopkgtests for the newly accepted samba (2:4.15.9+dfsg-0ubuntu0.3) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.48.2-0ubuntu1 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> Hey Andreas! I approved focal and jammy, but in bionic I see that the patch is different
> (misses 1/3 and 2/3) - is it because the test changes were not applicable to samba version
> on bionic?

Hi,

yes, and I added this note[1] to the bionic patch about it:

    Ubuntu backport note: removed diff for files that do not exist in this version

1. https://git.launchpad.net/~ahasenack/ubuntu/+source/samba/tree/debian/patches/win-22H2-fix.patch?h=bionic-samba-win-22h2-fixes#n21

Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

The gvfs failing dep8 test on jammy passed after a retry, and all tests are green now.

Revision history for this message
Andrew Bartlett (abartlet) wrote :

Per comment #19 it would be clearer to say: Removed diff chunks in the patch for the Kerberos protocol tests that are not present in this older version of Samba.

These tests have no role in the runtime operation of the system, so this is safe, particularly if the change has been manually verified.

Revision history for this message
Andrew Bartlett (abartlet) wrote :

Thanks ahasenack for your work to get this fix backported for our users, it is much appreciated.

Revision history for this message
Garrett E. Culver (nuangel) wrote :

Thrilled to see that this backport is imminent. No-Coding-Experience SysAdmins everywhere appreciate your hard work. I'll be updating my jammy-updates feed frequently and eagerly await this fix on my 22.04.1 server. Thank you all!

description: updated
description: updated
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello msaxl, or anyone else affected,

Accepted samba into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.29 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.29)

All autopkgtests for the newly accepted samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.29) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.36.1-0ubuntu1.3.3 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Mario (marioqxy) wrote :

Just wanted to say thank you! Currently I rolled back the Win 11 22H2 update and stayed with 22.04.1. Was about to upgrade to 22.10 and tested it already successfully in the VM. Your work prevented me from doing this, so I can stay with the LTS branch. I'll wait for the update to show up after 30.11 + 7 days and then update to Win11 22H2! Once again, thank you!

Revision history for this message
Jeff Glancy (jeffglancy) wrote :

I had to revert Windows 11 22H2 updates weeks ago after being unable to log into AD and coming across this bug. This afternoon I updated my Ubuntu 22.04 AD servers with the 2:4.15.9+dfsg-0ubuntu0.3/jammy-proposed update. After installing 22H2 again I have no issues logging in and accessing AD resources.

Revision history for this message
Garrett E. Culver (nuangel) wrote :

I downloaded to a test environment (Hyper-V Ubuntu 21.04 and Windows 10 22H2 machines) last night and had no issues joining my Windows machine to my Ubuntu machine and browsing file shares.

Seems solid to me. Any idea when we can expect this thing to go live? Looking forward to patching my production machines without having to resort to the "proposed" branch.

description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Jammy verification

AD DC installed and configured on jammy, ubuntu user created.

Using the jammy samba packages, trying to join a windows 11 22H2 machine to the domain fails.

root@j-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.15.9+dfsg-0ubuntu0.2
  Candidate: 2:4.15.9+dfsg-0ubuntu0.2
  Version table:
 *** 2:4.15.9+dfsg-0ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status

I then updated to the packages in proposed:
root@j-ad:~# dpkg -l | grep 4.15.9
ii libsmbclient:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba winbind client library
ii python3-samba 2:4.15.9+dfsg-0ubuntu0.3 amd64 Python 3 bindings for Samba
ii samba 2:4.15.9+dfsg-0ubuntu0.3 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.9+dfsg-0ubuntu0.3 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.15.9+dfsg-0ubuntu0.3 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.9+dfsg-0ubuntu0.3 amd64 service to resolve user and group information from Windows NT servers
root@j-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.15.9+dfsg-0ubuntu0.3
  Candidate: 2:4.15.9+dfsg-0ubuntu0.3
  Version table:
 *** 2:4.15.9+dfsg-0ubuntu0.3 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.9+dfsg-0ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     2:4.15.5~dfsg-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

And the join worked immediately afterwards:

root@j-ad:~# samba-tool computer list
J-AD$
WIN11H22$ <-----

And a domain user can login in windows 11 just fine.

I still need to join a Windows 10 to the domain for that part of the test plan.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Removed the win11 machine, joined a windows 10 one:

root@j-ad:~# samba-tool computer list
DESKTOP-QDCU1C5$
J-AD$

Jammy verification succeeded.

tags: added: verification-done-jammy
removed: verification-needed-jammy
description: updated
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm having hilarious problems with windows 10 just trying to change some local configs, prior to trying a domain join

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm having hilarious problems with windows 10 just trying to change some local configs, prior to trying a domain join

Revision history for this message
Andreas Hasenack (ahasenack) wrote :
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

And apparently launchpad also thinks it's funny

Revision history for this message
Garrett E. Culver (nuangel) wrote :

@Andreas - that's prior to joining a domain?? Oh lord. hahaha... I'm tempted to ask if your Win10 user is a local administrator, but even if they weren't I don't think THAT is what the screen would normally look like. That's more of a display/graphics issue of some kind? Is your Windows 10 running inside a VM? I'd be tempted to check device manager and see if it's showing any issues with hardware, or run Windows Update and see if it offers a generic graphics driver update?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Focal verification

With focal samba packages installed:
root@f-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.13.17~dfsg-0ubuntu1.20.04.1
  Candidate: 2:4.13.17~dfsg-0ubuntu1.20.04.1
  Version table:
 *** 2:4.13.17~dfsg-0ubuntu1.20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status

Domain join from windows 11 does not work.
Then, while windows 11 was still showing the error in its gui, I updated the samba packages to the versions in proposed:
root@f-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.13.17~dfsg-0ubuntu1.20.04.2
  Candidate: 2:4.13.17~dfsg-0ubuntu1.20.04.2
  Version table:
 *** 2:4.13.17~dfsg-0ubuntu1.20.04.2 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.13.17~dfsg-0ubuntu1.20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages

And just tried again in windows 11, and this time the join worked.

root@f-ad:~# samba-tool computer list
WIN11H22$
F-AD$

I won't be doing the windows 10 join test, as it was done already for jammy, and for some reason it's a pain to reset a win10 machine to the pre-join state (and I can't use VM snapshots because it's UEFI boot, for some reason that is not supported).

Focal verification succeeded.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Bionic verification

Domain join from windows 11 fails when the bionic samba AD DC is provisioned with the normal bionic packages:

root@b-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.7.6+dfsg~ubuntu-0ubuntu2.28
  Candidate: 2:4.7.6+dfsg~ubuntu-0ubuntu2.28
  Version table:
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.28 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status

Updating to bionic-proposed packages:
root@b-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.7.6+dfsg~ubuntu-0ubuntu2.29
  Candidate: 2:4.7.6+dfsg~ubuntu-0ubuntu2.29
  Version table:
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.29 500
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.7.6+dfsg~ubuntu-0ubuntu2.28 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2:4.7.6+dfsg~ubuntu-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

And just trying again in windows 11 after the bionic update worked.

The samba-tool script in bionic does not have the option to list domain computers unfortunately, so I can't paste its output here. But I tested a domain logon from that windows 11 machine, and that worked.

Bionic verification succeeded.

tags: added: verification-done-bionic verification-done-focal
removed: verification-needed-bionic verification-needed-focal
Revision history for this message
Ron Garcia-Vidal (r3n) wrote (last edit ):

Apologies if this is the wrong place to post this, but I have upgraded to Samba 4.16.4 on Kinetic (Server is the sole AD on the domain). Previously, I was on Jammy and 4.15.9 in Jammy.

I'm able to join my Win11 22H2, and log in as a domain user, but any other domain activities, such as running the Active Directory Users & Groups app or even trying to select a domain user when changing ownership of a file (I'm a Domain Admin) fails. I was able to do this successfully before upgrading to Win11 and am still able to do it from a Win10 computer. I updated because I thought 4.16 had corrected this. Is there anything else I need to do/enable?

The samba log shows the following:

[2022/12/07 11:20:06.399155, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2022/12/07 11:20:06.408246, 5] ../../source4/ldap_server/ldap_backend.c:783(ldapsrv_SearchRequest)
  ldb_request BASE dn= filter=(objectclass=*)
[2022/12/07 11:20:06.411301, 5] ../../source4/ldap_server/ldap_backend.c:975(ldapsrv_SearchRequest)
  ldapsrv_SearchRequest: LDAP Query: Duration was 0.00s, SearchRequest by S-1-5-7 from ipv4:192.168.3.230:62160 filter: [(objectclass=*)] basedn: [] scope: [
BASE] result: Success
[2022/12/07 11:20:06.418530, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2022/12/07 11:20:06.418728, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2022/12/07 11:20:06.418843, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ <email address hidden> from ipv4:XXX.XXX.XXX.XXX:62161 for <email address hidden>
[2022/12/07 11:20:06.421842, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.423682, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.424602, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.426264, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.427052, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.427650, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client (<email address hidden>) from ipv4:XXX.XXX.XXX.XXX:62161 has no common enctypes with KDC to use for the session key
[2022/12/07 11:20:06.427770, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: as-req: sending error: -1765328370 to client
[2022/12/07 11:20:06.427866, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Making non-FAST KRB-ERROR
[2022/12/07 11:20:06.428124, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.009605
[2022/12/07 11:20:06.428245, 3] ../../source4/auth/kerberos/krb5_ini...

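A defender reading a KDC log like the one above wants to know which clients the KDC is rejecting and why. The following Python script is an added example for this thread, not Samba or Heimdal code: it pairs Samba's header lines with their message lines, collects each AS-REQ that ended in a KRB-ERROR, and translates the numeric error (the -1765328370 logged above is KRB5KDC_ERR_NONE, -1765328384, plus RFC 4120 error number 14, i.e. KRB5KDC_ERR_ETYPE_NOSUPP). The sample log lines, the principal alice@EXAMPLE.SAMBA (the realm from the test plan) and the addresses 192.0.2.10/11 are constructed.

```python
"""Scan Samba AD DC log lines (Heimdal KDC debug output) for rejected AS-REQs.

Constructed example for this bug thread, not Samba or Heimdal code. The
sample log copies the line format of the excerpt above with an invented
principal and documentation IP addresses.
"""
import re
from collections import Counter

# com_err style codes: KRB5KDC_ERR_NONE is -1765328384 and the RFC 4120
# KDC error number is added to it, so -1765328370 in the log is code 14.
KRB5KDC_ERR_NONE = -1765328384
KDC_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}

HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), (\d+)\]")
ASREQ_RE = re.compile(r"Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):(\d+) for (\S+)")
NOETYPE_RE = re.compile(
    r"Kerberos: Client \((\S+)\) from ipv4:([\d.]+):(\d+) has no common enctypes")
ERROR_RE = re.compile(r"Kerberos: as-req: sending error: (-?\d+) to client")

# Constructed sample: one AS-REQ rejected for enctype mismatch, one that
# produced no error and must therefore not appear in the result.
SAMPLE_LOG = """\
[2022/12/07 11:20:06.418843, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ alice@EXAMPLE.SAMBA from ipv4:192.0.2.10:62161 for krbtgt/EXAMPLE.SAMBA@EXAMPLE.SAMBA
[2022/12/07 11:20:06.421842, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=example,DC=samba NULL -> 1
[2022/12/07 11:20:06.427650, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client (alice@EXAMPLE.SAMBA) from ipv4:192.0.2.10:62161 has no common enctypes with KDC to use for the session key
[2022/12/07 11:20:06.427770, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: as-req: sending error: -1765328370 to client
[2022/12/07 11:20:06.427866, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Making non-FAST KRB-ERROR
[2022/12/07 11:20:09.100000, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ bob@EXAMPLE.SAMBA from ipv4:192.0.2.11:50000 for krbtgt/EXAMPLE.SAMBA@EXAMPLE.SAMBA
"""


def krb_error_name(code):
    """Translate a numeric error from the log into its RFC 4120 name."""
    return KDC_ERROR_NAMES.get(code - KRB5KDC_ERR_NONE, "UNKNOWN(%d)" % code)


def parse_kdc_log(lines):
    """Return one record per AS-REQ that ended in a KRB-ERROR.

    Samba writes a header "[timestamp, level] file:line(func)" and the message
    on the following line, so the two are paired. The failure and error lines
    follow the AS-REQ line of the same request, so an error is attributed to
    the most recent AS-REQ (a simplification if several KDC worker processes
    interleave their writes into one log file).
    """
    records, timestamp, current = [], None, None
    for raw in lines:
        header = HEADER_RE.match(raw)
        if header:
            timestamp = header.group(1)
            continue
        msg = raw.strip()
        m = ASREQ_RE.search(msg)
        if m:
            current = {"time": timestamp, "client": m.group(1), "ip": m.group(2),
                       "port": int(m.group(3)), "service": m.group(4), "reason": None}
            continue
        m = NOETYPE_RE.search(msg)
        if m:
            same = current is not None and (current["ip"], current["port"]) == (m.group(2), int(m.group(3)))
            if not same:  # failure line without its AS-REQ line (e.g. log rotated)
                current = {"time": timestamp, "client": m.group(1), "ip": m.group(2),
                           "port": int(m.group(3)), "service": None, "reason": None}
            current["reason"] = "no common enctypes"
            continue
        m = ERROR_RE.search(msg)
        if m and current is not None:
            code = int(m.group(1))
            current["error_code"] = code
            current["error_name"] = krb_error_name(code)
            records.append(current)
            current = None
    return records


def failures_by_client(records):
    """Count rejected AS-REQs per client principal, for a quick triage view."""
    return dict(Counter(r["client"] for r in records))


if __name__ == "__main__":
    for r in parse_kdc_log(SAMPLE_LOG.splitlines()):
        print(r["time"], r["client"], r["ip"], r["reason"], r["error_name"])
    print(failures_by_client(parse_kdc_log(SAMPLE_LOG.splitlines())))
```

Run it over the DC's own log (the lines in the excerpt were written at debug level 3, so the log level has to be at least that) by replacing SAMPLE_LOG with the file contents; a burst of KRB5KDC_ERR_ETYPE_NOSUPP records from one client after a Windows feature update is the signature of the negotiation failure discussed in this bug.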

Revision history for this message
Garrett E. Culver (nuangel) wrote :

@R3N - has your Windows 10 computer upgraded to the 22H2 release yet, or not? It likely has not, which would explain why it still works, but I want to be sure.

Revision history for this message
Ron Garcia-Vidal (r3n) wrote (last edit ):

@nuangel, you are correct, the Win10 machine is still at 21H2

Revision history for this message
Ron Garcia-Vidal (r3n) wrote :

I want to add, I found this reddit thread that details the root cause:

https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/

But it says that the Heimdal 8.0pre used in Samba 4.16 and higher has fixed the issue. That's what's making me think that there's something wrong in my installation.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.15.9+dfsg-0ubuntu0.3

---------------
samba (2:4.15.9+dfsg-0ubuntu0.3) jammy; urgency=medium

  * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
    clients (LP: #1993934)

 -- Andreas Hasenack <email address hidden> Tue, 08 Nov 2022 10:59:27 -0300

Changed in samba (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for samba has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.13.17~dfsg-0ubuntu1.20.04.2

---------------
samba (2:4.13.17~dfsg-0ubuntu1.20.04.2) focal; urgency=medium

  * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
    clients (LP: #1993934)

 -- Andreas Hasenack <email address hidden> Tue, 08 Nov 2022 11:35:28 -0300

Changed in samba (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.29

---------------
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.29) bionic; urgency=medium

  * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
    clients (LP: #1993934)

 -- Andreas Hasenack <email address hidden> Wed, 09 Nov 2022 11:42:14 -0300

Changed in samba (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Ron Garcia-Vidal (r3n) wrote :

Posting this for others who encounter my issue: I'd found a workaround for adding my Win11 22H2 laptop to the Samba 4.15.X AD and for logging into the computer as a domain user. That entailed modifying Local Security Policy > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos, and checking only DES_CBC_CRC and DES_CBC_MD5. This worked for those two functions.

The reason for the problem opening AD tools and getting user listings from my Win11 box was that I hadn't reversed that change when I upgraded to Samba 4.16.X. I did so and now everything works flawlessly. Thanks all.

Revision history for this message
Jan Bubík (jbubik) wrote :

Anyone having login issues even after applying this fix please read this:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/linux-accounts-cannot-get-aes-tickets

It may be your Samba host's LDAP entry operatingSystemVersion attribute causing this.
Numerical values less than 6 are interpreted as "not AES capable OS" by recent Windows updates.
Change value "4.x.x" to "Samba 4.x.x" and reboot Windows machine. Did the trick for me.

Revision history for this message
Frank Rochlitzer (f-rochlitzer) wrote :

We've tried the solution from @Jan Bubík and checked the "operatingSystemVersion" of the DCs.
Both DCs (one is Zentyal 7, the other is Ubuntu 20.04) don't have this setting set. We've set this to "Samba 4.x.x" as @Jan suggested. While checking this we noticed that on the Zentyal DC the value for "msDS-SupportedEncryptionTypes" was not set, while the setting was set on the Ubuntu 20.04 DC. Maybe this was caused by the Zentyal being a system upgraded from Ubuntu 18.04, while the Ubuntu 20.04 was a fresh installation. Maybe someone can check this? We've set "msDS-SupportedEncryptionTypes" to (int) 31, which seems to be the default value for samba.

It seems that "operatingSystemVersion" is a mandatory setting because of "schemaFlagsEx: FLAG_ATTR_IS_CRITICAL" in https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/linux-accounts-cannot-get-aes-tickets

If we now set, in the Local Security Policy or in a GPO > Local Policies > Security Options > Network security: "Configure encryption types allowed for Kerberos", and disallow DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5, a login seems to work, but if you start an application with "run as administrator" and enter domain credentials, the authentication fails. Running 'gpupdate' also fails with (translated from the German output):
```
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read registry-based policy settings for the Group Policy object "LDAP://CN=Machine,CN={xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx},CN=Policies,CN=System,DC=xxxxx,DC=xx". Group Policy settings must not be enforced until this event is resolved. View the event details for more information on the file name and path that caused the failure.
User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read registry-based policy settings for the Group Policy object "LDAP://CN=User,CN={xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx},CN=Policies,CN=System,DC=xxxxx,DC=xx". Group Policy settings must not be enforced until this event is resolved. View the event details for more information on the file name and path that caused the failure.
```
Only if we additionally allow RC4_HMAC_MD5 and above (disabling only DES_CBC_CRC and DES_CBC_MD5) does everything seem to work properly (gpupdate, runas administrator, login).

System info:
Server: Ubuntu 20.04 LTS with samba 2:4.13.17~dfsg-0ubuntu1.20.04.5
Clients: Windows 10 22H2 latest updates installed, Windows 11 22H2 latest updates installed
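
The two attribute checks described in the comments by Jan Bubík and Frank Rochlitzer above, as an added example that is not part of this bug report or of Samba itself: a Python script that audits `ldbsearch` output for the computer objects' `operatingSystemVersion` and `msDS-SupportedEncryptionTypes` values and emits an LDIF modify record for `ldbmodify`. The LDIF input, the DN names and the domain example.samba are constructed for the example. The etype bit values are the ones Microsoft documents for `msDS-SupportedEncryptionTypes` (1 DES_CBC_CRC, 2 DES_CBC_MD5, 4 RC4_HMAC, 8 AES128_CTS_HMAC_SHA1_96, 16 AES256_CTS_HMAC_SHA1_96; 31 is all five, the value the comment calls the Samba default). The "major version below 6 means not AES capable" rule is a simplification taken from Jan's description of the Windows behaviour, not from any Windows source.

```python
"""Audit Samba AD computer objects for the two attributes discussed in the
thread: msDS-SupportedEncryptionTypes (a bitmask) and operatingSystemVersion
(which recent Windows builds read as a version number when it starts with a
digit). Added example; the sample LDIF below is constructed, not real output.
"""
import re

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
ENC_TYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES_MASK = 0x08 | 0x10

# Constructed sample in the shape ldbsearch prints (hypothetical DNs/domain).
SAMPLE_LDIF = """\
# record 1
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=samba
operatingSystemVersion: 4.13.17
msDS-SupportedEncryptionTypes: 31

# record 2
dn: CN=DC2,OU=Domain Controllers,DC=example,DC=samba
operatingSystemVersion: Samba 4.16.8

# record 3
dn: CN=WIN11,CN=Computers,DC=example,DC=samba
operatingSystemVersion: 10.0 (22621)
msDS-SupportedEncryptionTypes: 28
"""


def parse_ldif(text):
    """Split ldbsearch LDIF into {dn: {attr: value}} (single-valued attrs)."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[attr] = value
    return entries


def decode_enc_types(value):
    """Return the etype names whose bits are set in the attribute value."""
    bits = int(value)
    names = [name for bit, name in ENC_TYPE_BITS.items() if bits & bit]
    unknown = bits & ~sum(ENC_TYPE_BITS)  # keep surprises visible
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def version_looks_legacy(osver):
    """Heuristic from the thread (assumption, not Windows source): a value
    starting with a digit is parsed as a version, and major < 6 is treated as
    'not AES capable'. A non-numeric prefix such as 'Samba ' avoids that."""
    match = re.match(r"(\d+)", osver or "")
    return match is not None and int(match.group(1)) < 6


def audit(entries):
    """Return {dn: [problem, ...]} for objects that need attention."""
    findings = {}
    for dn, attrs in entries.items():
        problems = []
        osver = attrs.get("operatingSystemVersion")
        if version_looks_legacy(osver):
            problems.append("operatingSystemVersion %r parses as major < 6" % osver)
        enc = attrs.get("msDS-SupportedEncryptionTypes")
        if enc is None:
            problems.append("msDS-SupportedEncryptionTypes not set")
        elif not int(enc) & AES_MASK:
            problems.append("no AES etype in msDS-SupportedEncryptionTypes")
        if problems:
            findings[dn] = problems
    return findings


def fix_ldif(dn, osver=None, enc_types=None):
    """Build an LDIF modify record for ldbmodify; None leaves an attr alone."""
    lines = ["dn: " + dn, "changetype: modify"]
    if osver is not None:
        lines += ["replace: operatingSystemVersion",
                  "operatingSystemVersion: " + osver, "-"]
    if enc_types is not None:
        lines += ["replace: msDS-SupportedEncryptionTypes",
                  "msDS-SupportedEncryptionTypes: %d" % enc_types, "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dn, problems in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(dn)
        for problem in problems:
            print("  -", problem)
    print(fix_ldif("CN=DC1,OU=Domain Controllers,DC=example,DC=samba",
                   osver="Samba 4.13.17", enc_types=31))
```

On a DC the input would come from `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=computer)' operatingSystemVersion msDS-SupportedEncryptionTypes`, and the generated record is applied with `ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif`; as Jan's comment says, reboot the Windows machine afterwards. Setting 31 keeps DES and RC4 enabled on the account, which is the Samba default the comment reports, not a hardening recommendation.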
