2022-10-23 09:37:55 |
msaxl |
bug |
|
|
added bug |
2022-10-24 14:26:50 |
Andreas Hasenack |
samba (Ubuntu): status |
New |
Triaged |
|
2022-10-24 14:26:52 |
Andreas Hasenack |
samba (Ubuntu): importance |
Undecided |
High |
|
2022-10-24 14:27:01 |
Andreas Hasenack |
bug |
|
|
added subscriber Canonical Server |
2022-10-24 14:27:08 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Server |
2022-10-28 20:17:50 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2022-10-28 20:17:55 |
Andreas Hasenack |
samba (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
2022-10-28 20:17:58 |
Andreas Hasenack |
samba (Ubuntu): status |
Triaged |
In Progress |
|
2022-11-01 10:04:45 |
Sebastian Chrostek |
bug |
|
|
added subscriber Sebastian Chrostek |
2022-11-04 11:01:36 |
brot |
bug |
|
|
added subscriber brot |
2022-11-04 13:39:53 |
Markus |
bug |
|
|
added subscriber Markus |
2022-11-05 15:02:16 |
Marco Querci |
bug |
|
|
added subscriber Marco Querci |
2022-11-07 11:27:25 |
Kevin de Bie |
bug |
|
|
added subscriber Kevin de Bie |
2022-11-07 14:30:07 |
Andreas Hasenack |
tags |
|
server-todo |
|
2022-11-08 14:01:40 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Jammy |
|
2022-11-08 14:01:40 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Jammy) |
|
2022-11-08 14:01:56 |
Andreas Hasenack |
samba (Ubuntu Jammy): status |
New |
In Progress |
|
2022-11-08 14:01:58 |
Andreas Hasenack |
samba (Ubuntu Jammy): importance |
Undecided |
High |
|
2022-11-08 14:02:00 |
Andreas Hasenack |
samba (Ubuntu Jammy): assignee |
|
Andreas Hasenack (ahasenack) |
|
2022-11-08 14:16:21 |
Jonathan Kaulard |
bug |
|
|
added subscriber Jonathan Kaulard |
2022-11-09 14:17:23 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Focal |
|
2022-11-09 14:17:23 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Focal) |
|
2022-11-09 14:17:30 |
Andreas Hasenack |
samba (Ubuntu Focal): status |
New |
In Progress |
|
2022-11-09 14:17:32 |
Andreas Hasenack |
samba (Ubuntu Focal): importance |
Undecided |
High |
|
2022-11-09 14:17:34 |
Andreas Hasenack |
samba (Ubuntu Focal): assignee |
|
Andreas Hasenack (ahasenack) |
|
2022-11-09 15:55:24 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Bionic |
|
2022-11-09 15:55:24 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Bionic) |
|
2022-11-09 15:55:31 |
Andreas Hasenack |
samba (Ubuntu Bionic): status |
New |
In Progress |
|
2022-11-09 15:55:34 |
Andreas Hasenack |
samba (Ubuntu Bionic): importance |
Undecided |
High |
|
2022-11-09 15:55:36 |
Andreas Hasenack |
samba (Ubuntu Bionic): assignee |
|
Andreas Hasenack (ahasenack) |
|
2022-11-09 18:17:11 |
Andreas Hasenack |
bug watch added |
|
https://github.com/heimdal/heimdal/issues/1011 |
|
2022-11-09 18:17:20 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Kinetic |
|
2022-11-09 18:17:20 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Kinetic) |
|
2022-11-09 18:17:20 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Lunar |
|
2022-11-09 18:17:20 |
Andreas Hasenack |
bug task added |
|
samba (Ubuntu Lunar) |
|
2022-11-09 18:18:23 |
Andreas Hasenack |
samba (Ubuntu Lunar): status |
In Progress |
Invalid |
|
2022-11-09 18:18:26 |
Andreas Hasenack |
samba (Ubuntu Kinetic): status |
New |
Invalid |
|
2022-11-09 18:18:36 |
Andreas Hasenack |
samba (Ubuntu Lunar): assignee |
Andreas Hasenack (ahasenack) |
|
|
2022-11-09 18:18:41 |
Andreas Hasenack |
samba (Ubuntu Kinetic): importance |
Undecided |
High |
|
2022-11-09 19:42:34 |
Andreas Hasenack |
description |
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-11-09 20:03:55 |
Andreas Hasenack |
description |
[ Impact ]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
TBD
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-11-09 20:18:55 |
Andreas Hasenack |
description |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
TBD
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test:
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-dole=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-11-09 20:28:44 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/432766 |
|
2022-11-09 20:29:04 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/432767 |
|
2022-11-09 20:29:24 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/432768 |
|
2022-11-16 16:56:35 |
Sebastian Chrostek |
removed subscriber Sebastian Chrostek |
|
|
|
2022-11-19 12:03:06 |
mkaraki |
bug |
|
|
added subscriber mkaraki |
2022-11-29 22:02:53 |
Bruce Elrick |
bug |
|
|
added subscriber Bruce Elrick |
2022-11-29 22:09:02 |
Bruce Elrick |
description |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test:
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-dole=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test:
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-11-30 08:19:41 |
Łukasz Zemczak |
samba (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-11-30 08:19:43 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-11-30 08:19:44 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2022-11-30 08:19:52 |
Łukasz Zemczak |
tags |
server-todo |
server-todo verification-needed verification-needed-jammy |
|
2022-11-30 08:30:20 |
Łukasz Zemczak |
samba (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2022-11-30 08:30:31 |
Łukasz Zemczak |
tags |
server-todo verification-needed verification-needed-jammy |
server-todo verification-needed verification-needed-focal verification-needed-jammy |
|
2022-12-01 20:05:43 |
Andreas Hasenack |
description |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test:
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test either in an actual machine, or a VM (LXD may not work out of the box, see https://github.com/lxc/lxd/issues/3442#issuecomment-312560949):
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-12-01 22:39:49 |
Bruce Elrick |
description |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test either in an actual machine, or a VM (LXD may not work out of the box, see https://github.com/lxc/lxd/issues/3442#issuecomment-312560949):
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test:
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-12-02 12:43:41 |
Timo Aaltonen |
samba (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2022-12-02 12:44:13 |
Timo Aaltonen |
tags |
server-todo verification-needed verification-needed-focal verification-needed-jammy |
server-todo verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy |
|
2022-12-06 20:05:57 |
Andreas Hasenack |
description |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test:
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test, in a VM or bare metal (not lxc/lxd):
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-12-07 13:00:08 |
Andreas Hasenack |
tags |
server-todo verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy |
server-todo verification-done-jammy verification-needed verification-needed-bionic verification-needed-focal |
|
2022-12-07 13:14:09 |
Andreas Hasenack |
description |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test, in a VM or bare metal (not lxc/lxd):
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep ^Current | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test, in a VM or bare metal (not lxc/lxd):
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep -E "^[[:blank:]]*Current" | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-12-07 13:16:55 |
Andreas Hasenack |
description |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test, in a VM or bare metal (not lxc/lxd):
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep -E "^[[:blank:]]*Current" | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
[ Impact ]
An updated Windows 11 22H2 system fails to obtain kerberos tickets from an affected Samba AD DC server. This impacts joining such windows machines to a Samba Active Directory server, or even continued usage of already joined windows 11 22H2 machines.
Note that the fix is in the Heimdal Kerberos code, which is embedded inside Samba.
[ Test Plan ]
The test involves joining an up-to-date Windows 11 22H2 system to a Samba AD DC installation on the affected Ubuntu release being tested. And similarly, join a different windows system (for example, windows 10) to the same samba domain, to ensure it keeps working unaffected by the fix.
For all instances of this test, you need a samba AD DC. Install a samba AD DC server on the Ubuntu release under test, in a VM or bare metal (not lxc/lxd):
Become root for the rest of the session:
sudo -i
apt update
apt install -y samba winbind smbclient
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
mv /etc/samba/smb.conf{,orig}
samba-tool domain provision \
--domain=EXAMPLE --realm=EXAMPLE.SAMBA --adminpass=Passw0rd \
--server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL
dns=$(resolvectl status | grep -E "^[[:blank:]]*Current DNS Server:" | awk '{print $4}')
[ -n "$dns" ] && \
sed -r -i "s,dns forwarder = .*,dns forwarder = ${dns}," \
/etc/samba/smb.conf
unlink /etc/resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
echo "search example.samba" >> /etc/resolv.conf
systemctl stop systemd-resolved
systemctl disable systemd-resolved
mv /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
# relax the password settings to make it easier to test
samba-tool domain passwordsettings set --min-pwd-age=0 --complexity=off
# Create a samba user in the domain:
samba-tool user create ubuntu
# install krb5-user, to test with kinit. There should be no debconf prompts, since we have an /etc/krb5.conf already populated
apt install krb5-user -y
# Test the ubuntu user can obtain a ticket
kinit ubuntu
This is ready for testing now.
a) Join Windows 11 22H2 to the samba domain
In windows, change the DNS server to point at the samba AD DC IP. Then go to accounts, select connect with work or school account, and find the "join to active directory" link.
Type in the "example.samba" domain, and it should prompt you for credentials to join the domain. Use Administrator for the user, and Passw0rd for the password.
With the affected samba AD DC version, the join should fail. You can then upgrade the samba packages on the AD DC, and then the join will work.
Windows will then prompt you for a user that this workstation will use, select "ubuntu". After a reboot, you should be able to login using the domain credentials of the "ubuntu" user you created earlier with "samba-tool".
b) Join Windows 10 to the domain
Follow the same steps as in (a), but using Windows 10.
[ Where problems could occur ]
The upstream Heimdal issue is not yet closed, so things could still change. I did check the commit history and didn't spot any further changes in this area.
Nonetheless, the change is in a critical part of the code used for authentication. If there are problems here, the impact could range from failures to authenticate, to actual security vulnerabilities.
[ Other Info ]
What can be a bit confusing to someone reading this bug is that the commit (https://github.com/heimdal/heimdal/commit/ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e) that fixed the issue was done prior to the bug (https://github.com/heimdal/heimdal/issues/1011) being opened. This is probably because there has been no new upstream heimdal release with the fix yet, so users experiencing the bug had no new official version to test.
Furthermore, samba vendors a snapshot of Heimdal in its source tree, and samba versions 4.16 and later have a recent enough snapshot that is not affected by this problem.
The samba test suite is not run at package build time, because it requires a different, non-production, build.
[Original Description]
This is an advisor for an upcoming fix for samba ADDC servers.
Without this fix samba 4.15 (ubuntu 22.04) will not be able to work with win11 22h2 clients.
Microsoft is rolling out this version now. Since upstream has prepared a fix I think someone should start backporting this as soon as possible since this has to go through a sru process
see https://bugzilla.samba.org/show_bug.cgi?id=15197#c15
a 20.04 backport should be doable since Catalyst apparently backported it down to samba 4.12 |
|
2022-12-07 13:22:39 |
Andreas Hasenack |
attachment added |
|
Screenshot from 2022-12-07 10-19-29.png https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934/+attachment/5635087/+files/Screenshot%20from%202022-12-07%2010-19-29.png |
|
2022-12-07 13:22:41 |
Andreas Hasenack |
attachment added |
|
Screenshot from 2022-12-07 10-19-29.png https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934/+attachment/5635088/+files/Screenshot%20from%202022-12-07%2010-19-29.png |
|
2022-12-07 13:22:43 |
Andreas Hasenack |
attachment added |
|
Screenshot from 2022-12-07 10-19-29.png https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934/+attachment/5635089/+files/Screenshot%20from%202022-12-07%2010-19-29.png |
|
2022-12-07 14:10:47 |
Andreas Hasenack |
tags |
server-todo verification-done-jammy verification-needed verification-needed-bionic verification-needed-focal |
server-todo verification-done-bionic verification-done-focal verification-done-jammy verification-needed |
|
2022-12-07 18:04:26 |
Ron Garcia-Vidal |
bug |
|
|
added subscriber Ron Garcia-Vidal |
2022-12-07 20:20:59 |
Launchpad Janitor |
samba (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-12-07 20:21:05 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-12-07 20:21:26 |
Launchpad Janitor |
samba (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2022-12-07 20:21:46 |
Launchpad Janitor |
samba (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2022-12-08 03:36:37 |
RedScourge |
bug |
|
|
added subscriber RedScourge |
2022-12-08 07:00:45 |
Rini van Zetten |
removed subscriber Rini van Zetten |
|
|
|
2023-02-10 23:53:57 |
Jérémie Faucher-Goulet |
bug |
|
|
added subscriber Jérémie Faucher-Goulet |
2023-11-30 21:46:23 |
Rafał Niewiński |
bug |
|
|
added subscriber Rafał Niewiński |