Can not authenticate on Windows after upgrading samba AD packages to version 2:4.13.17~dfsg-0ubuntu1.20.04.4

Status changed to 'Confirmed' because the bug affects multiple users.

Also seeing this regression, but can't find a way to downgrade to 2:4.13.17~dfsg-0ubuntu1.20.04.2

@tomjudge: indeed, packages 2:4.13.17~dfsg-0ubuntu1.20.04.2 was still available on http://archive.ubuntu.com/ubuntu/pool/main/s/samba/ yesterday, but not today.

Well, this was a fun way to spend ~10 hours debugging something.

This worked for me, YMMV
apt-get install samba=2:4.11.6+dfsg-0ubuntu1 samba-common=2:4.11.6+dfsg-0ubuntu1 samba-common-bin=2:4.11.6+dfsg-0ubuntu1 libwbclient0=2:4.11.6+dfsg-0ubuntu1 samba-libs=2:4.11.6+dfsg-0ubuntu1 python3-samba=2:4.11.6+dfsg-0ubuntu1 samba-dsdb-modules=2:4.11.6+dfsg-0ubuntu1 samba-vfs-modules=2:4.11.6+dfsg-0ubuntu1 libldb2=2:2.0.8-2 python3-ldb=2:2.0.8-2 smbclient=2:4.11.6+dfsg-0ubuntu1 winbind=2:4.11.6+dfsg-0ubuntu1 libsmbclient=2:4.11.6+dfsg-0ubuntu1 libnss-winbind=2:4.11.6+dfsg-0ubuntu1 libpam-winbind=2:4.11.6+dfsg-0ubuntu1

Do you have any logs of the failures you were seeing?

Yes, in attached file "smb_fail.txt", logs from /var/log/samba/log.samba when authentication fails (samba 2:4.13.17~dfsg-0ubuntu1.20.04.4), "log level = 3" in "[global]" in /etc/samba/smb.conf

Same logs when authentication succeeds with samba 2:4.13.17~dfsg-0ubuntu1.20.04.2

When authentication fails, I can see errors in Security section of Windows Event Viewer related to "Negotiate"

With my Samba 4, I get the same issue.
Is there a quick fix to eliminate the problem? or is downgrading the packages the only option?

Thank you

I will be releasing an update later today with the security fixes reverted until we track down the regression.

This bug was fixed in the package samba - 2:4.13.17~dfsg-0ubuntu1.20.04.5

---------------
samba (2:4.13.17~dfsg-0ubuntu1.20.04.5) focal-security; urgency=medium

  * SECURITY UPDATE: Multiple regressions (LP: #2003867) (LP: #2003891)
    - debian/patches/series: disable all security fixes from the previous
      update pending further investigation. This reverts the following
      CVEs: CVE-2022-3437, CVE-2022-42898, CVE-2022-45141, CVE-2022-38023,
      CVE-2022-37966, CVE-2022-37967.

 -- Marc Deslauriers <email address hidden> Thu, 26 Jan 2023 09:03:40 -0500

I have reverted the update for now, but am reopening this bug so we can fix the regression and publish a new update soon.

This bug was fixed in the package samba - 2:4.13.17~dfsg-0ubuntu1.20.04.5

---------------
samba (2:4.13.17~dfsg-0ubuntu1.20.04.5) focal-security; urgency=medium

  * SECURITY UPDATE: Multiple regressions (LP: #2003867) (LP: #2003891)
    - debian/patches/series: disable all security fixes from the previous
      update pending further investigation. This reverts the following
      CVEs: CVE-2022-3437, CVE-2022-42898, CVE-2022-45141, CVE-2022-38023,
      CVE-2022-37966, CVE-2022-37967.

 -- Marc Deslauriers <email address hidden> Thu, 26 Jan 2023 09:03:40 -0500

I have updated to 2:4.13.17~dfsg-0ubuntu1.20.04.5 and I confirm it fixes the bug.

Reopening this bug to track the progress in locating the regression.

The following update that was published today should fix the security issues without reintroducing this bug:

https://ubuntu.com/security/notices/USN-5936-1

I am closing this bug, if the issue persists with the new version, please don't hesitate to reopen it again.