[SRU] winbind authentication fails after karmic upgrade

Bug #479955 reported by Chris Allen on 2009-11-10
40
This bug affects 6 people
Affects Status Importance Assigned to Milestone
samba
Fix Released
Unknown
samba (Ubuntu)
High
Unassigned
Nominated for Lucid by r12056
Karmic
High
Unassigned

Bug Description

Binary package hint: samba

One of our users upgraded their Ubuntu workstation to 9.10 and they can no longer authenticate via pam_winbind with the domain controller (Samba 3.3.7).

# apt-cache policy winbind
winbind:
  Installed: 2:3.4.0-3ubuntu5
  Candidate: 2:3.4.0-3ubuntu5
  Version table:
 *** 2:3.4.0-3ubuntu5 0
        500 http://gb.archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status

After the upgrade, the following messages appear in the winbind log every five minutes:

[2009/11/10 11:45:01, 0] libsmb/ntlmssp_sign.c:208(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2009/11/10 11:45:01, 0] rpc_client/cli_pipe.c:620(cli_pipe_verify_ntlmssp)
  cli_pipe_verify_ntlmssp: failed to unseal packet from host SKIPPY. Error was NT_STATUS_ACCESS_DENIED.

Attempting to authenticate results in the following:

# wbinfo -a chrisa
Enter chrisa's password:
plaintext password authentication failed
Could not authenticate user chrisa with plaintext password
Enter chrisa's password:
challenge/response password authentication failed
error code was NT code 0x1c010002 (0x1c010002)
error messsage was: NT code 0x1c010002
Could not authenticate user chrisa with challenge/response

And this message appears in the winbind log:

[2009/11/10 11:44:58, 1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host SKIPPY!

This appears to match the behaviour mentioned in the upstream bug #6646 which was fixed in Samba 3.4.1:
  https://bugzilla.samba.org/show_bug.cgi?id=6646

Patch looks quite trivial. Would it be possible to backport it?

Thanks,
Chris

Thierry Carrez (ttx) wrote :

Fixed in Lucid (3.4.2). Nominating for Karmic.

Changed in samba (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in samba (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → High
Changed in samba:
status: Unknown → Fix Released
Chuck Short (zulcss) on 2010-02-05
Changed in samba (Ubuntu Karmic):
status: Triaged → In Progress
Chuck Short (zulcss) on 2010-02-05
summary: - winbind authentication fails after karmic upgrade
+ [SRU] winbind authentication fails after karmic upgrade
Chuck Short (zulcss) wrote :

Statement of Impact: Karmic shipped a samba bug that when trying to authenticate with a bidirectional Samba PDC, winbind authentication will fail with the following error message " NT code 0x1c010002".

How this has been addressed: This has been fixed in upstream and in lucid. The bug report was https://bugzilla.samba.org/show_bug.cgi?id=6646. I have backported the patch, attached to this bug report.

How to reproduce:

1. Setup a Samba PDC
2. Try to authenticate by doing the following: wbinfo -a <username>%<domain>

There should not be any regressions with this patch.

If you have any questions please let me know.

Regards
chuck

Accepted samba into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in samba (Ubuntu Karmic):
status: In Progress → Fix Committed
tags: added: verification-needed
Konna77 (konsta) on 2010-03-02
description: updated
Chris Allen (bazza) wrote :

Tested update from karmic-proposed - appears to work now. Thanks guys!

Martin Pitt (pitti) on 2010-03-16
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.4.0-3ubuntu5.5

---------------
samba (2:3.4.0-3ubuntu5.5) karmic-proposed; urgency=low

  * debian/patches/fix-libsmb-keepalive-packets.patch: Fix winbind authentication
    due to an invalid NTML2 signature. (LP: #479955)
    (https://bugzilla.samba.org/show_bug.cgi?id=6646)
  * debian/patches/fix-samba-point-and-print.patch: Allow automatic download
    of printer drivers from a Samba PDC (LP: #500457)
    (https://bugzilla.samba.org/show_bug.cgi?id=6568)
  * debian/patches/fix-too-many-openfiles.patch: When connecting to a Windows
    7 share users will get an error message "Too many open files are in use"
    after a certain number of files are copied. (LP: #462172 )
    (https://bugzilla.samba.org/show_bug.cgi?id=6837)
  * debian/patches/fix-win98-failed-connect.patch: Allow win98 clients to
    connect a samba server. Users will get an "Error 66" message. (LP: #502878)
    (https://bugzilla.samba.org/show_bug.cgi?id=6551)
 -- Chuck Short <email address hidden> Fri, 05 Feb 2010 15:03:50 -0500

Changed in samba (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in samba:
importance: Unknown → Critical
Changed in samba:
importance: Critical → Unknown
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.