[Pkg-samba-maint] Bug#1041037: bookworm-pu: package samba/2:4.17.9+dfsg-0+deb12u3

Michael Tokarev mjt at tls.msk.ru
Fri Jul 14 10:52:04 BST 2023


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: samba at packages.debian.org, pkg-samba-devel at lists.alioth.debian.org
Control: affects -1 + src:samba

[ Reason ]
Microsoft released Jul-2023 updates for current windows versions,
with some changes in the auth/trust process. This revealed a bug
in samba, which results in a serious loss of service not only within
samba itself but also within the whole windows domain network, resulting
in users not being able to log in to their windows computers anymore.

This is tracked in the samba bug tracker, see
https://bugzilla.samba.org/show_bug.cgi?id=15418
and on the samba mailing list. A lot of users are affected worldwide.

The problem is that with this update, windows started trying to negotiate
a new security level (l2) which isn't documented.  Per the specs, an
implementation should reject unknown security levels with "unsupported"
error, so the client trying a new level knows it is not supported.  But
samba does not reject it immediately and tries to process it, just to reject
it later with a different error.  As a result, windows treats this as
an actual trust error instead of an unsupported optional feature.

[ Impact ]
Many users are affected worldwide after the current windows update has
been installed, being unable to log in to their windows computers.

[ Tests ]
The fix has been verified by multiple independent users. I can confirm
the updated package fixes the issue on our site too.

[ Risks ]
The change is rather simple: it is just moving the check for an unsupported
level to be one of the first checks and returning the correct code immediately
instead of trying to process an unknown-format request.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
(See debdiff below)

[ Other info ]
The same fix is already uploaded to sid (for the version of samba in sid)
and is released by other major distributions.  The fix is on top of a previous
bookworm-pu update which has been discussed and accepted previously.

I'm uploading the updated package while sending this email,
hopefully it is okay.

Thanks,

/mjt

diff -Nru samba-4.17.9+dfsg/debian/changelog samba-4.17.9+dfsg/debian/changelog
--- samba-4.17.9+dfsg/debian/changelog	2023-07-09 09:44:29.000000000 +0300
+++ samba-4.17.9+dfsg/debian/changelog	2023-07-14 12:34:30.000000000 +0300
@@ -1,3 +1,11 @@
+samba (2:4.17.9+dfsg-0+deb12u3) bookworm; urgency=medium
+
+  * +fix-unsupported-netr_LogonGetCapabilities-l2.patch
+    Fix windows logon/trust issues with 2023-07 windows updates:
+    https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+ -- Michael Tokarev <mjt at tls.msk.ru>  Fri, 14 Jul 2023 12:34:30 +0300
+
 samba (2:4.17.9+dfsg-0+deb12u2) bookworm; urgency=medium
 
   * link with -latomic explicitly on a few architectures where gcc misses it
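Review bot: The new entry for 2:4.17.9+dfsg-0+deb12u3 names the patch file and the symptom but not what the patch changes. One more line saying that netr_LogonGetCapabilities now rejects query levels other than 1 up front, with a DCERPC fault, would let someone reading only the changelog judge the update.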
diff -Nru samba-4.17.9+dfsg/debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch samba-4.17.9+dfsg/debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch
--- samba-4.17.9+dfsg/debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.9+dfsg/debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch	2023-07-14 12:33:32.000000000 +0300
@@ -0,0 +1,68 @@
+From af355243e55a4baf17126339eb66432d438c4f16 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Fri, 14 Jul 2023 10:20:05 +0200
+Subject: [PATCH] s3+s3/rpc_server: fix unsupported netr_LogonGetCapabilities
+ level 2
+Origin: upstream, https://bugzilla.samba.org/attachment.cgi?id=17983
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c   | 9 +++++----
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 3ba58e61206f..2018dc28eb67 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ 	struct netlogon_creds_CredentialState *creds;
+ 	NTSTATUS status;
+ 
++	if (r->in.query_level != 1) {
++		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
++		return NT_STATUS_NOT_SUPPORTED;
++	}
++
+ 	become_root();
+ 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
+ 						p->mem_ctx,
+@@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ 		return status;
+ 	}
+ 
+-	if (r->in.query_level != 1) {
+-		return NT_STATUS_NOT_SUPPORTED;
+-	}
+-
+ 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+ 
+ 	return NT_STATUS_OK;
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 6ccba65d3bf0..c869a6d3c791 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ 	struct netlogon_creds_CredentialState *creds;
+ 	NTSTATUS status;
+ 
++	if (r->in.query_level != 1) {
++		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
++	}
++
+ 	status = dcesrv_netr_creds_server_step_check(dce_call,
+ 						     mem_ctx,
+ 						     r->in.computer_name,
+@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ 	}
+ 	NT_STATUS_NOT_OK_RETURN(status);
+ 
+-	if (r->in.query_level != 1) {
+-		return NT_STATUS_NOT_SUPPORTED;
+-	}
+-
+ 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+ 
+ 	return NT_STATUS_OK;
+-- 
+2.41.0
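Review bot: The new `query_level != 1` checks at the top of `_netr_LogonGetCapabilities` (source3) and `dcesrv_netr_LogonGetCapabilities` (source4) have no comment explaining why they must precede `dcesrv_netr_creds_server_step_check()`, or why the result is now the fault `DCERPC_NCA_S_FAULT_INVALID_TAG` where the removed lines only returned `NT_STATUS_NOT_SUPPORTED`. A short comment in both places, naming the client behaviour it addresses, would keep a later cleanup from moving the check back below the credential step. Because the early return now happens before the credential check is called, the patch description should also say that an unsupported level is rejected before the caller's authenticator is examined. Two smaller points: the Subject reads "s3+s3/rpc_server" while the diffstat touches source3 and source4, so "s3+s4" was presumably meant, and the patch carries no test that sends level 2 and checks for the fault.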
diff -Nru samba-4.17.9+dfsg/debian/patches/series samba-4.17.9+dfsg/debian/patches/series
--- samba-4.17.9+dfsg/debian/patches/series	2023-07-09 09:44:29.000000000 +0300
+++ samba-4.17.9+dfsg/debian/patches/series	2023-07-14 12:33:32.000000000 +0300
@@ -24,3 +24,4 @@
 meaningful-error-if-no-python3-markdown.patch
 ctdb-use-run-instead-of-var-run.patch
 heimdal-to-support-KEYRING-ccache.patch
+fix-unsupported-netr_LogonGetCapabilities-l2.patch


