Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: sa...@packages.debian.org, pkg-samba-de...@lists.alioth.debian.org
Control: affects -1 + src:samba

[ Reason ]
Microsoft released the Jul-2023 updates for current Windows versions, with some changes in the auth/trust process. This revealed a bug in samba, which results in a serious loss of service not only within samba itself but also within the whole Windows domain network, resulting in users not being able to log in to their Windows computers anymore. This is tracked in the samba bug tracker, see https://bugzilla.samba.org/show_bug.cgi?id=15418 and on the samba mailing list. A lot of users are affected worldwide.

The problem is that with this update, Windows started trying to negotiate a new security level (l2) which isn't documented. Per the specs, an implementation should reject unknown security levels with an "unsupported" error, so the client trying a new level knows it is not supported. But samba does not reject it immediately and tries to process it, just to reject it later with a different error. As a result, Windows treats this as an actual trust error instead of an unsupported optional feature.

[ Impact ]
Many users are affected worldwide after the current Windows update has been installed, being unable to log in to their Windows computers.

[ Tests ]
The fix has been verified by multiple independent users. I can confirm the updated package fixes the issue on our site too.

[ Risks ]
The change is rather simple: it just moves the check for the unsupported level to be one of the first checks and returns the correct code immediately instead of trying to process an unknown-format request.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
(See debdiff below)

[ Other info ]
The same fix is already uploaded to sid (for the version of samba in sid) and is released by other major distributions. The fix is on top of a previous bookworm-pu update which has been discussed and accepted previously.
I'm uploading the updated package while sending this email, hopefully it is okay. Thanks, /mjt diff -Nru samba-4.17.9+dfsg/debian/changelog samba-4.17.9+dfsg/debian/changelog --- samba-4.17.9+dfsg/debian/changelog 2023-07-09 09:44:29.000000000 +0300 +++ samba-4.17.9+dfsg/debian/changelog 2023-07-14 12:34:30.000000000 +0300 @@ -1,3 +1,11 @@ +samba (2:4.17.9+dfsg-0+deb12u3) bookworm; urgency=medium + + * +fix-unsupported-netr_LogonGetCapabilities-l2.patch + Fix windows logon/trust issues with 2023-07 windows updates: + https://bugzilla.samba.org/show_bug.cgi?id=15418 + + -- Michael Tokarev <m...@tls.msk.ru> Fri, 14 Jul 2023 12:34:30 +0300 + samba (2:4.17.9+dfsg-0+deb12u2) bookworm; urgency=medium * link with -latomic explicitly on a few architectures where gcc misses it diff -Nru samba-4.17.9+dfsg/debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch samba-4.17.9+dfsg/debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch --- samba-4.17.9+dfsg/debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.17.9+dfsg/debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch 2023-07-14 12:33:32.000000000 +0300 
@@ -0,0 +1,68 @@ +From af355243e55a4baf17126339eb66432d438c4f16 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <me...@samba.org> +Date: Fri, 14 Jul 2023 10:20:05 +0200 +Subject: [PATCH] s3+s3/rpc_server: fix unsupported netr_LogonGetCapabilities + level 2 +Origin: upstream, https://bugzilla.samba.org/attachment.cgi?id=17983 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 9 +++++---- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 3ba58e61206f..2018dc28eb67 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, + struct netlogon_creds_CredentialState *creds; + NTSTATUS status; + ++ if (r->in.query_level != 1) { ++ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; ++ return NT_STATUS_NOT_SUPPORTED; ++ } ++ + become_root(); + status = dcesrv_netr_creds_server_step_check(p->dce_call, + p->mem_ctx, +@@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, + return status; + } + +- if (r->in.query_level != 1) { +- return NT_STATUS_NOT_SUPPORTED; +- } +- + r->out.capabilities->server_capabilities = creds->negotiate_flags; + + return NT_STATUS_OK; +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 6ccba65d3bf0..c869a6d3c791 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c + struct netlogon_creds_CredentialState *creds; + NTSTATUS status; + ++ if (r->in.query_level != 1) { ++ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG); ++ } ++ + status = 
dcesrv_netr_creds_server_step_check(dce_call, + mem_ctx, + r->in.computer_name, +@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c + } + NT_STATUS_NOT_OK_RETURN(status); + +- if (r->in.query_level != 1) { +- return NT_STATUS_NOT_SUPPORTED; +- } +- + r->out.capabilities->server_capabilities = creds->negotiate_flags; + + return NT_STATUS_OK; +-- +2.41.0 diff -Nru samba-4.17.9+dfsg/debian/patches/series samba-4.17.9+dfsg/debian/patches/series --- samba-4.17.9+dfsg/debian/patches/series 2023-07-09 09:44:29.000000000 +0300 +++ samba-4.17.9+dfsg/debian/patches/series 2023-07-14 12:33:32.000000000 +0300 @@ -24,3 +24,4 @@ meaningful-error-if-no-python3-markdown.patch ctdb-use-run-instead-of-var-run.patch heimdal-to-support-KEYRING-ccache.patch +fix-unsupported-netr_LogonGetCapabilities-l2.patch
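Review bot: in the srv_netlog_nt.c hunk the moved `query_level != 1` check now runs before `dcesrv_netr_creds_server_step_check`, so an unsupported level is rejected without stepping or validating the client's netlogon credential chain; that ordering is the point of the fix, but the patch description should spell out that callers now get a DCERPC fault (`p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG`) rather than the bare `NT_STATUS_NOT_SUPPORTED` status the removed block returned after the credential step, since that difference is exactly what makes Windows treat the level as unsupported instead of as a trust failure.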
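Review bot: the patch Subject reads "s3+s3/rpc_server" while the file list shows `source3/rpc_server/netlogon/srv_netlog_nt.c` and `source4/rpc_server/netlogon/dcerpc_netlogon.c`, so it should say "s3+s4/rpc_server". The dcerpc_netlogon.c hunk itself mirrors the source3 change: `DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG)` both records the fault and returns, so no explicit return is needed there, and after this patch both servers reject `query_level != 1` before the credential step with the same fault code.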