** Description changed:

[ Impact ]

Windows update KB5028166[1] broke the secure channel in trust relationships between Windows workstations and Samba domain controllers. This manifests itself in widespread domain user authentication problems, most notably remote desktop access.

[ Test Plan ]

This test plan requires a Windows 10 or 11 machine joined to a Samba AD DC. Windows should be fully up-to-date. In particular, KB5028166[1] must be installed.

There are two test cases described here: a simple one, with a very specific check that requires just one command on the Windows PowerShell interface, and a more elaborate one that contains a user story involving remote desktop.

a) Test the secure channel between Windows and the domain controller[2]

- open a PowerShell window
- run this command:

Test-ComputerSecureChannel -Verbose

With an unpatched Samba AD DC, the output of the above command will be "False" and report a broken secure channel:

"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""

With the Samba AD DC patched with this update, the output will be "True" and report a good secure channel:

"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""

b) Access the Windows machine via remote desktop

- on the Windows machine, enable remote desktop services for the domain users.
Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check).
- log out from Windows
- from another Ubuntu system that can reach the Windows machine on port 3389 (it doesn't have to have any relationship with the domain), install vinagre:

sudo apt install vinagre

- launch it from the terminal (not the desktop launcher). We want to see its log messages, and they will show up in the terminal it was launched from.
- click connect, select the RDP protocol, and type in the IP of the Windows machine and the domain user credentials

With an unpatched Samba AD DC, the connection will fail, and the terminal where vinagre was launched from will print this error message:

[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server

The key here is that the trust relationship is broken.

- With a patched Samba AD DC, the remote desktop connection will accept the credentials and work.

1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

[ Where problems could occur ]

- * Think about what the upload changes in the software. Imagine the change is
- wrong or breaks something else: how would this show up?
+ The patches went through some iterations, but have stabilized now and
+ are committed to samba upstream. There is more work to be done
+ (https://bugzilla.samba.org/show_bug.cgi?id=15425), but the more urgent
+ fix is what is presented here and in the latest samba upstream releases.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ Problems that can happen here are, in no particular order:
+ - break domain trust entirely
+ - Microsoft publishes another patch in reaction to this which changes behavior once again
+ - more follow-up fixes are necessary

- * This must '''never''' be "None" or "Low", or entirely an argument as to why
- your upload is low risk.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.

[ Other Info ]

- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ Given the urgency of this fix, I published a PPA and this bug report has
+ comments stating that real life deployments were fixed by this update.

[Original Description]

This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418

The impact of this issue is that a Windows 10/11 machine joined to a Samba AD DC domain will not allow NTLM-based logins (e.g. FreeRDP, shared folders on the Windows 10 machine) using domain accounts.

There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.

For Ubuntu we will very probably need an SRU for all supported LTS releases.
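The two checks from the test plan above (the Test-ComputerSecureChannel run in case a and the FreeRDP NTSTATUS line in case b), combined into one script a tester can keep next to the SRU verification. This is an added example, not code from the bug report, from Samba or from Microsoft. It assumes it runs in PowerShell on the domain-joined Windows 10/11 workstation, that Get-HotFix can see KB5028166 on that machine, and that the FreeRDP output is pasted or read in from the vinagre terminal; the log lines embedded below are constructed from the shape of the one quoted in the test plan.

```powershell
# Added example for the SRU test plan above; not code from the bug report,
# from Samba, or from Microsoft. Assumes it runs on the domain-joined
# Windows 10/11 workstation in PowerShell 5.1 or later.

function Get-SecureChannelReport {
    # Test case (a): correlate the presence of KB5028166 (the update named in
    # the bug) with the netlogon secure channel state reported by Windows.
    $kb = Get-HotFix -Id 'KB5028166' -ErrorAction SilentlyContinue
    $channelOk = Test-ComputerSecureChannel -Verbose

    $verdict = if ($channelOk) {
        'secure channel OK: DC accepts the netlogon exchange'
    } elseif ($kb) {
        'KB5028166 installed and channel broken: check the Samba DC patch level (bug 15418)'
    } else {
        'channel broken without KB5028166: cause is unrelated to this update'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Domain           = $env:USERDNSDOMAIN
        KB5028166Present = [bool]$kb
        SecureChannelOk  = $channelOk
        Verdict          = $verdict
    }
}

function Find-TrustFailure {
    # Test case (b): scan FreeRDP/vinagre terminal output for NTSTATUS values
    # and flag STATUS_TRUSTED_RELATIONSHIP_FAILURE (0xC000018D), the code the
    # test plan says an unpatched DC produces.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'NTSTATUS: (?<name>STATUS_\w+) \[(?<code>0x[0-9A-Fa-f]{8})\]') {
            [pscustomobject]@{
                Timestamp   = ($line -split '\] ')[0].TrimStart('[')
                Status      = $Matches.name
                Code        = $Matches.code
                TrustBroken = ($Matches.code -ieq '0xC000018D')
            }
        }
    }
}

# Constructed sample: one line shaped like the FreeRDP warning quoted in the
# test plan, plus an unrelated line that must not be reported.
$sampleLog = @(
    '[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server',
    '[11:02:48:251] [2029009:2029009] [INFO][com.freerdp.core] - connection closed'
)

Get-SecureChannelReport | Format-List
Find-TrustFailure -Lines $sampleLog | Format-Table -AutoSize
```

For a real run of case (b), redirect the vinagre terminal output to a file on the Ubuntu side and feed it to Find-TrustFailure with Get-Content on the Windows side (or any machine with PowerShell); the function only needs the text lines, not a connection. The three-way verdict in Get-SecureChannelReport is what separates this bug from other secure-channel failures: only the combination "KB5028166 present and channel broken" points at the DC-side fix described in this report.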
** Bug watch added: Debian Bug tracker #1041043
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041043

** Changed in: samba (Debian)
   Remote watch: Samba Bugzilla #15418 => Debian Bug tracker #1041043

** Also affects: samba via
   https://bugzilla.samba.org/show_bug.cgi?id=15418
   Importance: Unknown
       Status: Unknown

--
https://bugs.launchpad.net/bugs/2027716

Title:
  samba dc ntlm netlogin issue with windows 10/11 2023-07 cumulative update

