5

Today I updated our Ubuntu server which is also the primary (and only) domain controller to the latest Samba packages which fixed a few security vulnerabilities. The following packages were updated:

  • libpam-winbind:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
  • smbclient:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
  • libwbclient0:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
  • libpam-smbpass:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
  • samba-common:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
  • samba:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
  • winbind:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
  • samba-common-bin:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)

(from /var/log/apt/history.log)

After the update, everybody who rebooted his Windows 7 or 8.1 PC could no longer log into the domain. The error message displayed is "the trust relationship between this workstation and the primary domain failed".

The first thing I tried was removing the affected computer from the domain and adding it again. This used to solve this kind of issue, but not this time. There was no error during this process, but it didn't help either: Logging in with a domain account still fails.

Logging in with a local account and then accessing the shares works fine.

The following error is written repeatedly to /var/log/samba/log.

[2016/04/19 11:49:09.975677, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $

Googling and Binging (using Bing) so far only found two hits without a solution.

I urgently need a solution, because the number of affected workstations will probably grow fast.

Any hints?

Edit:

I'm not alone: https://askubuntu.com/questions/759123/samba-23-6-25-0ubuntu0-12-04-2-as-pdc-samba3-nt4-domain-windows-machines-lost

But as of now, there are no answers there either.

dummzeuch
  • I would imagine that all your clients and samba servers belong to the same domain, yeah? – koullislp Apr 20 '16 at 08:30
  • Yes. Added this information to the question. – dummzeuch Apr 20 '16 at 11:46
  • Ok, in this case since you updated all your samba packages including winbind I would re-join the server to the domain and restart the smb/winbind processes. This will kill all active connections though, so keep that in mind. – koullislp Apr 20 '16 at 12:00
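
To see which workstations are being rejected and how quickly the list grows, the netlogon failure from the question's log can be tallied per machine account. This is an added example, not part of the original post; the workstation names in the sample are constructed, and the header-then-message layout is an assumption about how Samba 3.x writes its log.

```python
import re

# Assumption: Samba 3.x logs a "[timestamp, level] file:line(function)" header and
# puts the message on the next, indented line; the question shows both on one line.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]")
# The client name may be missing (as in the line quoted in the question).
FAILURE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request "
    r"from client\s+(?:\S+\s+)?machine account\s+(?P<account>\S+)"
)

def rejected_machines(lines):
    """Map machine account -> (rejections, first timestamp, last timestamp)."""
    stats = {}
    last_ts = None  # timestamp of the most recent header line
    for line in lines:
        header = HEADER.match(line)
        if header:
            last_ts = header.group(1)
        hit = FAILURE.search(line)
        if hit is None:
            continue
        account = hit.group("account")
        count, first, _ = stats.get(account, (0, last_ts, last_ts))
        stats[account] = (count + 1, first, last_ts)
    return stats

# Constructed sample: WS01/WS02 are made-up workstation names, not from the question.
SAMPLE_LOG = """\
[2016/04/19 11:49:09.975677,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
[2016/04/19 11:49:40.120001,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS02 machine account WS02$
[2016/04/19 11:52:03.000412,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
[2016/04/19 11:53:00.000000,  3] constructed/unrelated.c:1(unrelated)
  constructed message that must be ignored
""".splitlines()

if __name__ == "__main__":
    # On the server, pass open("/var/log/samba/<logfile>") instead of SAMPLE_LOG.
    for account, (count, first, last) in sorted(rejected_machines(SAMPLE_LOG).items()):
        print(f"{account}: {count} rejected, first {first}, last {last}")
```

Running it before and after a package change shows whether new machine accounts are still being added to the rejected set.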

5 Answers

3

What helped so far as a temporary workaround was installing the old packages again. The method I chose was downloading the files from the appropriate links from https://launchpad.net/ubuntu/+source/samba/2:3.6.3-2ubuntu2 and then installing them using

dpkg -i libpam-smbpass_3.6.3-2ubuntu2.17_amd64.deb libpam-winbind_3.6.3-2ubuntu2.17_amd64.deb libwbclient0_3.6.3-2ubuntu2.17_amd64.deb samba-common_3.6.3-2ubuntu2.17_all.deb samba_3.6.3-2ubuntu2.17_amd64.deb winbind_3.6.3-2ubuntu2.17_amd64.deb samba-common-bin_3.6.3-2ubuntu2.17_amd64.deb

This restored the previous state, all workstations could authenticate the users again.

As I said: This is a temporary workaround. Since the update was a security update, I still need a solution that works with the update.

dummzeuch
1

This is a regression introduced with the latest Samba updates (the ones which also fixed the Badlock vulnerability).

A temporary solution (other than downgrading) might be to set

server signing = auto

in your smb.conf (don't forget to restart the samba service after that). Unfortunately this only fixed logins for existing users for me. It didn't help for new users who had never logged into the domain before (if I remember right, I got a "No logon servers available..." for these).

One Samba guy working at Red Hat says they have a working fix for that problem. I guess Red Hat will release that fix soon and I would expect it will be distributed for other distributions too.

0x80
1

Ubuntu seems to have fixed this problem with the following update:

http://www.ubuntu.com/usn/usn-2950-3/

released on 2016-05-04.

"USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues.

This update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. Backported regression fixes were added to Samba 3.6.25 in Ubuntu 12.04 LTS."

I installed it today and the problem is gone.

dummzeuch
0

Possibly related; see my answer there: Samba Share user/password error after update

I will update this answer, if this is indeed the solution.

  • client use spnego=no should only affect smbclient, according to the smb.conf documentation. Winbind is already installed on that server, so it might be related (same cause), but the answers didn't solve my problem. Thanks anyway. – dummzeuch Apr 20 '16 at 19:15
  • Yes, I would have put it as a comment instead of an answer but could not because of reputation ;) -- I was hoping that it might lead in the right direction. Did you check whether any other standard values changed in smb.conf (and therefore would need to be set explicitly back to the old default value)? – stack_horst Apr 21 '16 at 12:30
0

There is another workaround I got from Red Hat:

If you are using Win 7 or Win 10, just unplug the network cable (or disable WiFi), then log in. It's similar to a local login (versus a network login). Once you've logged in you can re-plug in the network cable and use your resources as normal. Also, turn off the sleep mode with password required so you're not forced to log back in each time your system goes to sleep.

I haven't tried it but it might just work. (It probably also works for Windows 8(.1).)

dummzeuch