Bug 1327761

Summary: Domain authentication broken after 4.2.11/4.3.8/4.4.2 security update
Product: [Fedora] Fedora
Reporter: Michael Cronenworth <mike>
Component: samba
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: abokovoy, asn, eliadevito, frederic.lebel, gdeschner, jarrpa, jeff, jlayton, lmohanty, madam, mark, sbose, ssorce
Keywords: Reopened
Hardware: x86_64
OS: Linux
Fixed In Version: samba-4.4.3-1.fc24 samba-4.3.9-0.fc23 samba-4.2.12-0.fc22
Doc Type: Bug Fix
Last Closed: 2016-05-15 05:31:41 UTC
Type: Bug

Description Michael Cronenworth 2016-04-15 21:27:34 UTC
Description of problem: When a share is accessed, Windows clients report a strange message about the location being mounted somewhere else and do not show the share.

On the file share system side this message is output to the log and repeated every time a share is accessed.

Apr 15 15:51:12 miracle smbd[6205]: [2016/04/15 15:51:12.432258,  0] ../source3/auth/auth_domain.c:265(domain_client_validate)
Apr 15 15:51:12 miracle smbd[6205]:  domain_client_validate: Domain password server not available.


Version-Release number of selected component (if applicable):
samba-4.2.11-0.fc22


Rolling back to 4.2.9-0.fc22 allows shares to work again. No errors are emitted to the system log.

The file share system is running as a client. It has a "password server = " entry pointing to a real Windows Server 2012 system.

Comment 1 Michael Cronenworth 2016-04-18 15:01:12 UTC
This also occurs with the 4.3.8 update between two domain members. Downgrading to 4.3.6 fixes it.

security = ads

Comment 2 Jeffrey C. Ollie 2016-04-18 19:50:00 UTC
Could the badlock patches also account for why I'm unable to access CIFS shares on a NetApp?  I get the following from both Fedora 23 and Fedora 24 servers:

smbclient -U jcollie -W DMACC '//10.21.144.70/Depts'
Enter jcollie's password: 
ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible downgrade detected! missing_flags[0x00000010] - NT code 0x80090302
  NTLMSSP_NEGOTIATE_SIGN
SPNEGO(ntlmssp) login failed: NT code 0x80090302
session setup failed: NT code 0x80090302

But the same command works just fine from a Fedora 20 system I still have (which obviously doesn't have the badlock patches).  I need to verify with our NetApp admins but I don't believe that any patches for badlock have been applied to our NetApps.

Comment 3 Jeffrey C. Ollie 2016-04-18 20:10:38 UTC
Verified that downgrading the Samba packages to 4.4.0-0.7.rc4.fc24 allows me to connect to our NetApp CIFS shares.  I've verified with our NetApp admin that the BadLock patches available from NetApp have not been applied.

Comment 4 Andreas Schneider 2016-04-19 07:01:17 UTC
Jeffrey: You have a completely different issue. Please don't take over bug reports. Talk to NetApp and tell them they should support packet integrity for NTLMSSP. See CVE-2016-2110.

Michael: The issue is known, I linked the upstream Samba bug.
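
Added example (not part of the original thread, and not Samba's code): a small Python decoder for the `ntlmssp_handle_neg_flags` line quoted in comment 2, showing which NTLMSSP flags the server offered in its challenge and that the one the patched client reports missing is the signing (packet integrity) flag named in comment 4. Flag names and values follow MS-NLMP; the function names `flag_names` and `parse_downgrade_line` are hypothetical.

```python
import re

# Subset of the NTLMSSP negotiate flags from MS-NLMP; other bits print as hex.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

LINE_RE = re.compile(r"challenge flags\[0x([0-9a-fA-F]+)\].*?"
                     r"missing_flags\[0x([0-9a-fA-F]+)\]")

def flag_names(mask):
    """Names of the bits set in mask, lowest bit first."""
    bits = [1 << i for i in range(32) if mask & (1 << i)]
    return [NTLMSSP_FLAGS.get(b, f"UNKNOWN_0x{b:08x}") for b in bits]

def parse_downgrade_line(line):
    """Decode one ntlmssp_handle_neg_flags log line; None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    challenge, missing = (int(g, 16) for g in m.groups())
    return {
        "offered": flag_names(challenge),
        "missing": flag_names(missing),
        # A flag logged as missing must be absent from the server's challenge.
        "consistent": (challenge & missing) == 0,
    }

# Log line quoted in comment 2 above.
SAMPLE = ("ntlmssp_handle_neg_flags: Got challenge flags[0x60898205] - possible "
          "downgrade detected! missing_flags[0x00000010] - NT code 0x80090302")

if __name__ == "__main__":
    print(parse_downgrade_line(SAMPLE))
```

For the quoted line, the challenge carries `NTLMSSP_NEGOTIATE_ALWAYS_SIGN` and `NTLMSSP_NEGOTIATE_KEY_EXCH` but neither `NTLMSSP_NEGOTIATE_SIGN` nor `NTLMSSP_NEGOTIATE_SEAL`.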

Comment 5 Michael Cronenworth 2016-04-19 13:06:57 UTC
(In reply to Andreas Schneider from comment #4)
> Michael: The issue is known, I linked the upstream Samba bug.

Is this the correct bug report? The comments do not describe any of the behavior I am seeing. I've tried searching the upstream bugzilla and I cannot find any similar reports.

Comment 6 Andreas Schneider 2016-04-22 07:05:39 UTC
I've linked the wrong one, sorry.

Comment 7 Fedora Update System 2016-05-03 07:21:43 UTC
samba-4.4.3-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-027ba01a67

Comment 8 Fedora Update System 2016-05-03 07:28:09 UTC
samba-4.3.9-0.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-3c32a2067e

Comment 9 Fedora Update System 2016-05-03 11:23:24 UTC
samba-4.4.3-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-027ba01a67

Comment 10 Fedora Update System 2016-05-03 15:18:08 UTC
samba-4.2.12-0.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-828f77de70

Comment 11 Fedora Update System 2016-05-04 06:52:50 UTC
samba-4.2.12-0.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-828f77de70

Comment 12 Fedora Update System 2016-05-07 11:41:00 UTC
samba-4.4.3-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-05-13 05:32:37 UTC
samba-4.3.9-0.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3c32a2067e

Comment 14 Fedora Update System 2016-05-15 05:31:34 UTC
samba-4.3.9-0.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-05-31 19:52:57 UTC
samba-4.2.12-0.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.