Bug 2222250

Summary: The trust relationship between this workstation and the primary domain failed
Product: Red Hat Enterprise Linux 7 Reporter: bunkobugsy <admin>
Component: sambaAssignee: Andreas Schneider <asn>
Status: VERIFIED --- QA Contact: Denis Karpelevich <dkarpele>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.9CC: aboscatt, asn, atikhono, dkarpele, jwboyer, msugaya, pfilipen, rvdwees, snagar
Target Milestone: rcKeywords: Regression, Triaged
Target Release: ---Flags: asn: needinfo? (snagar)
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: samba-4.10.16-25.el7_9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2222883 2222884 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2222883, 2222884    
Attachments:
Description Flags
srv_netlog_nt.patch
none
dcerpc_netlogon.patch
none
correct patch built and tested for samba-4.10.16-24.el7_9.src.rpm none

Description bunkobugsy 2023-07-12 12:09:49 UTC 
Description of problem:

"The trust relationship between this workstation and the primary domain failed." on domain logon or net connect to Windows 10/11 PDC joined workstations since July 2023 updates KB5028166 / KB5028185

https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25#timing5021130

Version-Release number of selected component (if applicable): samba-4.10.16-24.el7_9.x86_64

How reproducible: every time


Steps to Reproduce:
1. apply KB5028166 / KB5028185 on Windows 10/11
2. restart Windows 10/11
3. try to login with domain user

Actual results: 

Error message: "The trust relationship between this workstation and the primary domain failed."

Expected results: Successful login of domain user.

Additional info: No connection to PDC will let user login for now.

Samba log shows:
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC machine account PC$
rpc_server/srv_pipe.c:1925(api_rpcTNP)
  api_rpcTNP: \netlogon: NETR_LOGONGETCAPABILITIES failed.
Comment 4 bunkobugsy 2023-07-13 06:52:15 UTC 
https://bugzilla.samba.org/show_bug.cgi?id=15418#c3

Actually this might be CVE-2023-21526  Windows Netlogon Information Disclosure Vulnerability

For now only solution seems to be removing and blocking KB5028166 (Win10) or KB5028185 (Win11)
Comment 5 bunkobugsy 2023-07-14 05:23:21 UTC 
There’s a patch available that seems to work https://bugzilla.samba.org/show_bug.cgi?id=15418#c25
https://cpaste.org/?df0494cac0063e2e#Cx69G684EBPQ71S6sAUVXSYburgV6gPyKHfPSbfmHZPJ

 source3/rpc_server/netlogon/srv_netlog_nt.c   | 9 +++++----
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++----
 2 files changed, 9 insertions(+), 8 deletions(-)
 
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 3ba58e61206f..2018dc28eb67 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 
+	if (r->in.query_level != 1) {
+		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
 	become_root();
 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
 						p->mem_ctx,
@@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 		return status;
 	}
 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
 	return NT_STATUS_OK;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 6ccba65d3bf0..c869a6d3c791 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
 	struct netlogon_creds_CredentialState *creds;
 	NTSTATUS status;
 
+	if (r->in.query_level != 1) {
+		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+	}
+
 	status = dcesrv_netr_creds_server_step_check(dce_call,
 						     mem_ctx,
 						     r->in.computer_name,
@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
 	}
 	NT_STATUS_NOT_OK_RETURN(status);
 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
 
 	return NT_STATUS_OK;
Comment 6 bunkobugsy 2023-07-14 06:19:52 UTC 
Created attachment 1975683 [details]
srv_netlog_nt.patch

srv_netlog_nt.patch for samba-4.10.16-24.el7_9.src.rpm
Comment 7 bunkobugsy 2023-07-14 06:20:43 UTC 
Created attachment 1975684 [details]
dcerpc_netlogon.patch

dcerpc_netlogon.patch for samba-4.10.16-24.el7_9.src.rpm
Comment 10 bunkobugsy 2023-07-17 06:08:40 UTC 
Created attachment 1976122 [details]
correct patch built and tested for samba-4.10.16-24.el7_9.src.rpm