Bug 885089

Summary: Samba netlogon AES support incorrect
Product: Red Hat Enterprise Linux 6
Reporter: Guenther Deschner <gdeschner>
Component: samba4
Assignee: Andreas Schneider <asn>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 6.4
CC: jgalipea, sbose, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: samba4-4.0.0-49.el6.rc4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 08:46:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 886216

Description Guenther Deschner 2012-12-07 13:44:01 UTC
Description of problem:
Samba recently got support for AES crypto for various netlogon operations. There are a couple of important dcerpc calls that do not correctly deal with AES though. These include the samlogon calls for authentication and PAC verification and some interdomain trust related calls that set or change the trust password. One consequence is that user session keys are not correctly encrypted and decrypted. This causes SMB signing to fail, among other things.

Version-Release number of selected component (if applicable):
All samba4 rc versions.

How reproducible:
always.

Steps to Reproduce:

1. Set up a two-way interdomain trust with AD, Samba domain "SAMBA", AD domain "ADDOMAIN". Call "smbclient -L ADSERVER -U SAMBA\\user%password -S required".

2. Call the "rpc.schannel" testsuite against Samba: "smbtorture ncacn_np:SAMBASERVER[] -U SAMBA\\user%password -W SAMBA rpc.schannel".

3. Call nltest.exe from Windows: "nltest.exe /sc_change_pwd:SAMBA".
  
Actual results:
failures w/o patchset

Expected results:
success

Additional info:
Currently the existing patchset (https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-netlogon-aes) is being reviewed upstream and is a blocker bug for the final Samba 4.0 release (currently planned for Tuesday, Dec. 11th).

Comment 4 Steeve Goveas 2013-01-31 17:43:12 UTC
C:\Users\Administrator.WIN2K8R2.000>tracert wazwan.ipalab.qe
 
Tracing route to wazwan.ipalab.qe [10.65.201.162]
over a maximum of 30 hops:
 
  1     1 ms    <1 ms    <1 ms  10.65.201.162
 
Trace complete.
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_change_pwd:IPALAB
I_NetLogonControl failed: Status = 1 0x1 ERROR_INVALID_FUNCTION
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_verify:IPALAB
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\wazwan.ipalab.qe
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 86 0x56 ERROR_INVALID_PASSWORD
The command completed successfully
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_change_pwd:IPALAB
I_NetLogonControl failed: Status = 1 0x1 ERROR_INVALID_FUNCTION
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /dsgetdc:IPALAB
           DC: \\WAZWAN
      Address: \\10.65.201.162
     Dom Guid: b6172dfd-6025-4ebb-9c7f-f06ac88f2716
     Dom Name: IPALAB
  Forest Name: ipalab.qe
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully

Comment 5 Steeve Goveas 2013-01-31 17:59:26 UTC
I'm using the latest available version of Samba in this test:
samba4-4.0.0-55.el6.rc4.x86_64

Comment 6 Sumit Bose 2013-01-31 20:29:32 UTC
ERROR_INVALID_FUNCTION very much looks like the related call is either not implemented or somehow broken in the Samba IPA backend. I will check this during the next days and open bugs if needed. It should be fixed for FreeIPA, but I think it's not a major issue.

For verifying this fix, a plain Samba server with a trust to the AD server is needed. Maybe Günther can give some instructions or a link about how to set it up.

Comment 7 Guenther Deschner 2013-02-01 13:35:51 UTC
Ok, for the change trust word path we can leave that for later. It's the sc_verify result that worries me.

nltest.exe /sc_verify:IPALAB

must not return ERROR_INVALID_PASSWORD, regardless of what backend Samba uses (e.g. ipasam or ldapsam).

Steeve, can you re-setup the trust and only run the sc_verify command above?

Comment 8 Guenther Deschner 2013-02-04 13:04:16 UTC
Steeve, running the "nltest.exe /sc_verify:IPALAB" command with a final

Trust Verification Status = 0 0x0 NERR_Success

is sufficient proof of the fix for this bug.
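Comment 4 and Comment 8 together spell out the verification criterion: the "Trust Verification Status" line of nltest /sc_verify must read 0 0x0 NERR_Success, and the trailing "The command completed successfully" says nothing about the trust itself (in Comment 4 it follows an ERROR_INVALID_PASSWORD). The following parser is an added example, not code from this bug, Samba, or Red Hat; it assumes only the nltest output layout quoted in Comment 4, and the function names and sample strings are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed samples, modelled on the nltest.exe output quoted in Comment 4.
# The "broken" sample reproduces the pre-fix result; the "fixed" sample is what
# Comment 8 asks for as proof of the fix.
SC_VERIFY_BROKEN = r"""Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\wazwan.ipalab.qe
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 86 0x56 ERROR_INVALID_PASSWORD
The command completed successfully
"""

SC_VERIFY_FIXED = r"""Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\wazwan.ipalab.qe
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
"""

# Constructed from the /sc_change_pwd failure in Comment 4.
SC_CHANGE_PWD_FAILED = "I_NetLogonControl failed: Status = 1 0x1 ERROR_INVALID_FUNCTION\n"

# One status line: "<label> Status = <decimal> <hex> <symbolic name>".
# nltest prints the code twice (decimal and hex), which lets us cross-check it.
STATUS_RE = re.compile(
    r"^(?P<label>Trusted DC Connection Status|Trust Verification|I_NetLogonControl failed:)"
    r"\s*Status\s*=\s*(?P<dec>\d+)\s+(?P<hex>0x[0-9a-fA-F]+)\s+(?P<name>\S+)",
    re.MULTILINE,
)


def parse_nltest(output: str) -> Dict[str, Tuple[int, str]]:
    """Map each status label to (numeric code, symbolic name), in output order."""
    statuses: Dict[str, Tuple[int, str]] = {}
    for m in STATUS_RE.finditer(output):
        code = int(m.group("dec"))
        if code != int(m.group("hex"), 16):
            # Decimal and hex disagree: treat the line as corrupt rather than guess.
            raise ValueError(f"inconsistent status line: {m.group(0)!r}")
        statuses[m.group("label")] = (code, m.group("name"))
    return statuses


def trust_verified(sc_verify_output: str) -> bool:
    """True only if the secure channel connected AND the trust password verified.

    A connection status of NERR_Success on its own is not enough: in the
    pre-fix output the channel connects and verification still fails.
    """
    statuses = parse_nltest(sc_verify_output)
    connected = statuses.get("Trusted DC Connection Status")
    verified = statuses.get("Trust Verification")
    return connected == (0, "NERR_Success") and verified == (0, "NERR_Success")


def failure_reason(output: str) -> Optional[str]:
    """Symbolic name of the first non-zero status, or None when everything succeeded."""
    for code, name in parse_nltest(output).values():
        if code != 0:
            return name
    return None


if __name__ == "__main__":
    for label, sample in (("broken", SC_VERIFY_BROKEN), ("fixed", SC_VERIFY_FIXED)):
        print(f"{label}: verified={trust_verified(sample)} reason={failure_reason(sample)}")
    print(f"sc_change_pwd: reason={failure_reason(SC_CHANGE_PWD_FAILED)}")
```

The check deliberately keys on the parsed status code rather than on the closing "The command completed successfully" line, since that line is printed even when verification returns ERROR_INVALID_PASSWORD; the separate connection and verification statuses are kept apart so a failing trust password is not masked by a successful secure-channel setup.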

Comment 9 Steeve Goveas 2013-02-04 13:24:33 UTC
Verified as per comments 4 and 8

Comment 10 Guenther Deschner 2013-02-04 13:47:52 UTC
Just to be 100% sure, you did also run the smbclient -S query successfully?

Comment 11 errata-xmlrpc 2013-02-21 08:46:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0506.html