Description of problem:
"The trust relationship between this workstation and the primary domain failed." on domain logon or net connect to Windows 10/11 PDC-joined workstations since the July 2023 updates KB5028166 / KB5028185
https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25#timing5021130

Version-Release number of selected component (if applicable):
samba-4.10.16-24.el7_9.x86_64

How reproducible:
every time

Steps to Reproduce:
1. apply KB5028166 / KB5028185 on Windows 10/11
2. restart Windows 10/11
3. try to log in with a domain user

Actual results:
Error message: "The trust relationship between this workstation and the primary domain failed."

Expected results:
Successful login of the domain user.

Additional info:
No connection to the PDC will let the user log in for now.

Samba log shows:
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC machine account PC$
rpc_server/srv_pipe.c:1925(api_rpcTNP)
  api_rpcTNP: \netlogon: NETR_LOGONGETCAPABILITIES failed.
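As an added triage example (not part of the bug report and not Samba code), the following Python reads Samba debug output and separates workstations that show the pattern in this report, a NETR_LOGONGETCAPABILITIES failure near (in either order) an _netr_ServerAuthenticate3 rejection of the machine account, from workstations whose ServerAuthenticate3 rejection stands alone, which points at a genuinely stale machine password rather than the July 2023 client change. The two-line header/message log layout, the 30-second correlation window and the sample log lines are assumptions constructed for the example; only the two message texts come from the report.

```python
"""Triage Samba log output for the KB5028166 / KB5028185 secure-channel pattern.

Added example, not from the bug report or from Samba. The log layout (a header
line "[date time, level] file:line(function)" followed by an indented message
line) and the sample lines below are assumptions constructed for this example.
"""
import re
from datetime import datetime, timedelta

# ASSUMPTION: Samba's default two-line debug layout; only the function name
# and timestamp are extracted from the header line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]\s+\S+\((?P<func>\w+)\)"
)
# The two messages quoted in the bug description.
AUTH3_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+\$)"
)
CAPS_RE = re.compile(r"api_rpcTNP: \\netlogon: NETR_LOGONGETCAPABILITIES failed")

# Constructed sample log: WS01 shows the capabilities failure right next to
# its ServerAuthenticate3 rejections; OLDPC is rejected with nothing nearby.
SAMPLE_LOG = """\
[2023/07/13 08:02:11.104522,  0] ../../source3/rpc_server/srv_pipe.c:1925(api_rpcTNP)
  api_rpcTNP: \\netlogon: NETR_LOGONGETCAPABILITIES failed.
[2023/07/13 08:02:11.371845,  0] ../../source3/rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
[2023/07/13 08:02:12.004001,  0] ../../source3/rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
[2023/07/13 09:41:55.512000,  0] ../../source3/rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client OLDPC machine account OLDPC$
""".splitlines()


def parse_events(lines):
    """Pair each header line with its message line -> [(datetime, function, message)]."""
    events, pending = [], None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            pending = (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"), m["func"])
        elif pending is not None and line.strip():
            events.append((pending[0], pending[1], line.strip()))
            pending = None
    return events


def triage(lines, window=timedelta(seconds=30)):
    """Classify every machine account rejected by _netr_ServerAuthenticate3.

    'kb-pattern'     : a NETR_LOGONGETCAPABILITIES failure lies within `window`
                       of the rejection, matching the July 2023 client behaviour
    'stale-password' : the rejection stands alone, so the machine password is
                       the more likely cause
    The window is an assumption for correlating two messages that do not share
    a client identifier.
    """
    events = parse_events(lines)
    caps_times = [ts for ts, _, msg in events if CAPS_RE.search(msg)]
    accounts = {}
    for ts, _, msg in events:
        m = AUTH3_RE.search(msg)
        if not m:
            continue
        rec = accounts.setdefault(
            m["account"], {"client": m["client"], "rejections": 0, "caps_nearby": False}
        )
        rec["rejections"] += 1
        rec["caps_nearby"] |= any(abs(ts - c) <= window for c in caps_times)
    for rec in accounts.values():
        rec["verdict"] = "kb-pattern" if rec["caps_nearby"] else "stale-password"
    return accounts


if __name__ == "__main__":
    for account, rec in triage(SAMPLE_LOG).items():
        print(f"{account:<10} {rec['client']:<8} rejections={rec['rejections']} -> {rec['verdict']}")
```

Run it against a real log with `triage(open("/var/log/samba/log.smbd").read().splitlines())`; accounts reported as stale-password are the ones to re-join or reset, while kb-pattern accounts will keep failing until the server side is patched or the client update is removed.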
https://bugzilla.samba.org/show_bug.cgi?id=15418#c3

Actually this might be CVE-2023-21526, Windows Netlogon Information Disclosure Vulnerability.

For now the only solution seems to be removing and blocking KB5028166 (Win10) or KB5028185 (Win11).
There’s a patch available that seems to work https://bugzilla.samba.org/show_bug.cgi?id=15418#c25 https://cpaste.org/?df0494cac0063e2e#Cx69G684EBPQ71S6sAUVXSYburgV6gPyKHfPSbfmHZPJ source3/rpc_server/netlogon/srv_netlog_nt.c | 9 +++++---- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++---- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 3ba58e61206f..2018dc28eb67 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, struct netlogon_creds_CredentialState *creds; NTSTATUS status; + if (r->in.query_level != 1) { + p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; + return NT_STATUS_NOT_SUPPORTED; + } + become_root(); status = dcesrv_netr_creds_server_step_check(p->dce_call, p->mem_ctx, @@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, return status; } - if (r->in.query_level != 1) { - return NT_STATUS_NOT_SUPPORTED; - } - r->out.capabilities->server_capabilities = creds->negotiate_flags; return NT_STATUS_OK; diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 6ccba65d3bf0..c869a6d3c791 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c struct netlogon_creds_CredentialState *creds; NTSTATUS status; + if (r->in.query_level != 1) { + DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG); + } + status = dcesrv_netr_creds_server_step_check(dce_call, mem_ctx, r->in.computer_name, 
@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c } NT_STATUS_NOT_OK_RETURN(status); - if (r->in.query_level != 1) { - return NT_STATUS_NOT_SUPPORTED; - } - r->out.capabilities->server_capabilities = creds->negotiate_flags; return NT_STATUS_OK;
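Review bot: in the source3 hunk at @@ -2284 (_netr_LogonGetCapabilities), the relocated check now runs before become_root() and dcesrv_netr_creds_server_step_check(), which is the whole point of the change: the old placement, removed at @@ -2296, only rejected an unsupported query_level after the credential step had already run, and the log in the description shows the follow-on failure (netlogon_creds_server_check failed ... NETR_LOGONGETCAPABILITIES failed). Please add a one-line comment above `if (r->in.query_level != 1) {` stating that it must stay ahead of the step check, and say in the commit message why the rejection is now a DCE RPC fault (`p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;`) in addition to `return NT_STATUS_NOT_SUPPORTED;`; the paste carries no commit message at all.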
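Review bot: in the source4 hunk at @@ -2364 (dcesrv_netr_LogonGetCapabilities), the early rejection is spelled `DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);` while the source3 hunk sets p->fault_state and returns NT_STATUS_NOT_SUPPORTED; each is the idiom of its tree, but the commit message should state that both paths produce the same fault code on the wire, because the reporter's PDC runs the source3 server (srv_netlog_nt.c in the log) and an AD DC would run this one. A comment that the check must precede dcesrv_netr_creds_server_step_check() belongs here as well, for the same reason as in source3.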
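Review bot: the removal at @@ -2375 mirrors the source3 removal and is fine as far as the paste shows, but the paste truncates the context between the two source4 hunks (the dcesrv_netr_creds_server_step_check() call breaks off after `r->in.computer_name,`), so anyone applying this should take the attached patch file (attachment 1976122 is described as the version built and tested against samba-4.10.16-24.el7_9.src.rpm) rather than copying from this text.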
Created attachment 1975683: srv_netlog_nt.patch
srv_netlog_nt.patch for samba-4.10.16-24.el7_9.src.rpm

Created attachment 1975684: dcerpc_netlogon.patch
dcerpc_netlogon.patch for samba-4.10.16-24.el7_9.src.rpm

Created attachment 1976122: correct patch
correct patch built and tested for samba-4.10.16-24.el7_9.src.rpm