Bug 885089 - Samba netlogon AES support incorrect
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: samba4 (Show other bugs)
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Andreas Schneider
QA Contact: Namita Soman
Depends On:
Blocks: 886216
Reported: 2012-12-07 08:44 EST by Guenther Deschner
Modified: 2013-02-21 03:46 EST (History)
See Also:
Fixed In Version: samba4-4.0.0-49.el6.rc4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:46:24 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Samba Project | 9438 | None | None | None | Never
Red Hat Product Errata | RHSA-2013:0506 | normal | SHIPPED_LIVE | Moderate: samba4 security, bug fix and enhancement update | 2013-02-20 16:30:25 EST

Description Guenther Deschner 2012-12-07 08:44:01 EST
Description of problem:
Samba recently got support for AES crypto for various netlogon operations. There are a couple of important dcerpc calls that do not correctly deal with AES though. These include the samlogon calls for authentication and PAC verification and some interdomain trust related calls that set or change the trust password. One consequence is that user session keys are not correctly encrypted and decrypted. This causes SMB signing to fail, among other things.

Version-Release number of selected component (if applicable):
All samba4 rc versions.

How reproducible:
always.

Steps to Reproduce:

1. setup two-way interdomain trust with AD, samba domain "SAMBA", AD domain "ADDOMAIN". call "smbclient -L ADSERVER -U SAMBA\\user%password -S required".

2. call the "rpc.schannel" testsuite against samba: "smbtorture ncacn_np:SAMBASERVER[] -U SAMBA\\user%password -W SAMBA rpc.schannel"

3. call nltest.exe from windows: "nltest.exe /sc_change_pwd:SAMBA"
  
Actual results:
failures w/o patchset

Expected results:
success

Additional info:
Currently the existing patchset (https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-netlogon-aes) is reviewed upstream and is a blocker bug for the final samba 4.0 release (currently planned for Tuesday, Dec. 11th).
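The description says the user session key carried in the samlogon response is not correctly wrapped and unwrapped once AES is negotiated. The following is an added example, not Samba code or anything from this report: it implements the construction MS-NRPC specifies for AES-protected netlogon data (AES-128 in CFB8 mode, keyed with the schannel session key, all-zero IV; the mode and IV come from MS-NRPC, not from this page) and checks that the server-side wrap and client-side unwrap agree. Key values are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// netlogonCFB8 runs AES-128 in CFB8 mode with an all-zero IV, keyed with the
// schannel session key, as MS-NRPC prescribes for NETLOGON credentials and the
// user session key when AES is negotiated. Go's standard library has no CFB8,
// so the 8-bit shift register is written out here.
func netlogonCFB8(sessionKey, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	reg := make([]byte, aes.BlockSize) // zero IV per MS-NRPC
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(ks, reg)
		out[i] = b ^ ks[0]
		fb := out[i] // encrypt: feed back the ciphertext byte just produced
		if decrypt {
			fb = b // decrypt: the input byte is the ciphertext
		}
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = fb
	}
	return out, nil
}

// sessionKeyRoundTrip models the server wrapping the user session key for a
// samlogon response and the client unwrapping it; it returns true only when
// both sides applied the same AES construction and recovered the same key.
func sessionKeyRoundTrip(schannelKey, userSessionKey []byte) (bool, error) {
	wire, err := netlogonCFB8(schannelKey, userSessionKey, false)
	if err != nil {
		return false, err
	}
	got, err := netlogonCFB8(schannelKey, wire, true)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, userSessionKey), nil
}

func main() {
	// Constructed sample keys, not values from any real trust.
	schannelKey := bytes.Repeat([]byte{0x11}, 16)
	userKey := []byte("0123456789abcdef")
	ok, err := sessionKeyRoundTrip(schannelKey, userKey)
	fmt.Println(ok, err)
}
```

If either side uses a different construction for the session key, the client ends up signing SMB traffic with a key the server does not hold, which is the signing failure the report describes.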
Comment 4 Steeve Goveas 2013-01-31 12:43:12 EST
C:\Users\Administrator.WIN2K8R2.000>tracert wazwan.ipalab.qe
 
Tracing route to wazwan.ipalab.qe [10.65.201.162]
over a maximum of 30 hops:
 
  1     1 ms    <1 ms    <1 ms  10.65.201.162
 
Trace complete.
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_change_pwd:IPALAB
I_NetLogonControl failed: Status = 1 0x1 ERROR_INVALID_FUNCTION
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_verify:IPALAB
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\wazwan.ipalab.qe
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 86 0x56 ERROR_INVALID_PASSWORD
The command completed successfully
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_change_pwd:IPALAB
I_NetLogonControl failed: Status = 1 0x1 ERROR_INVALID_FUNCTION
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /dsgetdc:IPALAB
           DC: \\WAZWAN
      Address: \\10.65.201.162
     Dom Guid: b6172dfd-6025-4ebb-9c7f-f06ac88f2716
     Dom Name: IPALAB
  Forest Name: ipalab.qe
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully
Comment 5 Steeve Goveas 2013-01-31 12:59:26 EST
I'm using the latest available version of samba in this test:
samba4-4.0.0-55.el6.rc4.x86_64
Comment 6 Sumit Bose 2013-01-31 15:29:32 EST
ERROR_INVALID_FUNCTION very much looks like the related call is either not implemented or somehow broken in the Samba IPA backend. I will check this during the next days and open bugs if needed. It should be fixed for FreeIPA but I think it's not a major issue.

For verifying this fix a plain samba server with trust to the AD server is needed. Maybe Günther can give some instructions or a link about how to set it up.
Comment 7 Guenther Deschner 2013-02-01 08:35:51 EST
Ok, for the change trust word path we can leave that for later. It's the sc_verify result that worries me.

nltest.exe /sc_verify:IPALAB

must not return ERROR_INVALID_PASSWORD. Regardless of what backend samba uses (e.g. ipasam or ldapsam). 

Steeve, can you re-setup the trust and only run the sc_verify command above?
Comment 8 Guenther Deschner 2013-02-04 08:04:16 EST
Steeve, running the "nltest.exe /sc_verify:IPALAB" command with a final 

Trust Verification Status = 0 0x0 NERR_Success

is sufficient proof of the fix of this bug.
Comment 9 Steeve Goveas 2013-02-04 08:24:33 EST
Verified as per comments 4 and 8
Comment 10 Guenther Deschner 2013-02-04 08:47:52 EST
Just to be 100% sure, you did also run the smbclient -S query successfully?
Comment 11 errata-xmlrpc 2013-02-21 03:46:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0506.html
