Bug 885089 - Samba netlogon AES support incorrect
Summary: Samba netlogon AES support incorrect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: samba4
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 886216
Reported: 2012-12-07 13:44 UTC by Guenther Deschner
Modified: 2013-02-21 08:46 UTC

Fixed In Version: samba4-4.0.0-49.el6.rc4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:46:24 UTC
Target Upstream Version:
Embargoed:




Links:
- Red Hat Product Errata RHSA-2013:0506 (priority normal, status SHIPPED_LIVE): "Moderate: samba4 security, bug fix and enhancement update", last updated 2013-02-20 21:30:25 UTC
- Samba Project bug 9438

Description Guenther Deschner 2012-12-07 13:44:01 UTC
Description of problem:
Samba recently got support for AES crypto for various netlogon operations. There are a couple of important dcerpc calls that do not correctly deal with AES though. These include the samlogon calls for authentication and PAC verification and some interdomain trust related calls that set or change the trust password. One consequence is that user session keys are not correctly encrypted and decrypted. This causes SMB signing to fail, among other things.

Version-Release number of selected component (if applicable):
All samba4 rc versions.

How reproducible:
always.

Steps to Reproduce:

1. setup two-way interdomain trust with AD, samba domain "SAMBA", AD domain "ADDOMAIN". call "smbclient -L ADSERVER -U SAMBA\\user%password -S required".

2. call the "rpc.schannel" testsuite against samba: "smbtorture ncacn_np:SAMBASERVER[] -U SAMBA\\user%password -W SAMBA rpc.schannel"

3. call nltest.exe from windows: "nltest.exe /sc_change_pwd:SAMBA"
  
Actual results:
failures w/o patchset

Expected results:
success

Additional info:
Currently the existing patchset (https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-netlogon-aes) is reviewed upstream and is a blocker bug for the final samba 4.0 release (currently planned for Tuesday, Dec. 11th).

Comment 4 Steeve Goveas 2013-01-31 17:43:12 UTC
C:\Users\Administrator.WIN2K8R2.000>tracert wazwan.ipalab.qe
 
Tracing route to wazwan.ipalab.qe [10.65.201.162]
over a maximum of 30 hops:
 
  1     1 ms    <1 ms    <1 ms  10.65.201.162
 
Trace complete.
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_change_pwd:IPALAB
I_NetLogonControl failed: Status = 1 0x1 ERROR_INVALID_FUNCTION
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_verify:IPALAB
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\wazwan.ipalab.qe
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 86 0x56 ERROR_INVALID_PASSWORD
The command completed successfully
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /sc_change_pwd:IPALAB
I_NetLogonControl failed: Status = 1 0x1 ERROR_INVALID_FUNCTION
 
C:\Users\Administrator.WIN2K8R2.000>nltest.exe /dsgetdc:IPALAB
           DC: \\WAZWAN
      Address: \\10.65.201.162
     Dom Guid: b6172dfd-6025-4ebb-9c7f-f06ac88f2716
     Dom Name: IPALAB
  Forest Name: ipalab.qe
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S
ITE
The command completed successfully

Comment 5 Steeve Goveas 2013-01-31 17:59:26 UTC
I'm using the latest available version of samba in this test:
samba4-4.0.0-55.el6.rc4.x86_64

Comment 6 Sumit Bose 2013-01-31 20:29:32 UTC
ERROR_INVALID_FUNCTION very much looks like the related call is either not implemented or somehow broken in the Samba IPA backend. I will check this during the next days and open bugs if needed. It should be fixed for FreeIPA, but I think it's not a major issue.

For verifying this fix, a plain samba server with a trust to the AD server is needed. Maybe Günther can give some instructions or a link about how to set it up.

Comment 7 Guenther Deschner 2013-02-01 13:35:51 UTC
Ok, for the change trust word path we can leave that for later. It's the sc_verify result that worries me.

nltest.exe /sc_verify:IPALAB

must not return ERROR_INVALID_PASSWORD, regardless of what backend samba uses (e.g. ipasam or ldapsam).

Steeve, can you re-setup the trust and only run the sc_verify command above?

Comment 8 Guenther Deschner 2013-02-04 13:04:16 UTC
Steeve, running the "nltest.exe /sc_verify:IPALAB" command with a final

Trust Verification Status = 0 0x0 NERR_Success

is sufficient proof of the fix for this bug.

Comment 9 Steeve Goveas 2013-02-04 13:24:33 UTC
Verified as per comments 4 and 8

Comment 10 Guenther Deschner 2013-02-04 13:47:52 UTC
Just to be 100% sure, you did also run the smbclient -S query successfully ?

Comment 11 errata-xmlrpc 2013-02-21 08:46:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0506.html

