Merge ~ahasenack/ubuntu/+source/samba:jammy-samba-win-22h2-fixes into ubuntu/+source/samba:ubuntu/jammy-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: f8095f8db4568de30a82fff5c7da3257504ff2d8
Proposed branch: ~ahasenack/ubuntu/+source/samba:jammy-samba-win-22h2-fixes
Merge into: ubuntu/+source/samba:ubuntu/jammy-devel
Diff against target: 324 lines (+302/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/win-22H2-fix.patch (+294/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Lucas Kanashiro (community) Approve
Canonical Server Reporter Pending
Review via email: mp+432766@code.launchpad.net

Description of the change

Fix for Windows 11 22H2 failing to join a Samba AD DC domain. The linked SRU bug has a test plan and more details on the bug.

If you want to follow that test plan, we have the necessary VM created on diglett. You can point virt-manager at qemu+ssh://<youruser>@diglett/system and see:

- win11H22: the Windows 11 22H2 VM that shows the bug. Creds: ubuntu_local/Passw0rd!ub (is an admin) for when NOT joined to a domain. This is on DHCP, current IP is 10.0.18.201 and RDP is enabled.
Note that after joining the domain, RDP access is cut off. You have to log in as Administrator and allow the "Domain Users" group to use RDP. I didn't find a way to allow this from the Samba AD DC, but didn't search really hard.

Ubuntu VMs, where you can (re)install samba packages at will. They are pointing at my PPA with the fix, so if you want to see the bug, you have to downgrade them to the non-PPA version. All of these can be logged into via the virt-manager console, creds ubuntu/ubuntu, and from there you can ssh-import your key.
- ad: jammy AD. Fixed IP at 10.0.18.5
- b-ad: bionic AD. Fixed IP at 10.0.18.3
- f-ad: focal AD. Fixed IP at 10.0.18.2

Libvirt network: 10.0.18.0/24

If you want, we can have a hangout where I can show all of this.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-22h2/

Lucas Kanashiro (lucaskanashiro) wrote :

This is missing the new changelog entry.

review: Needs Fixing
Lucas Kanashiro (lucaskanashiro) wrote :

The patch DEP-3 headers are missing as well.

Andreas Hasenack (ahasenack) wrote :

Hmpf, forgot to push

$ git push ahasenack jammy-samba-win-22h2-fixes --force-with-lease
Enumerating objects: 15, done.
Counting objects: 100% (15/15), done.
Delta compression using up to 4 threads
Compressing objects: 100% (10/10), done.
Writing objects: 100% (10/10), 4.46 KiB | 652.00 KiB/s, done.
Total 10 (delta 7), reused 0 (delta 0), pack-reused 0
remote:
remote: Create a merge proposal for 'jammy-samba-win-22h2-fixes' on Launchpad by visiting:
remote: https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+ref/jammy-samba-win-22h2-fixes/+register-merge
remote:
To ssh://git.launchpad.net/~ahasenack/ubuntu/+source/samba
 + dcf4cec77b0...f8095f8db45 jammy-samba-win-22h2-fixes -> jammy-samba-win-22h2-fixes (forced update)

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks Andreas, LGTM.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded:

Uploading samba_4.15.9+dfsg-0ubuntu0.3.dsc
Uploading samba_4.15.9+dfsg-0ubuntu0.3.debian.tar.xz
Uploading samba_4.15.9+dfsg-0ubuntu0.3_source.buildinfo
Uploading samba_4.15.9+dfsg-0ubuntu0.3_source.changes

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 3a44200..878e4f3 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+samba (2:4.15.9+dfsg-0ubuntu0.3) jammy; urgency=medium
7+
8+ * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
9+ clients (LP: #1993934)
10+
11+ -- Andreas Hasenack <andreas@canonical.com> Tue, 08 Nov 2022 10:59:27 -0300
12+
13 samba (2:4.15.9+dfsg-0ubuntu0.2) jammy-security; urgency=medium
14
15 * Updated to 2.15.9 to fix multiple security issues.
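Review bot: the new changelog line "fix interoperability with Windows 22H2 clients (LP: #1993934)" names "Windows 22H2", whereas the patch, its commit messages and the LP bug are specifically about Windows 11 22H2; say "Windows 11 22H2 clients" so the SRU entry matches the bug. As this is an SRU, a few words on what actually changed would also help the reviewer, e.g. "have the KDC verify the TGS-REQ and PKINIT checksum over the received KDC-REQ-BODY bytes instead of a re-encoding, which fails for the year-9999 ticket expiry Windows 11 22H2 sends".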
16diff --git a/debian/patches/series b/debian/patches/series
17index d2d04e9..e411ebc 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -9,3 +9,4 @@ heimdal-rfc3454.txt
21 smbd.service-Run-update-apparmor-samba-profile-befor.patch
22 fix-nfs-service-name-to-nfs-kernel-server.patch
23 ctdb-config-enable-syslog-by-default.patch
24+win-22H2-fix.patch
25diff --git a/debian/patches/win-22H2-fix.patch b/debian/patches/win-22H2-fix.patch
26new file mode 100644
27index 0000000..615ab44
28--- /dev/null
29+++ b/debian/patches/win-22H2-fix.patch
30@@ -0,0 +1,294 @@
31+From 5b7d8363ce6a3ac8bcec707c4fe318770213dc32 Mon Sep 17 00:00:00 2001
32+From: Joseph Sutton <josephsutton@catalyst.net.nz>
33+Date: Tue, 4 Oct 2022 12:25:08 +1300
34+Subject: [PATCH 1/3] tests/krb5: Add test requesting a service ticket expiring
35+ post-2038
36+
37+Windows 11 22H2 performs such requests, with year 9999.
38+The test fails with KDC_ERR_BAD_INTEGRITY on older
39+Heimdal versions, which are unable to verify a checksum
40+over the modified request body (due to a re-encoding failure).
41+
42+REF: https://github.com/heimdal/heimdal/issues/1011
43+
44+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
45+
46+[abartlet@samba.org Add knownfail for backport - as Samba
47+ 4.15 and earlier fail this test, adapted commit
48+ 67811e121fbef08337675d473390160793544719 to test
49+ paraemters in 4.15]
50+
51+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
52+Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
53+(backported from commit 67811e121fbef08337675d473390160793544719)
54+
55+Origin: https://attachments.samba.org/attachment.cgi?id=17595
56+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934
57+Last-Update: 2022-11-08
58+---
59+ python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++
60+ selftest/knownfail.d/windows11-22h2 | 2 ++
61+ 2 files changed, 16 insertions(+)
62+ create mode 100644 selftest/knownfail.d/windows11-22h2
63+
64+diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
65+index e52f46152fa..a4bc48e587a 100755
66+--- a/python/samba/tests/krb5/kdc_tgs_tests.py
67++++ b/python/samba/tests/krb5/kdc_tgs_tests.py
68+@@ -2099,6 +2099,18 @@ class KdcTgsTests(KDCBaseTest):
69+ self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
70+ KDC_ERR_C_PRINCIPAL_UNKNOWN))
71+
72++ # Test making a TGS request for a ticket expiring post-2038.
73++ def test_tgs_req_future_till(self):
74++ creds = self._get_creds()
75++ tgt = self._get_tgt(creds)
76++
77++ target_creds = self.get_service_creds()
78++ self._tgs_req(
79++ tgt=tgt,
80++ expected_error=0,
81++ target_creds=target_creds,
82++ till='99990913024805Z')
83++
84+ def _modify_renewable(self, enc_part):
85+ # Set the renewable flag.
86+ enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
87+@@ -2469,6 +2481,7 @@ class KdcTgsTests(KDCBaseTest):
88+ sname=None,
89+ srealm=None,
90+ use_fast=False,
91++ till=None,
92+ expect_claims=True,
93+ expect_pac=True,
94+ expect_pac_attrs=None,
95+@@ -2580,6 +2593,7 @@ class KdcTgsTests(KDCBaseTest):
96+ cname=None,
97+ realm=srealm,
98+ sname=sname,
99++ till_time=till,
100+ etypes=etypes,
101+ additional_tickets=additional_tickets)
102+ if expected_error:
103+diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2
104+new file mode 100644
105+index 00000000000..69980ce763a
106+--- /dev/null
107++++ b/selftest/knownfail.d/windows11-22h2
108+@@ -0,0 +1,2 @@
109++# This tests shows the new timestamp from Windows 11 22H2 which fails in this version
110++^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till
111+\ No newline at end of file
112+--
113+2.25.1
114+
115+
116+From e8a1c05847618c1c4b83d92757c928484dc172e9 Mon Sep 17 00:00:00 2001
117+From: Joseph Sutton <josephsutton@catalyst.net.nz>
118+Date: Thu, 20 Oct 2022 12:36:44 +1300
119+Subject: [PATCH 2/3] tests/krb5: Add test requesting a TGT expiring post-2038
120+
121+This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
122+which changed to use a year 9999 date for a forever timetime in
123+tickets.
124+
125+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
126+
127+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
128+Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
129+
130+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
131+Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
132+
133+(backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
134+
135+[abartlet@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
136+ as the kerberos tests have changed parameters in newer versions
137+ breaking the context]
138+---
139+ python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++--
140+ 1 file changed, 11 insertions(+), 2 deletions(-)
141+
142+diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
143+index 054a49b64aa..aa4bc2370c4 100755
144+--- a/python/samba/tests/krb5/as_req_tests.py
145++++ b/python/samba/tests/krb5/as_req_tests.py
146+@@ -42,7 +42,7 @@ global_hexdump = False
147+
148+ class AsReqBaseTest(KDCBaseTest):
149+ def _run_as_req_enc_timestamp(self, client_creds, sname=None,
150+- expected_error=None):
151++ expected_error=None, till=None):
152+ client_account = client_creds.get_username()
153+ client_as_etypes = self.get_default_enctypes()
154+ client_kvno = client_creds.get_kvno()
155+@@ -62,7 +62,8 @@ class AsReqBaseTest(KDCBaseTest):
156+ expected_sname = sname
157+ expected_salt = client_creds.get_salt()
158+
159+- till = self.get_KerberosTime(offset=36000)
160++ if till is None:
161++ till = self.get_KerberosTime(offset=36000)
162+
163+ initial_etypes = client_as_etypes
164+ initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
165+@@ -241,6 +242,14 @@ class AsReqKerberosTests(AsReqBaseTest):
166+ sname=wrong_krbtgt_princ,
167+ expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
168+
169++ # Test that we can make a request for a ticket expiring post-2038.
170++ def test_future_till(self):
171++ client_creds = self.get_client_creds()
172++
173++ self._run_as_req_enc_timestamp(
174++ client_creds,
175++ till='99990913024805Z')
176++
177+
178+ if __name__ == "__main__":
179+ global_asn1_print = False
180+--
181+2.25.1
182+
183+
184+From 7bcbe9428438ee9fed60af133b1863e150001d35 Mon Sep 17 00:00:00 2001
185+From: Luke Howard <lukeh@padl.com>
186+Date: Thu, 20 Oct 2022 13:27:31 +1300
187+Subject: [PATCH 3/3] kdc: avoid re-encoding KDC-REQ-BODY
188+
189+Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
190+re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
191+
192+[abartlet@samba.org adapted from Heimdal commit
193+ ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
194+ by removing references to FAST and GSS-pre-auth.
195+
196+ This fixes the Windows 11 22H2 issue with TGS-REQ
197+ as seen at https://github.com/heimdal/heimdal/issues/1011 and so
198+ removes the knownfail file for this test]
199+
200+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
201+
202+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
203+---
204+ selftest/knownfail.d/windows11-22h2 | 2 --
205+ source4/heimdal/kdc/krb5tgs.c | 24 ++----------------------
206+ source4/heimdal/kdc/pkinit.c | 16 ++--------------
207+ source4/heimdal/lib/asn1/krb5.opt | 1 +
208+ 4 files changed, 5 insertions(+), 38 deletions(-)
209+ delete mode 100644 selftest/knownfail.d/windows11-22h2
210+
211+diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2
212+deleted file mode 100644
213+index 69980ce763a..00000000000
214+--- a/selftest/knownfail.d/windows11-22h2
215++++ /dev/null
216+@@ -1,2 +0,0 @@
217+-# This tests shows the new timestamp from Windows 11 22H2 which fails in this version
218+-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till
219+\ No newline at end of file
220+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
221+index 15be136496f..fa7755a4e3d 100644
222+--- a/source4/heimdal/kdc/krb5tgs.c
223++++ b/source4/heimdal/kdc/krb5tgs.c
224+@@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context,
225+ krb5_keyblock *key)
226+ {
227+ krb5_authenticator auth;
228+- size_t len = 0;
229+- unsigned char *buf;
230+- size_t buf_size;
231+ krb5_error_code ret;
232+ krb5_crypto crypto;
233+
234+@@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context,
235+ goto out;
236+ }
237+
238+- /* XXX should not re-encode this */
239+- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
240+- if(ret){
241+- const char *msg = krb5_get_error_message(context, ret);
242+- kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
243+- krb5_free_error_message(context, msg);
244+- goto out;
245+- }
246+- if(buf_size != len) {
247+- free(buf);
248+- kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
249+- *e_text = "KDC internal error";
250+- ret = KRB5KRB_ERR_GENERIC;
251+- goto out;
252+- }
253+ ret = krb5_crypto_init(context, key, 0, &crypto);
254+ if (ret) {
255+ const char *msg = krb5_get_error_message(context, ret);
256+- free(buf);
257+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
258+ krb5_free_error_message(context, msg);
259+ goto out;
260+@@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context,
261+ ret = krb5_verify_checksum(context,
262+ crypto,
263+ KRB5_KU_TGS_REQ_AUTH_CKSUM,
264+- buf,
265+- len,
266++ b->_save.data,
267++ b->_save.length,
268+ auth->cksum);
269+- free(buf);
270+ krb5_crypto_destroy(context, crypto);
271+ if(ret){
272+ const char *msg = krb5_get_error_message(context, ret);
273+diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
274+index ad7f3efc10a..64ea4c00e41 100644
275+--- a/source4/heimdal/kdc/pkinit.c
276++++ b/source4/heimdal/kdc/pkinit.c
277+@@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context,
278+ PKAuthenticator *a,
279+ const KDC_REQ *req)
280+ {
281+- u_char *buf = NULL;
282+- size_t buf_size;
283+ krb5_error_code ret;
284+- size_t len = 0;
285+ krb5_timestamp now;
286+ Checksum checksum;
287+
288+@@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context,
289+ return KRB5KRB_AP_ERR_SKEW;
290+ }
291+
292+- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
293+- if (ret) {
294+- krb5_clear_error_message(context);
295+- return ret;
296+- }
297+- if (buf_size != len)
298+- krb5_abortx(context, "Internal error in ASN.1 encoder");
299+-
300+ ret = krb5_create_checksum(context,
301+ NULL,
302+ 0,
303+ CKSUMTYPE_SHA1,
304+- buf,
305+- len,
306++ req->req_body._save.data,
307++ req->req_body._save.length,
308+ &checksum);
309+- free(buf);
310+ if (ret) {
311+ krb5_clear_error_message(context);
312+ return ret;
313+diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt
314+index 1d6d5e8989f..5acc596d39c 100644
315+--- a/source4/heimdal/lib/asn1/krb5.opt
316++++ b/source4/heimdal/lib/asn1/krb5.opt
317+@@ -4,3 +4,4 @@
318+ --sequence=METHOD-DATA
319+ --sequence=ETYPE-INFO
320+ --sequence=ETYPE-INFO2
321++--preserve-binary=KDC-REQ-BODY
322+--
323+2.25.1
324+
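Review bot: the DEP-3 headers (Origin:, Bug-Ubuntu:, Last-Update:) are placed inside the first of the three bundled commits, between its "(backported from commit 67811e12...)" trailer and the "---" stat line, so as written they only describe patch 1/3; put a single DEP-3 block at the top of the file with a Description: line that covers all three commits (the two post-2038 "till" tests and the --preserve-binary=KDC-REQ-BODY change), and since the file is an Ubuntu-adapted backport rather than a verbatim cherry-pick, mark the origin as such, e.g. "Origin: backport, https://attachments.samba.org/attachment.cgi?id=17595". On the code in patch 3/3: tgs_check_authenticator and pk_check_pkauthenticator now verify or compute the checksum over b->_save.data / req->req_body._save.data, i.e. the bytes the ASN.1 decoder kept, which is the right fix (the checksum has to cover what the client actually sent, and the re-encoder could not reproduce that for the year-9999 till, hence the KDC_ERR_BAD_INTEGRITY described in patch 1/3), but it relies on every KDC-REQ-BODY reaching these two functions having come from the decoder with --preserve-binary in effect; please confirm nothing in the 4.15 kdc builds a KDC_REQ_BODY locally before calling them, because for such a struct _save would be empty and the verification would run over zero bytes. Finally, the knownfail file added in patch 1/3 and deleted again in patch 3/3 is a no-op in the resulting tree; dropping both halves would shrink the patch without changing the result.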
