Merge ~ahasenack/ubuntu/+source/samba:jammy-samba-win-22h2-fixes into ubuntu/+source/samba:ubuntu/jammy-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: f8095f8db4568de30a82fff5c7da3257504ff2d8
Proposed branch: ~ahasenack/ubuntu/+source/samba:jammy-samba-win-22h2-fixes
Merge into: ubuntu/+source/samba:ubuntu/jammy-devel
Diff against target: 324 lines (+302/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/win-22H2-fix.patch (+294/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Lucas Kanashiro (community) Approve
Canonical Server Reporter Pending
Review via email: mp+432766@code.launchpad.net

Description of the change

Fix for Windows 11 22H2 failing to join a Samba AD DC domain. The linked SRU bug has a test plan and more details on the bug.

If you want to follow that test plan, we have the necessary VM created on diglett. You can point virt-manager at qemu+ssh://<youruser>@diglett/system and see:

- win11H22: the Windows 11 22H2 VM that shows the bug. Creds: ubuntu_local/Passw0rd!ub (is an admin) for when NOT joined to a domain. This is on DHCP, current IP is 10.0.18.201 and RDP is enabled.
Note that after joining the domain, RDP access is cut off. You have to log in as Administrator and allow the "Domain Users" group to use RDP. I didn't find a way to allow this from the samba AD DC, but didn't search really hard.

Ubuntu VMs, where you can (re)install samba packages at will. They are pointing at my PPA with the fix, so if you want to see the bug, you have to downgrade them to the non-ppa version. You can log in to all of these via the virt-manager console (creds ubuntu/ubuntu) and from there ssh-import your key.
- ad: jammy AD. Fixed IP at 10.0.18.5
- b-ad: bionic AD. Fixed IP at 10.0.18.3
- f-ad: focal AD. Fixed IP at 10.0.18.2

Libvirt network: 10.0.18.0/24

If you want, we can have a hangout where I can show all of this.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-22h2/
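The verification problem this fix addresses, modelled as an added Python example (not code from this merge proposal, Samba or Heimdal): a KDC that re-encodes the decoded KDC-REQ-BODY before checking the client's checksum breaks as soon as the re-encoder cannot round-trip a value such as the year-9999 `till` Windows 11 22H2 sends, while verifying over the preserved wire bytes does not. The 32-bit clamp standing in for the re-encoding failure, the toy one-field body encoding, the HMAC checksum and the key are assumptions of this model.

```python
import hmac
import hashlib
from datetime import datetime, timezone, timedelta

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1
KEY = b"constructed-session-key"   # constructed sample key, not a real one
WIN11_TILL = "99990913024805Z"      # the post-2038 'till' used in the Samba test

def kerberos_time_to_epoch(kt: str) -> int:
    """Decode a KerberosTime (GeneralizedTime 'YYYYMMDDHHMMSSZ') to Unix seconds."""
    dt = datetime.strptime(kt, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int((dt - EPOCH).total_seconds())

def epoch_to_kerberos_time(epoch: int, time_t_bits: int = 64) -> str:
    """Re-encode Unix seconds as KerberosTime. time_t_bits=32 clamps the value
    as a 32-bit time_t would: this models a re-encoder that cannot round-trip
    the decoded body (an assumption standing in for Heimdal's failure)."""
    if time_t_bits == 32:
        epoch = min(epoch, INT32_MAX)
    return (EPOCH + timedelta(seconds=epoch)).strftime("%Y%m%d%H%M%SZ")

def encode_body(till: str) -> bytes:
    """Toy KDC-REQ-BODY: just a DER GeneralizedTime (tag 0x18, length, contents)."""
    raw = till.encode("ascii")
    return bytes([0x18, len(raw)]) + raw

def decode_body(wire: bytes) -> dict:
    """Decode into a struct and keep the original bytes, like Heimdal's _save field."""
    if wire[0] != 0x18 or wire[1] != len(wire) - 2:
        raise ValueError("malformed body")
    return {"till": kerberos_time_to_epoch(wire[2:].decode("ascii")), "_save": wire}

def checksum(key: bytes, data: bytes) -> bytes:
    """Stand-in for the keyed checksum the client puts in its authenticator."""
    return hmac.new(key, data, hashlib.sha256).digest()

def kdc_verify(key: bytes, wire: bytes, cksum: bytes,
               reencode: bool, time_t_bits: int = 64) -> bool:
    """Old KDC path (reencode=True): re-encode the decoded body, then verify.
    Fixed path (reencode=False): verify over the preserved wire bytes."""
    body = decode_body(wire)
    if reencode:
        data = encode_body(epoch_to_kerberos_time(body["till"], time_t_bits))
    else:
        data = body["_save"]
    return hmac.compare_digest(checksum(key, data), cksum)
```

Calling `kdc_verify` with `reencode=True, time_t_bits=32` on a body built from `WIN11_TILL` reproduces the mismatch the page describes as KDC_ERR_BAD_INTEGRITY; `reencode=False` succeeds with the same body and checksum.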

Lucas Kanashiro (lucaskanashiro) wrote :

This is missing the new changelog entry.

review: Needs Fixing
Lucas Kanashiro (lucaskanashiro) wrote :

The patch DEP-3 headers are missing as well.

Andreas Hasenack (ahasenack) wrote :

Hmpf, forgot to push

$ git push ahasenack jammy-samba-win-22h2-fixes --force-with-lease
Enumerating objects: 15, done.
Counting objects: 100% (15/15), done.
Delta compression using up to 4 threads
Compressing objects: 100% (10/10), done.
Writing objects: 100% (10/10), 4.46 KiB | 652.00 KiB/s, done.
Total 10 (delta 7), reused 0 (delta 0), pack-reused 0
remote:
remote: Create a merge proposal for 'jammy-samba-win-22h2-fixes' on Launchpad by visiting:
remote: https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+ref/jammy-samba-win-22h2-fixes/+register-merge
remote:
To ssh://git.launchpad.net/~ahasenack/ubuntu/+source/samba
 + dcf4cec77b0...f8095f8db45 jammy-samba-win-22h2-fixes -> jammy-samba-win-22h2-fixes (forced update)

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks Andreas, LGTM.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded:

Uploading samba_4.15.9+dfsg-0ubuntu0.3.dsc
Uploading samba_4.15.9+dfsg-0ubuntu0.3.debian.tar.xz
Uploading samba_4.15.9+dfsg-0ubuntu0.3_source.buildinfo
Uploading samba_4.15.9+dfsg-0ubuntu0.3_source.changes

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve


Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 3a44200..878e4f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1samba (2:4.15.9+dfsg-0ubuntu0.3) jammy; urgency=medium
2
3 * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
4 clients (LP: #1993934)
5
6 -- Andreas Hasenack <andreas@canonical.com> Tue, 08 Nov 2022 10:59:27 -0300
7
1samba (2:4.15.9+dfsg-0ubuntu0.2) jammy-security; urgency=medium8samba (2:4.15.9+dfsg-0ubuntu0.2) jammy-security; urgency=medium
29
3 * Updated to 2.15.9 to fix multiple security issues.10 * Updated to 2.15.9 to fix multiple security issues.
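Review bot: the new entry reads "Windows 22H2 clients" while the bug and the patch subjects are specifically about Windows 11 22H2; suggest "fix interoperability with Windows 11 22H2 clients (LP: #1993934)" so the changelog names the affected OS unambiguously. Version, target pocket (jammy) and the LP reference otherwise look right for the SRU.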
diff --git a/debian/patches/series b/debian/patches/series
index d2d04e9..e411ebc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ heimdal-rfc3454.txt
9smbd.service-Run-update-apparmor-samba-profile-befor.patch9smbd.service-Run-update-apparmor-samba-profile-befor.patch
10fix-nfs-service-name-to-nfs-kernel-server.patch10fix-nfs-service-name-to-nfs-kernel-server.patch
11ctdb-config-enable-syslog-by-default.patch11ctdb-config-enable-syslog-by-default.patch
12win-22H2-fix.patch
diff --git a/debian/patches/win-22H2-fix.patch b/debian/patches/win-22H2-fix.patch
12new file mode 10064413new file mode 100644
index 0000000..615ab44
--- /dev/null
+++ b/debian/patches/win-22H2-fix.patch
@@ -0,0 +1,294 @@
1From 5b7d8363ce6a3ac8bcec707c4fe318770213dc32 Mon Sep 17 00:00:00 2001
2From: Joseph Sutton <josephsutton@catalyst.net.nz>
3Date: Tue, 4 Oct 2022 12:25:08 +1300
4Subject: [PATCH 1/3] tests/krb5: Add test requesting a service ticket expiring
5 post-2038
6
7Windows 11 22H2 performs such requests, with year 9999.
8The test fails with KDC_ERR_BAD_INTEGRITY on older
9Heimdal versions, which are unable to verify a checksum
10over the modified request body (due to a re-encoding failure).
11
12REF: https://github.com/heimdal/heimdal/issues/1011
13
14BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
15
16[abartlet@samba.org Add knownfail for backport - as Samba
17 4.15 and earlier fail this test, adapted commit
18 67811e121fbef08337675d473390160793544719 to test
19 paraemters in 4.15]
20
21Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
22Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
23(backported from commit 67811e121fbef08337675d473390160793544719)
24
25Origin: https://attachments.samba.org/attachment.cgi?id=17595
26Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934
27Last-Update: 2022-11-08
28---
29 python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++
30 selftest/knownfail.d/windows11-22h2 | 2 ++
31 2 files changed, 16 insertions(+)
32 create mode 100644 selftest/knownfail.d/windows11-22h2
33
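Review bot: the DEP-3 headers (Origin, Bug-Ubuntu, Last-Update) appear only in the header of the first of the three concatenated upstream commits, which is where the patch tooling reads them, so this works; a Description: line covering the whole file (two tests plus the Heimdal KDC change in the third commit) would still help, since the Subject of the first commit only describes a test. The "paraemters" typo in the bracketed note is quoted from the upstream backport and can stay as-is.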
34diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
35index e52f46152fa..a4bc48e587a 100755
36--- a/python/samba/tests/krb5/kdc_tgs_tests.py
37+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
38@@ -2099,6 +2099,18 @@ class KdcTgsTests(KDCBaseTest):
39 self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
40 KDC_ERR_C_PRINCIPAL_UNKNOWN))
41
42+ # Test making a TGS request for a ticket expiring post-2038.
43+ def test_tgs_req_future_till(self):
44+ creds = self._get_creds()
45+ tgt = self._get_tgt(creds)
46+
47+ target_creds = self.get_service_creds()
48+ self._tgs_req(
49+ tgt=tgt,
50+ expected_error=0,
51+ target_creds=target_creds,
52+ till='99990913024805Z')
53+
54 def _modify_renewable(self, enc_part):
55 # Set the renewable flag.
56 enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
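Review bot: till='99990913024805Z' with expected_error=0 asserts that the KDC accepts a requested end time far beyond 2038-01-19 (the 32-bit time_t limit); on this 4.15 code base the request fails with KDC_ERR_BAD_INTEGRITY until the krb5.opt change in the third commit lands, which is why the same commit adds the knownfail entry. Because all three commits are applied as one quilt patch, the knownfail file is created here and deleted again in the third commit; keeping it makes the backport match upstream commit by commit, but both halves could be dropped to shrink the diff.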
57@@ -2469,6 +2481,7 @@ class KdcTgsTests(KDCBaseTest):
58 sname=None,
59 srealm=None,
60 use_fast=False,
61+ till=None,
62 expect_claims=True,
63 expect_pac=True,
64 expect_pac_attrs=None,
65@@ -2580,6 +2593,7 @@ class KdcTgsTests(KDCBaseTest):
66 cname=None,
67 realm=srealm,
68 sname=sname,
69+ till_time=till,
70 etypes=etypes,
71 additional_tickets=additional_tickets)
72 if expected_error:
73diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2
74new file mode 100644
75index 00000000000..69980ce763a
76--- /dev/null
77+++ b/selftest/knownfail.d/windows11-22h2
78@@ -0,0 +1,2 @@
79+# This tests shows the new timestamp from Windows 11 22H2 which fails in this version
80+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till
81\ No newline at end of file
82--
832.25.1
84
85
86From e8a1c05847618c1c4b83d92757c928484dc172e9 Mon Sep 17 00:00:00 2001
87From: Joseph Sutton <josephsutton@catalyst.net.nz>
88Date: Thu, 20 Oct 2022 12:36:44 +1300
89Subject: [PATCH 2/3] tests/krb5: Add test requesting a TGT expiring post-2038
90
91This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
92which changed to use a year 9999 date for a forever timetime in
93tickets.
94
95BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
96
97Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
98Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
99
100Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
101Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
102
103(backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
104
105[abartlet@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
106 as the kerberos tests have changed parameters in newer versions
107 breaking the context]
108---
109 python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++--
110 1 file changed, 11 insertions(+), 2 deletions(-)
111
112diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
113index 054a49b64aa..aa4bc2370c4 100755
114--- a/python/samba/tests/krb5/as_req_tests.py
115+++ b/python/samba/tests/krb5/as_req_tests.py
116@@ -42,7 +42,7 @@ global_hexdump = False
117
118 class AsReqBaseTest(KDCBaseTest):
119 def _run_as_req_enc_timestamp(self, client_creds, sname=None,
120- expected_error=None):
121+ expected_error=None, till=None):
122 client_account = client_creds.get_username()
123 client_as_etypes = self.get_default_enctypes()
124 client_kvno = client_creds.get_kvno()
125@@ -62,7 +62,8 @@ class AsReqBaseTest(KDCBaseTest):
126 expected_sname = sname
127 expected_salt = client_creds.get_salt()
128
129- till = self.get_KerberosTime(offset=36000)
130+ if till is None:
131+ till = self.get_KerberosTime(offset=36000)
132
133 initial_etypes = client_as_etypes
134 initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
135@@ -241,6 +242,14 @@ class AsReqKerberosTests(AsReqBaseTest):
136 sname=wrong_krbtgt_princ,
137 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
138
139+ # Test that we can make a request for a ticket expiring post-2038.
140+ def test_future_till(self):
141+ client_creds = self.get_client_creds()
142+
143+ self._run_as_req_enc_timestamp(
144+ client_creds,
145+ till='99990913024805Z')
146+
147
148 if __name__ == "__main__":
149 global_asn1_print = False
150--
1512.25.1
152
153
154From 7bcbe9428438ee9fed60af133b1863e150001d35 Mon Sep 17 00:00:00 2001
155From: Luke Howard <lukeh@padl.com>
156Date: Thu, 20 Oct 2022 13:27:31 +1300
157Subject: [PATCH 3/3] kdc: avoid re-encoding KDC-REQ-BODY
158
159Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
160re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
161
162[abartlet@samba.org adapted from Heimdal commit
163 ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
164 by removing references to FAST and GSS-pre-auth.
165
166 This fixes the Windows 11 22H2 issue with TGS-REQ
167 as seen at https://github.com/heimdal/heimdal/issues/1011 and so
168 removes the knownfail file for this test]
169
170BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
171
172Signed-off-by: Andrew Bartlett <abartlet@samba.org>
173---
174 selftest/knownfail.d/windows11-22h2 | 2 --
175 source4/heimdal/kdc/krb5tgs.c | 24 ++----------------------
176 source4/heimdal/kdc/pkinit.c | 16 ++--------------
177 source4/heimdal/lib/asn1/krb5.opt | 1 +
178 4 files changed, 5 insertions(+), 38 deletions(-)
179 delete mode 100644 selftest/knownfail.d/windows11-22h2
180
181diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2
182deleted file mode 100644
183index 69980ce763a..00000000000
184--- a/selftest/knownfail.d/windows11-22h2
185+++ /dev/null
186@@ -1,2 +0,0 @@
187-# This tests shows the new timestamp from Windows 11 22H2 which fails in this version
188-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till
189\ No newline at end of file
190diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
191index 15be136496f..fa7755a4e3d 100644
192--- a/source4/heimdal/kdc/krb5tgs.c
193+++ b/source4/heimdal/kdc/krb5tgs.c
194@@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context,
195 krb5_keyblock *key)
196 {
197 krb5_authenticator auth;
198- size_t len = 0;
199- unsigned char *buf;
200- size_t buf_size;
201 krb5_error_code ret;
202 krb5_crypto crypto;
203
204@@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context,
205 goto out;
206 }
207
208- /* XXX should not re-encode this */
209- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
210- if(ret){
211- const char *msg = krb5_get_error_message(context, ret);
212- kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
213- krb5_free_error_message(context, msg);
214- goto out;
215- }
216- if(buf_size != len) {
217- free(buf);
218- kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
219- *e_text = "KDC internal error";
220- ret = KRB5KRB_ERR_GENERIC;
221- goto out;
222- }
223 ret = krb5_crypto_init(context, key, 0, &crypto);
224 if (ret) {
225 const char *msg = krb5_get_error_message(context, ret);
226- free(buf);
227 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
228 krb5_free_error_message(context, msg);
229 goto out;
230@@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context,
231 ret = krb5_verify_checksum(context,
232 crypto,
233 KRB5_KU_TGS_REQ_AUTH_CKSUM,
234- buf,
235- len,
236+ b->_save.data,
237+ b->_save.length,
238 auth->cksum);
239- free(buf);
240 krb5_crypto_destroy(context, crypto);
241 if(ret){
242 const char *msg = krb5_get_error_message(context, ret);
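Review bot: the checksum is now verified over b->_save.data / b->_save.length, which the generated decoder only fills in for a KDC_REQ_BODY decoded with --preserve-binary in effect; it is worth confirming that every caller of tgs_check_authenticator passes the body as decoded from the wire rather than a locally built copy, since with an unset _save the verification would run over a zero-length buffer and fail with a misleading integrity error instead of a clear one. Verifying over the bytes the client actually protected, rather than a fresh encoding, is the right fix: it removes the dependency on the encoder round-tripping every value (here a year-9999 till) and retires the "Internal error in ASN.1 encoder" path along with it.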
243diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
244index ad7f3efc10a..64ea4c00e41 100644
245--- a/source4/heimdal/kdc/pkinit.c
246+++ b/source4/heimdal/kdc/pkinit.c
247@@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context,
248 PKAuthenticator *a,
249 const KDC_REQ *req)
250 {
251- u_char *buf = NULL;
252- size_t buf_size;
253 krb5_error_code ret;
254- size_t len = 0;
255 krb5_timestamp now;
256 Checksum checksum;
257
258@@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context,
259 return KRB5KRB_AP_ERR_SKEW;
260 }
261
262- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
263- if (ret) {
264- krb5_clear_error_message(context);
265- return ret;
266- }
267- if (buf_size != len)
268- krb5_abortx(context, "Internal error in ASN.1 encoder");
269-
270 ret = krb5_create_checksum(context,
271 NULL,
272 0,
273 CKSUMTYPE_SHA1,
274- buf,
275- len,
276+ req->req_body._save.data,
277+ req->req_body._save.length,
278 &checksum);
279- free(buf);
280 if (ret) {
281 krb5_clear_error_message(context);
282 return ret;
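Review bot: same pattern as krb5tgs.c: the PKAuthenticator checksum (still CKSUMTYPE_SHA1) is now computed over req->req_body._save instead of a re-encoding, and the krb5_abortx() on an encoder size mismatch goes away with it, which is an improvement since aborting the KDC process on an unusual request was a harsh failure mode. One thing to keep in mind is lifetime: _save points into the decoded request, so req must remain valid for the duration of this call, which holds here because req is passed in by the caller.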
283diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt
284index 1d6d5e8989f..5acc596d39c 100644
285--- a/source4/heimdal/lib/asn1/krb5.opt
286+++ b/source4/heimdal/lib/asn1/krb5.opt
287@@ -4,3 +4,4 @@
288 --sequence=METHOD-DATA
289 --sequence=ETYPE-INFO
290 --sequence=ETYPE-INFO2
291+--preserve-binary=KDC-REQ-BODY
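Review bot: --preserve-binary=KDC-REQ-BODY makes the ASN.1 compiler add a _save heim_octet_string member to the generated KDC_REQ_BODY and have the decoder store the original encoding there, which is what the two kdc changes above read; the generated copy and free functions take care of the new member. Since source4/heimdal is built in-tree with the ASN.1 compiler run at build time, the main thing to confirm is that the build regenerates the krb5 ASN.1 output so no stale generated header with the old struct layout is used.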
292--
2932.25.1
294
