Merge ~ahasenack/ubuntu/+source/samba:bionic-samba-win-22h2-fixes into ubuntu/+source/samba:ubuntu/bionic-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 9c9fd2b4a0ecb22056514859d881af63ddb0943e
Proposed branch: ~ahasenack/ubuntu/+source/samba:bionic-samba-win-22h2-fixes
Merge into: ubuntu/+source/samba:ubuntu/bionic-devel
Diff against target: 168 lines (+146/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/win-22H2-fix.patch (+138/-0)
Reviewers:
- git-ubuntu bot: Approve
- Lucas Kanashiro (community): Approve
- Canonical Server Reporter: Pending
Review via email: mp+432768@code.launchpad.net

Description of the change

Fix for Windows 11 22H2 failing to join a Samba AD DC domain. The linked SRU bug has a test plan and more details on the bug.

If you want to follow that test plan, we have the necessary VM created on diglett. You can point virt-manager at qemu+ssh://<youruser>@diglett/system and see:

- win11H22: the Windows 11 22H2 VM that shows the bug. Creds: ubuntu_local/Passw0rd!ub (is an admin) for when NOT joined to a domain. This is on DHCP, current IP is 10.0.18.201 and RDP is enabled.
Note that after joining the domain, RDP access is cut off. You have to log in as Administrator and allow the "Domain Users" group to use RDP. I didn't find a way to allow this from the samba AD DC, but didn't search really hard.

Ubuntu VMs, where you can (re)install samba packages at will. They are pointing at my PPA with the fix, so if you want to see the bug, you have to downgrade them to the non-ppa version. These all can be logged in via the virt-manager console, creds ubuntu/ubuntu, and from there you can ssh-import your key.
- ad: jammy AD. Fixed IP at 10.0.18.5
- b-ad: bionic AD. Fixed IP at 10.0.18.3
- f-ad: focal AD. Fixed IP at 10.0.18.2

Libvirt network: 10.0.18.0/24

If you want, we can have a hangout where I can show all of this.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-22h2/

Lucas Kanashiro (lucaskanashiro) wrote :

I did not test the feature itself but I see you got some good feedback on the bug. The packaging changes LGTM.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded:

Uploading samba_4.7.6+dfsg~ubuntu-0ubuntu2.29.dsc
Uploading samba_4.7.6+dfsg~ubuntu-0ubuntu2.29.debian.tar.xz
Uploading samba_4.7.6+dfsg~ubuntu-0ubuntu2.29_source.buildinfo
Uploading samba_4.7.6+dfsg~ubuntu-0ubuntu2.29_source.changes

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index c853f9d..824c9d2 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.29) bionic; urgency=medium
7+
8+ * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
9+ clients (LP: #1993934)
10+
11+ -- Andreas Hasenack <andreas@canonical.com> Wed, 09 Nov 2022 11:42:14 -0300
12+
13 samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.28) bionic-security; urgency=medium
14
15 * SECURITY UPDATE: code exec via out-of-bounds read/write in vfs_fruit
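Review bot: The new changelog entry names the affected clients only as "Windows 22H2" and does not say what was failing. The merge description and the patch header both refer to Windows 11 22H2, and the symptom is a failed join to a Samba AD DC domain caused by the TGS-REQ issue. Wording the entry along the lines of "fix domain join failure with Windows 11 22H2 clients" would let someone reading only the changelog identify the release and the operation affected.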
16diff --git a/debian/patches/series b/debian/patches/series
17index 90fb827..507126f 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -171,3 +171,4 @@ CVE-2021-44142-3.patch
21 CVE-2021-44142-4.patch
22 CVE-2021-44142-5.patch
23 CVE-2021-44142-6.patch
24+win-22H2-fix.patch
25diff --git a/debian/patches/win-22H2-fix.patch b/debian/patches/win-22H2-fix.patch
26new file mode 100644
27index 0000000..b92d37f
28--- /dev/null
29+++ b/debian/patches/win-22H2-fix.patch
30@@ -0,0 +1,138 @@
31+From 56c949d2764b69050bc441bec68008f4a046f1d3 Mon Sep 17 00:00:00 2001
32+From: Luke Howard <lukeh@padl.com>
33+Date: Thu, 20 Oct 2022 13:27:31 +1300
34+Subject: [PATCH 3/3] kdc: avoid re-encoding KDC-REQ-BODY
35+
36+Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
37+re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
38+
39+[abartlet@samba.org adapted from Heimdal commit
40+ ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
41+ by removing references to FAST and GSS-pre-auth.
42+
43+ This fixes the Windows 11 22H2 issue with TGS-REQ
44+ as seen at https://github.com/heimdal/heimdal/issues/1011 and so
45+ removes the knownfail file for this test]
46+
47+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
48+
49+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
50+
51+Ubuntu backport note: removed diff for files that do not exist in this version
52+
53+Origin: backport, https://bugzilla.samba.org/attachment.cgi?id=17596
54+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934
55+Last-Update: 2022-11-09
56+---
57+ selftest/knownfail.d/windows11-22h2 | 2 --
58+ source4/heimdal/kdc/krb5tgs.c | 24 ++----------------------
59+ source4/heimdal/kdc/pkinit.c | 16 ++--------------
60+ source4/heimdal/lib/asn1/krb5.opt | 1 +
61+ 4 files changed, 5 insertions(+), 38 deletions(-)
62+ delete mode 100644 selftest/knownfail.d/windows11-22h2
63+
64+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
65+index 13996f96b4a..f1393fa87a1 100644
66+--- a/source4/heimdal/kdc/krb5tgs.c
67++++ b/source4/heimdal/kdc/krb5tgs.c
68+@@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context,
69+ krb5_keyblock *key)
70+ {
71+ krb5_authenticator auth;
72+- size_t len = 0;
73+- unsigned char *buf;
74+- size_t buf_size;
75+ krb5_error_code ret;
76+ krb5_crypto crypto;
77+
78+@@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context,
79+ goto out;
80+ }
81+
82+- /* XXX should not re-encode this */
83+- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
84+- if(ret){
85+- const char *msg = krb5_get_error_message(context, ret);
86+- kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
87+- krb5_free_error_message(context, msg);
88+- goto out;
89+- }
90+- if(buf_size != len) {
91+- free(buf);
92+- kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
93+- *e_text = "KDC internal error";
94+- ret = KRB5KRB_ERR_GENERIC;
95+- goto out;
96+- }
97+ ret = krb5_crypto_init(context, key, 0, &crypto);
98+ if (ret) {
99+ const char *msg = krb5_get_error_message(context, ret);
100+- free(buf);
101+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
102+ krb5_free_error_message(context, msg);
103+ goto out;
104+@@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context,
105+ ret = krb5_verify_checksum(context,
106+ crypto,
107+ KRB5_KU_TGS_REQ_AUTH_CKSUM,
108+- buf,
109+- len,
110++ b->_save.data,
111++ b->_save.length,
112+ auth->cksum);
113+- free(buf);
114+ krb5_crypto_destroy(context, crypto);
115+ if(ret){
116+ const char *msg = krb5_get_error_message(context, ret);
117+diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
118+index ad7f3efc10a..64ea4c00e41 100644
119+--- a/source4/heimdal/kdc/pkinit.c
120++++ b/source4/heimdal/kdc/pkinit.c
121+@@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context,
122+ PKAuthenticator *a,
123+ const KDC_REQ *req)
124+ {
125+- u_char *buf = NULL;
126+- size_t buf_size;
127+ krb5_error_code ret;
128+- size_t len = 0;
129+ krb5_timestamp now;
130+ Checksum checksum;
131+
132+@@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context,
133+ return KRB5KRB_AP_ERR_SKEW;
134+ }
135+
136+- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
137+- if (ret) {
138+- krb5_clear_error_message(context);
139+- return ret;
140+- }
141+- if (buf_size != len)
142+- krb5_abortx(context, "Internal error in ASN.1 encoder");
143+-
144+ ret = krb5_create_checksum(context,
145+ NULL,
146+ 0,
147+ CKSUMTYPE_SHA1,
148+- buf,
149+- len,
150++ req->req_body._save.data,
151++ req->req_body._save.length,
152+ &checksum);
153+- free(buf);
154+ if (ret) {
155+ krb5_clear_error_message(context);
156+ return ret;
157+diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt
158+index 1d6d5e8989f..5acc596d39c 100644
159+--- a/source4/heimdal/lib/asn1/krb5.opt
160++++ b/source4/heimdal/lib/asn1/krb5.opt
161+@@ -4,3 +4,4 @@
162+ --sequence=METHOD-DATA
163+ --sequence=ETYPE-INFO
164+ --sequence=ETYPE-INFO2
165++--preserve-binary=KDC-REQ-BODY
166+--
167+2.25.1
168+
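Review bot: In both tgs_check_authenticator() and pk_check_pkauthenticator() the checksum input is now b->_save.data / req->req_body._save.data, used with no check that the preserved encoding is present, whereas the removed code had explicit error paths around the buffer it built. If _save were ever empty (for example, a body that did not come straight from the decoder), the checksum would be computed over zero bytes rather than failing cleanly. A short guard that returns KRB5KRB_ERR_GENERIC when _save.length is 0, or at least a comment stating that the body always comes from the decoder, would make that invariant visible. These fields depend on the --preserve-binary=KDC-REQ-BODY line added to krb5.opt, so the code changes and the option must stay together in any further backport. Separately, the Ubuntu backport note says diffs for files missing in this version were removed, but the diffstat still lists selftest/knownfail.d/windows11-22h2 and "4 files changed" while only three files carry hunks, and the subject is "[PATCH 3/3]" without saying whether 1/3 and 2/3 are needed on bionic; naming the dropped file and the status of the other two patches in the header would help the next person who refreshes this patch.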
