Bug 10316 - CVE-2013-4408 regression
Status: REOPENED
Product: Samba 4.0
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.0.0
Hardware/OS: x64 Linux
Importance: P5 critical
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2013-12-10 19:30 UTC by Nate Huffnagle
Modified: 2014-02-13 09:22 UTC

Description Nate Huffnagle 2013-12-10 19:30:13 UTC
Latest December 9th update broke our AD authentication, rolling back to the previous version fixed AD auth.

SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS

Joined 'VSURFDATA' to realm 'AD.UCSD.EDU'
DNS Update for vsurfdata.ucsd.edu failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

yum downgrade fixes the issue.
Previous version that works:
Version 4.0.0rc4

From the redhat rhel-6 updates:
---> Package samba4.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-client.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-client.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-common.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-common.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-dc.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-dc.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-dc-libs.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-dc-libs.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-devel.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-devel.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-libs.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-libs.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-pidl.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-pidl.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-python.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-python.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-swat.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-swat.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-test.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-test.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-winbind.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-winbind.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-winbind-clients.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-winbind-clients.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
---> Package samba4-winbind-krb5-locator.x86_64 0:4.0.0-58.el6.rc4 will be updated
---> Package samba4-winbind-krb5-locator.x86_64 0:4.0.0-60.el6_5.rc4 will be an update
Comment 1 Kristaps Tigeris 2014-01-21 13:15:00 UTC
Is this bug being worked on? Not seeing any updates. Just encountered this myself, here are some console outputs:

[root@lxapp128 ~]# wbinfo -t
checking the trust secret for domain RDML via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

[root@lxapp128 ~]# wbinfo -a user
Enter user's password:
plaintext password authentication failed
Could not authenticate user user with plaintext password
Enter user's password:
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user ktigeris with challenge/response

[root@lxapp128 ~]# wbinfo -K user
Enter user's password:
plaintext kerberos password authentication for [user] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

wbinfo -u successfully lists all Active Directory users.
getent passwd also successfully lists all users, both local and AD.

samba4 packages installed:
[root@lxapp128 ~]# rpm -qa | grep samba
samba4-common-4.0.0-60.el6_5.rc4.x86_64
samba4-libs-4.0.0-60.el6_5.rc4.x86_64
samba4-winbind-4.0.0-60.el6_5.rc4.x86_64
samba4-client-4.0.0-60.el6_5.rc4.x86_64
samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64

After performing this:
[root@lxapp128 ~]# yum downgrade samba4-common samba4-winbind-clients samba4-libs samba4-client samba4-winbind

Then everything works without issues, packages get downgraded to 4.0.0-58.

Also, I'm running on CentOS 6.5.

I don't know what happens if you try joining AD with version 4.0.0-60; in my case I already had everything joined to AD when performing the update.
Comment 2 Richard Scott 2014-02-12 11:05:07 UTC
(In reply to comment #0)
> I don't know what happens if you try joining AD with version 4.0.0-60, in my
> case I already have all joined to AD when performing update

If you use v4.0.0-60 on a new system you can join AD but any winbind services don't work.

I can also confirm that after downgrading to v4.0.0-58 everything works again.

Where is the change log between patch 58 and patch 60? This now makes Samba4 unusable with AD Authentication.

Rich
Comment 3 Nate Huffnagle 2014-02-12 19:52:39 UTC
I might add that I have configured special share conditions to limit access to the different shares:

 valid users = +AD\ccelter

[ccelter]
 comment = ccelter
 path = /vdata/project/ccelter
 browsable = Yes
 writeable = yes
 inherit permissions = no
 create mask = 0664
 dos filemode = yes
 directory mask = 0775
 oplocks = yes
 strict locking = no
 force group = ccelter
 valid users = +AD\ccelter

This is the only difference between a server that works and one that does not work with AD authentication.
Comment 4 Andrew Bartlett 2014-02-12 20:24:15 UTC
If you have issues with the differences between Red Hat patch releases on RHEL, you need to address these to Red Hat, via your support subscription. 

We really can't help here.

Sorry,
Comment 5 Andrew Bartlett 2014-02-12 20:26:17 UTC
When someone works out what in the patches causes the issue (you rebuild and try them one by one, or Red Hat support indicates the specific issue), and reproduces this on upstream Samba, we will be very happy to address this in upstream Samba, but for now I'm going to close this off as INVALID.

Sorry,
Comment 6 Nate Huffnagle 2014-02-12 21:23:21 UTC
u sck..
Comment 7 Richard Scott 2014-02-12 21:41:22 UTC
Even the latest 4.1.7 package from EnterpriseSamba.com suffers the same problem so I'm not sure its a RedHat fault.
Comment 8 Andrew Bartlett 2014-02-12 21:56:44 UTC
As I said, please reproduce on a current Samba release, or even better isolate it down to the specific additional patch that is being applied, and test that reverted on top of a current release.  That would make it much easier to isolate the issue.
Comment 9 Richard Scott 2014-02-12 22:02:47 UTC
The RPM of Samba v4.1.4 from Enterprise Samba also has this problem... I have found from a quick google that the 4.0.0-60 release applied one patch for this:

http://www.samba.org/samba/security/CVE-2013-4408

Info found here:
http://linuxsoft.cern.ch/cern/slc65/x86_64/yum/updates/repoview/samba4.html

I'm assuming this code is also in the latest release too??
Comment 10 Richard Scott 2014-02-13 09:22:05 UTC
I get lots of this in my logs:

cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX

Reported by winbindd when run as 'winbindd -SFd9'
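The wbinfo output in comment 1 and the 'winbindd -SFd9' log line in comment 10 are the kind of evidence the maintainers ask for in comments 5 and 8 before a regression can be tied to a specific patch. The following triage helper is an added example, not code from Samba or from anyone in this thread: it pulls every NT_STATUS code (with its hex value, where the log prints one) out of a winbindd or wbinfo capture and reports which stage of the domain-controller conversation failed first, so that a "cli_negprot failed" (SMB protocol negotiation, before any RPC is attempted) is not misread as an authentication problem. The SAMPLE_LOG is constructed from the lines quoted in this bug, not a real capture; the stage labels are this example's own mapping of log prefixes to protocol steps.

```python
import re
import sys

# Constructed sample modelled on the wbinfo and winbindd lines quoted in
# bug 10316; not a real capture.
SAMPLE_LOG = """\
checking the trust secret for domain RDML via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX
cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX
plaintext kerberos password authentication for [user] succeeded (requesting cctype: FILE)
"""

# An NT_STATUS symbol, optionally followed by its hex value in parentheses,
# e.g. "NT_STATUS_NO_LOGON_SERVERS (0xc000005e)".
STATUS_RE = re.compile(r"(NT_STATUS_[A-Z0-9_]+)(?:\s*\((0x[0-9a-fA-F]{8})\))?")

# Stages of winbindd's conversation with a DC, earliest in protocol order
# first, keyed by the text the log shows when that stage fails. This mapping
# is an assumption of this example, not a Samba-defined table.
STAGES = [
    ("cli_negprot failed", "SMB protocol negotiation"),
    ("wbcCheckTrustCredentials", "trust-account secret check over RPC"),
    ("challenge/response password authentication failed",
     "challenge/response (NTLM) authentication"),
]


def summarize_statuses(log_text):
    """Return {status_name: (count, hex_code_or_None, first_line_number)}.

    Insertion order follows first appearance in the log, so iterating the
    result replays the failure sequence.
    """
    summary = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name, hexcode in STATUS_RE.findall(line):
            count, known_hex, first = summary.get(name, (0, None, lineno))
            # Keep the first hex value seen; some lines print the symbol only.
            summary[name] = (count + 1, known_hex or hexcode or None, first)
    return summary


def earliest_failed_stage(log_text):
    """Return the label of the earliest protocol stage that failed, or None.

    "Earliest" is protocol order (STAGES), not log order: if negprot never
    succeeded, later RPC and logon failures are consequences, not causes.
    """
    for needle, label in STAGES:
        if needle in log_text:
            return label
    return None


def report(log_text):
    """Build a short human-readable triage summary as a list of lines."""
    lines = []
    stage = earliest_failed_stage(log_text)
    lines.append("earliest failed stage: %s" % (stage or "none detected"))
    for name, (count, hexcode, first) in summarize_statuses(log_text).items():
        lines.append("%-42s x%d  %s  (first at line %d)"
                     % (name, count, hexcode or "no hex in log", first))
    return lines


if __name__ == "__main__":
    # Usage: winbindd -SFd9 2>&1 | tee winbindd.log; python triage.py winbindd.log
    # With no argument the constructed SAMPLE_LOG is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run against a real capture of 'winbindd -SFd9', the summary tells you whether to chase the patch in the SMB negotiation path or in RPC/logon handling, which is the bisection step comment 8 asks for.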