Created attachment 10637 [details] Wireshark capture between Samba and Windows Server
Hi, I have a problem with MS Remote Desktop. I cannot connect to Windows Server 2012 R2 (win2012r2) via RDP from Windows 8.1 (win8.1). win2012r2 has been joined to the AD domain created by Samba. win8.1 is not a domain computer. This is the same problem as reported on the Samba mailing list (https://lists.samba.org/archive/samba/2014-May/181303.html). This occurs in Samba 4.2.0rc2 or later. In Samba 4.1.16, the problem does not happen. I captured some packets and found out that authentication succeeded. But after that, the logon process hangs in WINREG or SMB2 packets (Wireshark frames 149-154). When I kill the smbd process which connects to win2012r2 in that state, the logon process continues and I get successfully logged on with RDP.
My test environment:
* Samba
  - OS: CentOS 7 (3.10.0-123.13.2.el7.x86_64)
  - Samba version: 4.2.0rc3
  - IP address: 192.168.12.1
* win2012r2
  - OS: Windows Server 2012 R2
  - IP address: 192.168.12.80
  - RDP server
* win8.1
  - OS: Windows 8.1
  - IP address: 192.168.12.215
  - RDP client
Thanks,
Same here, RDP can logon if just 4.1 DCs are available, but if I turn on my 4.2 DC and it is selected as the logon server, the logon hangs at "Welcome". No issues with DNS. Like other users, if I kill the samba process, the logon continues. I notice that the RDSH attributes are now being written to Active Directory, previously they would fail to be written and an error reported in the error log saying the RDSH could not write RD licence attributes to Active Directory. Don't know if that has something to do with it...
I've also suffered from this issue. It seems to be related to the winbind/winbindd rewrite. However, reactivating the old code path with "server services = +winbind -winbindd" fixes this issue. Regards, Henning
(In reply to Henning Becker from comment #2) I have to take it back. It just worked once... I'm sorry, Henning
On 2015-04-08 at 19:13 +0000 samba-bugs@samba.org sent off:
> I have to take it back. It just worked once...
you mean it suddenly started to work always? or you mean it worked once (like one time, and then not any more)?
Hi, I am also having the same problem: the remote desktop session hangs at the "welcome" screen, and I forcefully downgraded to Samba 4.1. If the samba process is killed, then the remote login continues. I tried the +winbind =winbindd option, to no avail. Can you please help me with this? Vijay
Still not working as of Samba 4.2.1
I'm sorry to say, but regarding 4.2.1 that is expected, I've only just started to look into this, and 4.2.1 froze over a week ago.
A set of Samba logs correlated with a matching network trace may well be helpful - as I can't work out what the failing packet might be in the trace alone. Also include, the exact time the logon failed. Thanks!
Connecting over RDP from Linux to Windows 8.1 doesn't work (using Remmina Remote Desktop Client). I'll build a Windows 2012R2 member server and see if that is any different. Thanks for your patience here!
Confirming bug, when using console or rdesktop.org:
* Local account will log in, if domain account has never been tried since reboot
* Domain account locks up the login system and no users can login after a failed Domain login attempt.
- Windows Server 2012R2
Can you give me more details?
- Administrator vs not administrator?
- exact rdesktop.org command?
- any other details?
I can't reproduce it using Remmina right now, but that may be some unrelated issue. rdesktop is giving me:
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Failed to connect, CredSSP required by server.
I've also been testing from a Remote desktop client installed on a domain member Win8.1, and tested with Samba 4.1 (I was using master previously). I still can't reproduce this issue. It may help for someone who can reproduce this at will, to do a git bisect between current v4-2-test and when we branched v4-1-test (4.1rc1), to understand when this broke, as that may give us more clues than I have right now.
I will be glad to test, given directions on which git branch to test. I have the following three computers:
1. Samba AD DC, fresh install with 4.2.1 release. Configured AD Domain with 'samba-tool domain provision --use-rfc2307 --interactive'
2. New image of Windows 2012R2 from OpenStack: http://www.cloudbase.it/ws2012r2/
3. Fedora 20, using rdesktop.org v1.8.3
I am currently running fine with Samba v4.1.17
Revisions used for bisecting:
good v4-1-stable
bad v4-2-stable
After a couple of tests...
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7daa4b94fa6299d6e1788c93ed8ff0b4c4023b40] s3-rpc_server: Add make_internal_rpc_pipe_socketpair().
root@dc4:~/src/samba.mirror#
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b8e07323c985c4b797c2d31bf91af3f9a9471052] s3-rpc_server: Use make_internal_rpc_pipe_socketpair().
root@dc4:~/src/samba.mirror#
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4498d07e7355a0ec8b96f7f9138d8321b15bef55] s3-rpc_server: Pass the server event context to np_open().
Is this enough? I don't know... First time using bisecting... schnaggy:-)
Continued testing: good v4-1-test bad v4-2-test Not up to speed on bisecting. Need to learn more git.
Here is the last step:
b8e07323c985c4b797c2d31bf91af3f9a9471052 is the first bad commit
commit b8e07323c985c4b797c2d31bf91af3f9a9471052
Author: Andreas Schneider <asn@samba.org>
Date: Wed Oct 23 17:04:12 2013 +0200
    s3-rpc_server: Use make_internal_rpc_pipe_socketpair().
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
:040000 040000 ce2341464794420becbb98a9ed0512f3962ab2f6 66e9448442377cd599f1b9463eacbb8127e3be88 M source3
Hope it helps... Cheers, schnaggy:-)
Can you try setting in your smb.conf:
rpc_server:winreg = external
That will use a different registry server, and that one won't use the internal named pipe proxy that seems to have locked up here. It isn't a solution (probably will break printing), but it might confirm the bisect result.
Hi Andrew, I checked out b8e07323c985c4b797c2d31bf91af3f9a9471052 and built. Modified smb.conf with rpc_server:winreg = external. (samba-tool testparm showed this parameter) -> The remote Login still got hung up. Did I make any mistakes? schnaggy:-)
I would say you made a mistake while bisecting.
Hhhmmm, another try: finding two commits, one good one bad:
good is 4498d07e7355a0ec8b96f7f9138d8321b15bef55
bad is b8e07323c985c4b797c2d31bf91af3f9a9471052
(Verified via building and starting a RDP connection.)
Start bisecting:
root@dc4:~/src/samba.mirror# git bisect good 4498d07e7355a0ec8b96f7f9138d8321b15bef55
root@dc4:~/src/samba.mirror# git bisect bad b8e07323c985c4b797c2d31bf91af3f9a9471052
b8e07323c985c4b797c2d31bf91af3f9a9471052 is the first bad commit
commit b8e07323c985c4b797c2d31bf91af3f9a9471052
Author: Andreas Schneider <asn@samba.org>
Date: Wed Oct 23 17:04:12 2013 +0200
    s3-rpc_server: Use make_internal_rpc_pipe_socketpair().
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
:040000 040000 ce2341464794420becbb98a9ed0512f3962ab2f6 66e9448442377cd599f1b9463eacbb8127e3be88 M source3
root@dc4:~/src/samba.mirror# git bisect reset
Maybe this is not the only change which made this RDP behaviour, because:
1.) Login via RDP -> hangs
2.) kill samba -> login continues
3.) start samba again
4.) Logout
5.) Login via RDP again -> success
6.) Logout
7.) Login via RDP -> hangs
...
Maybe there were some other correlated changes before b8e07323c985c4b797c2d31bf91af3f9a9471052? schnaggy:-)
Created attachment 10981 [details] RDP Hangs @ welcome screen
Created attachment 10982 [details] Login contnues after restarting samba process
It might be worth trying the NTVFS file server. Run with this in the smb.conf:
server services = +smb -s3fs
That will mean that the named pipe handler the bisect indicates will be skipped, which may help show that that indeed is the issue.
Hi Andrew. Confirmed: With smb and without s3fs services the rdp login works on git version b8e07323c985c4b797c2d31bf91af3f9a9471052. schnaggy:-)
Used below config in 4.3.0, and RDP is working now. Will test some more. Thanks much for a fix.
[root@mydc01 bin]# /usr/local/samba/sbin/samba -V
Version 4.3.0pre1-GIT-2e2ff8b
[root@mydc01 bin]# pwd
/usr/local/samba/bin
[root@mydc01 bin]# grep -i server ../etc/smb.conf
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, smb
[root@mydc01 bin]#
But now, sysvol and netlogon shares are not accessible from workstations.
Rechecked, with s3fs it's working, but not with smb.
Correct, it is expected that this would break other things, like sysvol. The data point is however very helpful in isolating it, and I think does strongly suggest the indicated commit is indeed the regression. Using the ntvfs file server is not a long term solution, but in the short term it may be enough to reset the acls with 'samba-tool ntacl sysvolreset --use-ntvfs'
I would say a log level 10 of smbd (s3fs) is needed to see what is going on ...
Ok, will try to get it. May I know if you foresee any other issues if I change it to smb from s3fs?
(In reply to Vijay from comment #30) Using the ntvfs file server (called smb in server services) is not a long term solution, and in any case won't give us the logs we need to fix this.
Created attachment 10999 [details] please ignore
Created attachment 11000 [details] log.samba RDP Loglevel10
Created attachment 11001 [details] log.smbd RDP Loglevel10
Hi *, two gzipped logfiles at Loglevel10:
- Startup samba
- Started RDP Connection -> hanging
- Restarted samba at 09:40
- RDP Connection succeeded
- Logout from RDP Connection
- Shutdown samba
Samba build from git version b8e07323c985c4b797c2d31bf91af3f9a9471052.
Could you try with reverting the following change?
commit 52ccd28ca75bef4f7ac2489389a5aebf5db2b34a
Author: Stefan Metzmacher <metze@samba.org>
AuthorDate: Thu Jan 30 12:52:34 2014 +0100
Commit: Günther Deschner <gd@samba.org>
CommitDate: Thu Feb 13 11:54:16 2014 +0100
    s3:dcerpc_ep: make use of dcerpc_binding helper functions
    We should not dereference 'struct dcerpc_binding'.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
LSASD daemon does not complete its initialization with the change of 52ccd28ca75bef4f7ac2489389a5aebf5db2b34a and that causes also FreeIPA to fail in Fedora 22 (where we rebased to Samba 4.2). See my analysis in https://bugzilla.redhat.com/show_bug.cgi?id=1217346
If reverting the change in comment #36 doesn't fix the problem, please also try to revert:
commit 017338a180c87e938af5215720bf59610f4ddbb1
Author: Stefan Metzmacher <metze@samba.org>
AuthorDate: Thu Jan 23 12:13:14 2014 +0100
Commit: Günther Deschner <gd@samba.org>
CommitDate: Thu Feb 13 11:54:14 2014 +0100
    librpc/rpc: set more things via dcerpc_binding_set_string_option()
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
Can affected users please try Samba GIT master and confirm if this problem is still reproduced? Thanks,
Created attachment 11008 [details] logs: loglevel 10. Hai here are some logs. Login RDP around.. Fri May 1 14:22:11 CEST 2015 result : Only Welkom is shown.. no login possible. while still getting the "Welkom" added : auth methods = sam, winbind /etc/init.d/samba-ad-dc force-reload around Fri May 1 14:24:09 CEST 2015 and login proceeded successfully.
Created attachment 11009 [details] logs:Log level 10 Not sure exactly which logs you need so I sent them all. log.marvin is the win7 machine I am trying to rdp to. I started the rdp session at approx 2015/05/01 16:39:06.942091. It displayed the welcome until I restarted samba at 2016/05/01 16:41:46.667856. The rdp session then succeeded.
Hello, I am sad to say that this issue is still present with 4.2.2. I am running Samba on a Debian 8 VM inside of Hyper-V. Firewalls are all off and everything is on the same subnet. Like the others, RDP hangs on welcome screen until Samba is restarted.. If I add the 'auth methods = sam, winbind' it fixes RDP but breaks permissions for domain admins so they CAN'T use ADUC. If I add..
server services = +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc
to smb.conf, RDP and ADUC permissions work, but the internal DNS is broken. Finally I don't know if this helps but WITHOUT the above workarounds, when I run..
smbclient -L localhost -U%
It shows my OS as Windows 6.1?
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.2.2]
Whenever I add the above lines to smb.conf, OS shows as..
Domain=[TEST] OS=[Unix] Server=[Samba 4.2.2]
I hope this helps and I very much look forward to this issue's resolution.. Thanks, Brett
One more thing. I would like to confirm that this issue does not exist in the 4.1.18 version. On the exact same VMs I tested 4.2.2 I ran 'make uninstall', downloaded, compiled, and completely reconfigured 4.1.18 and everything, RDP, internal DNS, permissions, all works as it should. Thanks, Brett
Hi All. Unfortunately, I confirm that this bug is still present in 4.2.2. It has a big impact on the samba 4.2 installation, can you please let us know if it will be addressed in 4.2.3? Thank you!
I realise everyone is very frustrated by this bug. There are two major issues: - I've tried to reproduce the issue locally, but was not able to. - Nobody who can reproduce the issue has tried reverting the patches that Andreas suggests. Sadly without some change on either of these, no future version of Samba 4.2 is likely to fix this. It will be clearly marked in the release notes and on this bug when it has been fixed. I realise the delay here is highly frustrating, if this is impacting seriously on your enterprise, and you are not able to rebuild Samba to test the patches manually, then I can only suggest engaging a commercial support provider to assist: https://www.samba.org/samba/support/globalsupport.html
Hi Andrew, regarding your questions:
1) I've tried to reproduce the issue locally, but was not able to.
I can describe you my scenario and the related issue, so maybe you can try to reproduce:
a) I have an AD domain created with a samba 3 PDC.
b) I want to upgrade to samba 4 (NOTE, I cannot use 4.1.x version as it does not have user lockout mechanism, which is mandatory for us)
c) I do a fresh install of samba 4.2.2 based on the latest release of sernet-samba. This is done on an ubuntu server trusty 14.04
d) the classicupgrade works perfectly fine and I am able to see users and groups
e) when I try to remote desktop to any machine of the domain using a user belonging to the "Remote Desktop users" built in group I get the error: "to log on to this remote computer, you must be granted the Allow Log on trough Terminal Service Rights"
f) same thing happens if I want to join a machine to the domain using a non "domain administrator user"
g) I have opened a support mail in order to get help on this and the answer points to this bug. You can find the full mail thread here: https://lists.samba.org/archive/samba/2015-May/191436.html
It looks like a problem with access to the GPO, like bidirectional access to the sysvol. I have tried all the configurations proposed but none worked. I am happy to give you all the debug and log possible, but please tell me how to enable the debugging and what exactly you need. If possible, please let's work on the sernet-samba packages as we are not allowed to use self compiled code :(
2) Nobody who can reproduce the issue has tried reverting the patches that Andreas suggests.
I can't apply/revert the patches as we are working on the sernet-samba binaries. I am happy to work with you to get it sorted, let me know what we need. Thank you for all your work Andrew! We appreciate your effort on this!!
Hi Andrew, If you can point me toward some instructions on what the 'revert patch' comment entails, I'll give it a shot. Unfortunately I don't really know what that means and googling only leads back to this post. Aside from that I have tried to make this work several times now with new installations and every time is the same result. I can tell you that I start with 2 newly installed VMs. One is Debian 8 where I download, compile, and install Samba to create a test domain using the basic instructions in the wiki. Second is a windows 8.1 VM which joins successfully to the new domain. I then set it up to allow RDP (which works with the local account). Then RDP hangs with domain admin etc. Not sure if that helps but I just wanted to let you know my lab for testing this is as simple as it gets. Again, I am more than happy to help any way I can and thanks for all your efforts.. Brett
Sorry Andrew, I did not know you wanted us to try to revert the patches. I tried git revert 52ccd28c, but when I try to build samba I get the following errors:
[2975/4107] Compiling source3/librpc/rpc/dcerpc_ep.c
../source3/librpc/rpc/dcerpc_ep.c: In function ‘dcerpc_binding_vector_add_np_default’:
../source3/librpc/rpc/dcerpc_ep.c:114:8: error: dereferencing pointer to incomplete type
    if (b->transport != NCACN_NP) {
    ^
../source3/librpc/rpc/dcerpc_ep.c:119:4: error: dereferencing pointer to incomplete type
    b->object = iface->syntax_id;
    ^
../source3/librpc/rpc/dcerpc_ep.c:121:4: error: dereferencing pointer to incomplete type
    b->host = talloc_asprintf(b, "\\\\%s", lp_netbios_name());
    ^
../source3/librpc/rpc/dcerpc_ep.c:122:8: error: dereferencing pointer to incomplete type
    if (b->host == NULL) {
    ^
../source3/librpc/rpc/dcerpc_ep.c: In function ‘dcerpc_binding_vector_add_port’:
../source3/librpc/rpc/dcerpc_ep.c:160:8: error: dereferencing pointer to incomplete type
    if (b->transport != NCACN_IP_TCP) {
    ^
../source3/librpc/rpc/dcerpc_ep.c:165:4: error: dereferencing pointer to incomplete type
    b->object = iface->syntax_id;
    ^
../source3/librpc/rpc/dcerpc_ep.c:167:4: error: dereferencing pointer to incomplete type
    b->host = talloc_strdup(b, host);
    ^
../source3/librpc/rpc/dcerpc_ep.c:168:8: error: dereferencing pointer to incomplete type
    if (b->host == NULL) {
    ^
../source3/librpc/rpc/dcerpc_ep.c:173:4: error: dereferencing pointer to incomplete type
    b->endpoint = talloc_asprintf(b, "%u", port);
    ^
../source3/librpc/rpc/dcerpc_ep.c:174:8: error: dereferencing pointer to incomplete type
    if (b->endpoint == NULL) {
    ^
../source3/librpc/rpc/dcerpc_ep.c: In function ‘dcerpc_binding_vector_add_unix’:
../source3/librpc/rpc/dcerpc_ep.c:213:8: error: dereferencing pointer to incomplete type
    if (b->transport != NCALRPC) {
    ^
../source3/librpc/rpc/dcerpc_ep.c:218:4: error: dereferencing pointer to incomplete type
    b->object = iface->syntax_id;
    ^
../source3/librpc/rpc/dcerpc_ep.c:220:4: error: dereferencing pointer to incomplete type
    b->endpoint = talloc_asprintf(b,
    ^
../source3/librpc/rpc/dcerpc_ep.c:224:8: error: dereferencing pointer to incomplete type
    if (b->endpoint == NULL) {
    ^
Waf: Leaving directory `/home/build/samba4-master/samba/bin'
Build failed: -> task failed (err #1): {task: cc dcerpc_ep.c -> dcerpc_ep_25.o}
make: *** [all] Error 1
I tried this from master and on branch samba-4.2.1. Same result. If I build from master without the revert, samba builds without any errors. If there is something else you need me to try, please let me know.
Created attachment 11120 [details] Possible fix from Volker. Can you try this patch ? Volker found this and it seems in exactly the right place to fix the issue. It's currently being pushed to master. Cheers, Jeremy.
Comment on attachment 11120 [details] Possible fix from Volker. If defining 1000 shares is regarded as too hard for the test, we should be able to test this by running the rpc.echo test we already have, and forcing a very large reply over ncanc_np and the named pipe forwarding code.
Thank you guys I have no experience in patching samba, Maybe Tom Diehl can give it a go, otherwise can you point to a reference doc? P.s. does the patch apply to 4.2.2 or 4.2.1 ? thanks
Comment on attachment 11120 [details] Possible fix from Volker. Apparently this does not fix the problem, as a user just reported.
I too use the sernet-samba packages. If you wanted to reproduce this, on the system that I just installed I did the following:
1) Installed CentOS 6.6 minimal and ran all updates.
2) Installed the Sernet 4.1 packages from their repo to create a domain controller (sernet-samba-ad)
3) upgraded to sernet 4.2.1 packages using yum.
After that I had the problem with Remote Desktop. -Rich
ok I have done another test:
1) fresh ubuntu install trusty 14.04
2) download the latest samba source code
3) applied the patch of comment 49
4) followed this procedure in order to compile / install samba 4.2.2: http://www.linuxfromscratch.org/blfs/view/svn/basicnet/samba.html
5) upgraded from a different samba3 machine to the samba4 install, all ok
6) tested the remote desktop and I still get the error: "The connection is denied because the user account is not authorized for remote login"
Can someone else PLEASE test independently the patch proposed in comment 29? I'm afraid I am missing something different and the patch might actually work. regards
(In reply to Mario from comment #54) Does this only reproduce if the server has been based on a classicupgrade?
(In reply to Andrew Bartlett from comment #55) Hi Andrew I have not tested without the classicupgrade, so I can't answer your question, would you mind testing it without it if you can? thanks
(In reply to Mario from comment #56) I can't reproduce this issue, so no, I can't do that testing. That is why I asked.
(In reply to Mario from comment #54) Hi Mario, I think the issue you are describing is different. This bug was initially about an inability to log in to a machine via RDP using domain credentials, as the login hung, staying forever at "Welcome" until you restarted Samba4 and the login would continue. Your issue appears to be different in that you are receiving a "to log on to this remote computer, you must be granted the Allow Log on trough Terminal Service Rights" error (comment #46), but your login is not hanging. I had a similar issue to you and solved it by creating a GPO with the "Allow logon through Terminal Services" setting containing the users I wanted to be able to log in. For whatever reason setting this in the Computer options directly seemed to have no effect. Regards
(In reply to Alex MacCuish from comment #58) Indeed, this bug is confusing enough without trying to describe 'related' (actually totally unrelated) issues in it. Mario, Please raise and discuss those elsewhere. Thanks,
(In reply to Andrew Bartlett from comment #59) Hi All
@Andrew I've had this issue for a while, and I did open a support request here describing my issue: https://lists.samba.org/archive/samba/2015-May/191436.html but I was originally pointed to this Bug (11061) instead of to the GPO
@Alex Thank you for your suggestion! I have followed this How-To and created a specific GPO for remote desktop which works well!! http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/
@ALL I have this issue resolved on my samba4 installation, I will summarize the steps done on my environment in case it might be of help. I suggest pushing the patch as per comment 49 as it seems to help in my case:
1) fresh Ubuntu Install trusty 10.04
2) download the latest tarball of samba 4.2.2
3) apply the patch proposed in comment 49 on the source code ( patch -p1 < 0001-tstream-Make-socketpair-nonblocking.patch )
4) configure, compile, install samba 4.2.2 following this how-to http://www.linuxfromscratch.org/blfs/view/svn/basicnet/samba.html
5) run the classicupgrade tool
6) adjust the smb.conf with custom settings
7) from a machine on the domain that has ADUC, follow this How to and create a custom remote desktop group: http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/
This has worked for me, I have no problems with accessing domain machines through RDP and I hope a final patch will be pushed in 4.2.3. Thank you ALL for your support!!
Hi! We assume that this bug is a duplicate of bug 11312. I'll add the patch to our Enterprise SerNet-Samba packages and provide them in the next days. Best regards Björn
(In reply to Andrew Bartlett from comment #55) Hello Andrew, I can confirm that bug is not only with classicupgrade. Here are the two scenarios:
1) where upgrading from samba 4.1.x (4.1.17 in my case) to 4.2.1
2) with a fresh install of 4.2.1
Here are steps to reproduce problem on first scenario:
* Install ubuntu 14.04 LTS
* Install sernet samba 4.1.17
* Provision domain with this command: samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive (with samba internal DNS, and a bind9 as DNS forwarder)
  ===> at this step: no problem with RDP
* upgrade sernet samba to 4.2.1
  ===> now RDP connexion (with DC user) hang on "welcome" screen
* upgrade sernet samba to 4.2.2
  ===> RDP connexion (with DC user) still hang on "welcome" screen
Here are steps to reproduce problem on second scenario:
* Install ubuntu 14.04 LTS
* Provision domain with this command: samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive (with samba internal DNS, and a bind9 as DNS forwarder)
  ===> RDP connexion (with DC user) hang on "welcome" screen
* Upgrade sernet samba to 4.2.2
  ===> RDP connexion (with DC user) still hang on "welcome" screen
I can do other tests if you want.
I have run into the originally-reported problem and can confirm that Volker's patch does NOT resolve the issue on an existing domain. The first time I hit this issue was with an upgrade of an older Samba 4 domain. I have repeatedly set up new Samba 4 domains and new Windows Server 2012 R2 Remote Desktop hosts, and have consistently hit this issue.
== My Setup ==
Fedora 21 host with Samba 4 built from samba.org sources (no Fedora samba packages installed). I have used recent release tarballs and git clone from master with the same results.
Packages installed:
yum install \
    avahi-devel \
    bind-utils \
    cups-devel \
    gcc \
    git \
    gnutls-devel \
    krb5-workstation \
    libacl-devel \
    make \
    openldap-devel \
    pam-devel \
    pwgen \
    python-devel
yum group install "Printing Support" --exclude=samba-client
Build Configuration:
./configure.developer \
    -j 2 \
    --with-ads \
    --with-ldap \
    --enable-cups \
    --with-quotas \
    --enable-avahi \
    --with-acl-support \
    --with-dnsupdate \
    --with-syslog \
    --prefix=/opt/samba4 \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --enable-fhs
Provisioning:
samba-tool domain provision --use-rfc2307 --interactive
I'm using bind 9.9 for DNS. This is the same process and configuration that I had previously used with Samba 4.0.x and 4.1.x without issue. After I have created a domain and tested basic functionality, I proceed with installing Windows Server 2012 R2. I apply all available updates, then connect it to the domain. I then run the Remote Desktop installation. After completing the Remote Desktop configuration, I can successfully log in at the console or using any local (non-domain) account via RDP. The first time I log in with a domain account via RDP, it will hang at the "Welcome" screen and the RD server will become largely unresponsive, requiring a forced reboot of the RD server or a restart of Samba to recover. I have tried applying Volker's patch, rebuilding and reinstalling Samba and testing with an existing domain and RD server.
I have not rebuilt a domain and RD server with the patch applied.
would any of the people with reproducers be able and willing to give a samba developer login on such a DC? I'd take network traces and watch the corresponding processes, attach to some with gdb or so, depending on what I find.
@Volker I'm going to try to reproduce the problem in an isolated network. If I succeed, I'll get you access to it.
This issue could be fixed in master with:
commit ab26e84da15c636ecd772afcba740b307e1a5a79
Author: Volker Lendecke <vl@samba.org>
Date: Wed Jun 3 13:41:24 2015 +0000
    tstream: Make socketpair nonblocking
    When we have a large RPC reply, we can't block in the RPC server.
    Test: Do rpcclient netshareenumall with a thousand shares defined
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
(In reply to Andreas Schneider from comment #66) Comment 63 says this does not fix it. I've got login info from the reporter. I will try to diagnose what is going on later this week.
(In reply to Volker Lendecke from comment #67) Got one step further: It is a (to me at least) subtle problem with GSSAPI. Metze is working on it, he says it's possibly an unexpected behaviour of Fedora 21's system kerberos and gss libs.
(In reply to Volker Lendecke from comment #68) I have the issue and I'm running Debian so I don't think it'll be a Fedora specific problem.
Created attachment 11162 [details] Work in progress patches (on master) This fixes the problem for me, but it needs a bit more work. The problem is that the source3 rpc server uses 8 byte aligned padding relative to the pdu start, while windows uses 16 byte aligned padding relative to the payload start. The heimdal gss_wrap() (called in gensec_gssapi_seal_packet()) code assumes the windows behaviour when working in dce_style mode. Otherwise it generates a too short signature: 68 bytes in this case instead of the expected 76 bytes returned by gensec_gssapi_sig_size().
(In reply to Stefan (metze) Metzmacher from comment #70)
> The problem is that the source3 rpc server uses 8 byte aligned padding relative
> to the pdu start, while windows uses 16 byte aligned padding relative to the
> payload start.
Oh that is genius logic - congratulations! How did you realize the padding alignments were different? Are the padding requirements specified in one of the MS-XXX docs?
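The two padding rules from the attachment 11162 comment above, worked through as an added example (not code from Samba, the patches, or anyone in this thread). It builds constructed response fragments and checks whether the region before the auth trailer is 16-byte aligned; the 24-byte response header and 8-byte auth trailer are the standard DCE/RPC sizes, the 76-byte signature length is the figure quoted in the comment, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESPONSE_HDR_LEN          24 /* DCE/RPC common header (16) + response fields (8) */
#define AUTH_TRAILER_LEN           8 /* auth_type, auth_level, auth_pad_length, reserved, context id */
#define DCERPC_AUTH_PAD_ALIGNMENT 16 /* constant name and value as they appear in this thread */
#define SIG_LEN                   76 /* signature size quoted in the comment (assumed here) */

/* Rule the comment attributes to the source3 RPC server: 8 bytes, counted from the PDU start. */
static size_t pad_from_pdu_start_8(size_t stub_len)
{
	return (8 - (RESPONSE_HDR_LEN + stub_len) % 8) % 8;
}

/* Rule the comment attributes to Windows: 16 bytes, counted from the payload start. */
static size_t pad_from_payload_start_16(size_t stub_len)
{
	return (DCERPC_AUTH_PAD_ALIGNMENT - stub_len % DCERPC_AUTH_PAD_ALIGNMENT)
	       % DCERPC_AUTH_PAD_ALIGNMENT;
}

static void put_le16(uint8_t *p, size_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static size_t get_le16(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* Lay out a constructed fragment: header | stub | pad | auth trailer | signature.
 * Returns the fragment length, or 0 if it does not fit. */
static size_t build_response(uint8_t *buf, size_t buflen, size_t stub_len, size_t pad_len)
{
	size_t total = RESPONSE_HDR_LEN + stub_len + pad_len + AUTH_TRAILER_LEN + SIG_LEN;
	uint8_t *trailer;

	if (total > buflen || total > UINT16_MAX || pad_len > UINT8_MAX) return 0;
	memset(buf, 0, total);
	buf[0] = 5;                  /* rpc_vers */
	buf[2] = 2;                  /* ptype: response */
	buf[3] = 0x03;               /* first and last fragment */
	buf[4] = 0x10;               /* little-endian data representation */
	put_le16(buf + 8, total);    /* frag_length */
	put_le16(buf + 10, SIG_LEN); /* auth_length */
	trailer = buf + RESPONSE_HDR_LEN + stub_len + pad_len;
	trailer[0] = 9;              /* auth_type: SPNEGO */
	trailer[1] = 6;              /* auth_level: privacy */
	trailer[2] = (uint8_t)pad_len;
	return total;
}

/* Parse a fragment: 1 if stub+pad is a multiple of 16, 0 if not, -1 if malformed. */
static int check_auth_padding(const uint8_t *pdu, size_t len)
{
	size_t frag_len, auth_len, payload, pad;

	if (len < RESPONSE_HDR_LEN + AUTH_TRAILER_LEN) return -1;
	frag_len = get_le16(pdu + 8);
	auth_len = get_le16(pdu + 10);
	if (frag_len != len || auth_len == 0) return -1;
	if (frag_len < RESPONSE_HDR_LEN + AUTH_TRAILER_LEN + auth_len) return -1;
	payload = frag_len - RESPONSE_HDR_LEN - AUTH_TRAILER_LEN - auth_len;
	pad = pdu[RESPONSE_HDR_LEN + payload + 2]; /* auth_pad_length in the trailer */
	if (pad > payload) return -1;
	return payload % DCERPC_AUTH_PAD_ALIGNMENT == 0;
}

/* Build a fragment with one of the two rules and run the checker over it. */
static int payload_is_16_aligned(size_t stub_len, int payload_relative)
{
	uint8_t buf[512];
	size_t pad = payload_relative ? pad_from_payload_start_16(stub_len)
				      : pad_from_pdu_start_8(stub_len);
	size_t len = build_response(buf, sizeof(buf), stub_len, pad);

	return len ? check_auth_padding(buf, len) : -1;
}

int main(void)
{
	size_t stub;

	printf("stub  pad(8,pdu)  pad(16,payload)  8-rule aligned to 16?\n");
	for (stub = 16; stub <= 32; stub++) {
		printf("%4zu  %10zu  %15zu  %s\n", stub,
		       pad_from_pdu_start_8(stub), pad_from_payload_start_16(stub),
		       payload_is_16_aligned(stub, 0) == 1 ? "yes" : "no");
	}
	return 0;
}
```

The two rules disagree exactly when the stub length modulo 16 is 1 through 8, so only some replies produce differently padded fragments.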
Comment on attachment 11162 [details] Work in progress patches (on master) Wow! A big thanks to everyone who worked on this!
I can confirm that this issue is not only on Fedora or Linux. I have same issue on FreeBSD with heimdal.
Wow Great Stephen! Is the patch going to be added to the samba 4.2.3 release? That would be great!
Hello! Is it possible to apply this patch to 4.4.2? I would like to rebuild Sernet packages with patch applied and test if it will help me in same case. Also, if you still need sandbox with this issue reproduced - I can help.
Hello, I can confirm that attachment 11162 [details] applied to Sernet 4.4.2-8 packages resolved issue for me. Thank you.
I have now tested the WIP patches in several affected environments and can happily report that they work wonderfully. A big thanks to all who contributed to getting this fixed!
Created attachment 11184 [details] Possible patches for master Can someone verify these patches also fix the problem?
Comment on attachment 11184 [details] Possible patches for master In dcerpc_ship_next_request() you could also use the constant instead of 16.
chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT);
Beside that, the patchset looks good! Great work ...
(In reply to Andreas Schneider from comment #79) That's [PATCH 09/16] s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT define...
Hi guys, I'm using Samba 4.2 built from source. How do I apply this patch? Can you help me? Thanks!!
Hi! I applied the patch and everything works fine. Thanks.
I can also confirm that the patches in master have resolved this problem for me. Thanks for fixing this.
Hello. Is this fix planned to be included in 4.2.3?
Created attachment 11212 [details] Patches for v4-2-test
Created attachment 11213 [details] Patches for v4-1-test
Comment on attachment 11213 [details] Patches for v4-1-test LGTM. This patchset also includes the tests for our testsuite.
Karolin, please push to 4.1 and 4.2. Thanks!
Pushed to autobuild-v4-[1|2]-test.
(In reply to Karolin Seeger from comment #89) Pushed to both branches. Closing out bug report. Thanks!