Bug 11061 - Logon via MS Remote Desktop hangs
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.2.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Depends on: 11245
Reported: 2015-01-20 10:03 UTC by KAMEI Yutaka
Modified: 2015-07-16 09:36 UTC (History)
Attachments
* Wireshark capture between Samba and Windows Server (41.43 KB, application/vnd.tcpdump.pcap), 2015-01-20 10:03 UTC, KAMEI Yutaka
* RDP Hangs @ welcome screen (156.25 KB, image/png), 2015-04-23 00:59 UTC, Vijay
* Login contnues after restarting samba process (154.42 KB, image/png), 2015-04-23 01:03 UTC, Vijay
* please ignore (1.33 KB, text/plain), 2015-04-29 07:34 UTC, schnaggy
* log.samba RDP Loglevel10 (419.63 KB, application/x-gzip), 2015-04-29 07:43 UTC, schnaggy
* log.smbd RDP Loglevel10 (206.07 KB, application/x-gzip), 2015-04-29 07:44 UTC, schnaggy
* logs: loglevel 10. (2.17 MB, application/x-gzip), 2015-05-01 12:33 UTC, Louis
* logs:Log level 10 (1.19 MB, application/x-compressed-tar), 2015-05-01 21:08 UTC, Tom Diehl
* Possible fix from Volker. (1.53 KB, patch), 2015-06-03 18:49 UTC, Jeremy Allison
* Work in progress patches (on master) (6.49 KB, patch), 2015-06-16 16:27 UTC, Stefan Metzmacher
* Possible patches for master (23.42 KB, patch), 2015-06-22 20:20 UTC, Stefan Metzmacher; flags: asn: review+
* Patches for v4-2-test (30.22 KB, patch), 2015-06-30 08:19 UTC, Stefan Metzmacher; flags: abartlet: review+, asn: review+, jra: review+
* Patches for v4-1-test (30.28 KB, patch), 2015-06-30 08:19 UTC, Stefan Metzmacher; flags: metze: review? (abartlet), asn: review+, jra: review+


Description KAMEI Yutaka 2015-01-20 10:03:49 UTC
Created attachment 10637 [details]
Wireshark capture between Samba and Windows Server

Hi,

I have a problem with MS Remote Desktop.

I cannot connect to Windows Server 2012 R2 (win2012r2) via RDP from Windows 8.1
(win8.1). win2012r2 has been joined to the AD domain created by Samba. win8.1
is not a domain computer.

This is the same problem as reported in Samba mailing list
(https://lists.samba.org/archive/samba/2014-May/181303.html).

This occurs in Samba 4.2.0rc2 or later.
In Samba 4.1.16, the problem does not happen.

I captured some packets and found out that authentication succeeded.
But after that, the logon process hangs in WINREG or SMB2 packets
(Wireshark frames 149-154). When I kill the smbd process which connects to
win2012r2 in that state, the logon process continues and I get successfully
logged on with RDP.

My test environment:

* Samba
    - OS: CentOS 7 (3.10.0-123.13.2.el7.x86_64)
    - Samba version: 4.2.0rc3
    - IP address: 192.168.12.1
* win2012r2
    - OS: Windows Server 2012 R2
    - IP address: 192.168.12.80
    - RDP server
* win8.1
    - OS: Windows 8.1
    - IP address: 192.168.12.215
    - RDP client

Thanks,
Comment 1 Alex MacCuish 2015-03-14 21:21:58 UTC
Same here, RDP can logon if just 4.1 DCs are available, but if I turn on my 4.2 DC and it is selected as the logon server, the logon hangs at "Welcome".

No issues with DNS. Like other users, if I kill the samba process, the logon continues. I notice that the RDSH attributes are now being written to Active Directory, previously they would fail to be written and an error reported in the error log saying the RDSH could not write RD licence attributes to Active Directory. Don't know if that has something to do with it...
Comment 2 Henning Becker 2015-04-08 19:02:27 UTC
I've also suffered from this issue.
It seems to be related to the winbind/winbindd rewrite.

However, reactivating the old code path with
"server services = +winbind -winbindd"
fixes this issue.

Regards,
Henning
Comment 3 Henning Becker 2015-04-08 19:13:19 UTC
(In reply to Henning Becker from comment #2)
I have to take it back. It just worked once...

I'm sorry,
Henning
Comment 4 Björn Jacke 2015-04-09 07:15:31 UTC
On 2015-04-08 at 19:13 +0000 samba-bugs@samba.org sent off:
> I have to take it back. It just worked once...

you mean it suddenly started to work always?

or you mean it worked once (like one time, and then not any more)?
Comment 5 Vijay 2015-04-15 03:03:32 UTC
Hi,

I am having the same problem too: the remote desktop session hangs at the "welcome" screen, and I forcefully downgraded to Samba 4.1. If the samba process is killed, the remote login continues.

Tried with the +winbind =winbindd option, no use. Can you please help me with this?

Vijay
Comment 6 Rodney 2015-04-16 15:09:44 UTC
Still not working as of Samba 4.2.1
Comment 7 Andrew Bartlett 2015-04-16 22:59:50 UTC
I'm sorry to say, but regarding 4.2.1 that is expected, I've only just started to look into this, and 4.2.1 froze over a week ago.
Comment 8 Andrew Bartlett 2015-04-16 23:01:51 UTC
A set of Samba logs correlated with a matching network trace may well be helpful - as I can't work out what the failing packet might be in the trace alone.

Also include the exact time the logon failed.

Thanks!
Comment 9 Andrew Bartlett 2015-04-20 00:49:00 UTC
Connecting over RDP from Linux to Windows 8.1 doesn't work (using Remmina Remote Desktop Client)

I'll build a Windows 2012R2 member server and see if that is any different.

Thanks for your patience here!
Comment 10 Ed K 2015-04-20 14:55:36 UTC
Confirming bug, when using console or rdesktop.org:

* Local account will log in, if domain account has never been tried since reboot
* Domain account locks up the login system and no users can login after a failed Domain login attempt.

- Windows Server 2012R2
Comment 11 Andrew Bartlett 2015-04-20 23:45:25 UTC
Can you give me more details?  

 - Administrator vs not administrator?
 - exact rdesktop.org command?
 - any other details?

I can't reproduce it using Remmina right now, but that may be some unrelated issue.

rdesktop is giving me:


ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Failed to connect, CredSSP required by server.
Comment 12 Andrew Bartlett 2015-04-21 00:35:02 UTC
I've also been testing from a Remote desktop client installed on a domain member Win8.1, and tested with Samba 4.1 (I was using master previously).

I still can't reproduce this issue. 

It may help for someone who can reproduce this at will, to do a git bisect between current v4-2-test and when we branched v4-1-test (4.1rc1), to understand when this broke, as that may give us more clues than I have right now.
Comment 13 Ed K 2015-04-21 11:59:15 UTC
I will be glad to test, given directions on which git branch to test. I have the following three computers:

1. Samba AD DC, fresh install with 4.2.1 release. Configured AD Domain with 'samba-tool domain provision --use-rfc2307 --interactive'

2. New image of Windows 2012R2 from OpenStack: http://www.cloudbase.it/ws2012r2/

3. Fedora 20, using rdesktop.org v1.8.3

I am currently running fine with Samba v4.1.17
Comment 14 schnaggy 2015-04-21 15:20:40 UTC
Revisions used for bisecting:

good v4-1-stable
bad  v4-2-stable


After a couple of tests...


Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7daa4b94fa6299d6e1788c93ed8ff0b4c4023b40] s3-rpc_server: Add make_internal_rpc_pipe_socketpair().
root@dc4:~/src/samba.mirror# 


Bisecting: 0 revisions left to test after this (roughly 1 step)
[b8e07323c985c4b797c2d31bf91af3f9a9471052] s3-rpc_server: Use make_internal_rpc_pipe_socketpair().
root@dc4:~/src/samba.mirror# 

Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4498d07e7355a0ec8b96f7f9138d8321b15bef55] s3-rpc_server: Pass the server event context to np_open().


Is this enough? I don't know... First time using bisecting...

schnaggy:-)
Comment 15 Ed K 2015-04-21 15:24:09 UTC
Continued testing:

good v4-1-test
bad  v4-2-test

Not up to speed on bisecting. Need to learn more git.
Comment 16 schnaggy 2015-04-21 15:29:38 UTC
Here is the last step:

b8e07323c985c4b797c2d31bf91af3f9a9471052 is the first bad commit
commit b8e07323c985c4b797c2d31bf91af3f9a9471052
Author: Andreas Schneider <asn@samba.org>
Date:   Wed Oct 23 17:04:12 2013 +0200

    s3-rpc_server: Use make_internal_rpc_pipe_socketpair().
    
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

:040000 040000 ce2341464794420becbb98a9ed0512f3962ab2f6 66e9448442377cd599f1b9463eacbb8127e3be88 M	source3


Hope it helps...

Cheers,

schnaggy:-)
Comment 17 Andrew Bartlett 2015-04-22 06:07:35 UTC
Can you try setting in your smb.conf:

rpc_server:winreg = external

That will use a different registry server, and that one won't use the internal named pipe proxy that seems to have locked up here. 

It isn't a solution (probably will break printing), but it might confirm the bisect result.
Comment 18 schnaggy 2015-04-22 07:12:20 UTC
Hi Andrew,

I checked out b8e07323c985c4b797c2d31bf91af3f9a9471052 and built.
Modified smb.conf with rpc_server:winreg = external. (samba-tool testparm showed this parameter)

-> The remote Login still got hung up.

Did I make any mistakes?

schnaggy:-)
Comment 19 Andreas Schneider 2015-04-22 09:23:36 UTC
I would say you made a mistake while bisecting.
Comment 20 schnaggy 2015-04-22 10:26:54 UTC
Hhhmmm, another try:

Finding two commits, one good, one bad:
good is 4498d07e7355a0ec8b96f7f9138d8321b15bef55
bad is b8e07323c985c4b797c2d31bf91af3f9a9471052

(Verified via building and starting a RDP connection.)

Start bisecting:

root@dc4:~/src/samba.mirror# git bisect good 4498d07e7355a0ec8b96f7f9138d8321b15bef55
root@dc4:~/src/samba.mirror# git bisect bad b8e07323c985c4b797c2d31bf91af3f9a9471052
b8e07323c985c4b797c2d31bf91af3f9a9471052 is the first bad commit
commit b8e07323c985c4b797c2d31bf91af3f9a9471052
Author: Andreas Schneider <asn@samba.org>
Date:   Wed Oct 23 17:04:12 2013 +0200

    s3-rpc_server: Use make_internal_rpc_pipe_socketpair().
    
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

:040000 040000 ce2341464794420becbb98a9ed0512f3962ab2f6 66e9448442377cd599f1b9463eacbb8127e3be88 M	source3
root@dc4:~/src/samba.mirror# git bisect reset


Maybe this is not the only change which made this RDP behaviour, because:

1.) Login via RDP -> hangs
2.) kill samba    -> login continues
3.) start samba again
4.) Logout
5.) Login via RDP again -> success
6.) Logout
7.) Login via RDP -> hangs
...

Maybe there were some other correlated changes before b8e07323c985c4b797c2d31bf91af3f9a9471052?


schnaggy:-)
Comment 21 Vijay 2015-04-23 00:59:07 UTC
Created attachment 10981 [details]
RDP Hangs @ welcome screen
Comment 22 Vijay 2015-04-23 01:03:15 UTC
Created attachment 10982 [details]
Login contnues after restarting samba process
Comment 23 Andrew Bartlett 2015-04-23 06:11:57 UTC
It might be worth trying the NTVFS file server.

Run with this in the smb.conf:

server services = +smb -s3fs

That will mean that the named pipe handler the bisect indicates will be skipped, which may help show that that indeed is the issue.
Comment 24 schnaggy 2015-04-23 07:02:50 UTC
Hi Andrew.

Confirmed: With smb and without s3fs services the rdp login works on git version
b8e07323c985c4b797c2d31bf91af3f9a9471052.


schnaggy:-)
Comment 25 Vijay 2015-04-24 00:37:55 UTC
Used the config below in 4.3.0, and RDP is working now. Will test some more.

Thanks much for a fix.

[root@mydc01 bin]# /usr/local/samba/sbin/samba -V
Version 4.3.0pre1-GIT-2e2ff8b
[root@mydc01 bin]# pwd
/usr/local/samba/bin
[root@mydc01 bin]# grep -i server ../etc/smb.conf
	server role = active directory domain controller
	server services =  rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, smb
[root@mydc01 bin]#
Comment 26 Vijay 2015-04-24 00:50:11 UTC
But now, sysvol and netlogon shares are not accessible from workstations.
Comment 27 Vijay 2015-04-24 00:53:15 UTC
Rechecked, with s3fs it's working, but not with smb.
Comment 28 Andrew Bartlett 2015-04-24 01:29:56 UTC
Correct, it is expected that this would break other things, like sysvol.  The data point is however very helpful in isolating it, and I think does strongly suggest the indicated commit is indeed the regression.

Using the ntvfs file server is not a long term solution, but in the short term it may be enough to reset the acls with 'samba-tool ntacl sysvolreset --use-ntvfs'
Comment 29 Andreas Schneider 2015-04-24 08:22:20 UTC
I would say a log level 10 of smbd (s3fs) is needed to see what is going on ...
Comment 30 Vijay 2015-04-24 17:32:51 UTC
Ok, will try to get it.

May I know if you foresee any other issues if I change it to smb from s3fs?
Comment 31 Andrew Bartlett 2015-04-29 03:53:20 UTC
(In reply to Vijay from comment #30)
Using the ntvfs file server (called smb in server services) is not a long term solution, and in any case won't give us the logs we need to fix this.
Comment 32 schnaggy 2015-04-29 07:34:43 UTC
Created attachment 10999 [details]
please ignore
Comment 33 schnaggy 2015-04-29 07:43:48 UTC
Created attachment 11000 [details]
log.samba RDP Loglevel10
Comment 34 schnaggy 2015-04-29 07:44:21 UTC
Created attachment 11001 [details]
log.smbd RDP Loglevel10
Comment 35 schnaggy 2015-04-29 07:47:59 UTC
Hi *,

two gzipped logfiles at Loglevel10:

- Startup samba
- Started RDP Connection -> hanging
- Restarted samba at 09:40
- RDP Connection succeeded
- Logout from RDP Connection
- Shutdown samba


Samba build from git version b8e07323c985c4b797c2d31bf91af3f9a9471052.
Comment 36 Andreas Schneider 2015-04-30 08:04:27 UTC
Could you try with reverting the following change?

commit 52ccd28ca75bef4f7ac2489389a5aebf5db2b34a
Author:     Stefan Metzmacher <metze@samba.org>
AuthorDate: Thu Jan 30 12:52:34 2014 +0100
Commit:     Günther Deschner <gd@samba.org>
CommitDate: Thu Feb 13 11:54:16 2014 +0100

    s3:dcerpc_ep: make use of dcerpc_binding helper functions
    
    We should not dereference 'struct dcerpc_binding'.
    
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
Comment 37 Alexander Bokovoy 2015-04-30 08:05:30 UTC
LSASD daemon does not complete its initialization with the change of 52ccd28ca75bef4f7ac2489389a5aebf5db2b34a and that causes also FreeIPA to fail in Fedora 22 (where we rebased to Samba 4.2).

See my analysis in https://bugzilla.redhat.com/show_bug.cgi?id=1217346
Comment 38 Andreas Schneider 2015-04-30 10:07:59 UTC
If reverting the change in comment #36 doesn't fix the problem, please also try to revert:

commit 017338a180c87e938af5215720bf59610f4ddbb1
Author:     Stefan Metzmacher <metze@samba.org>
AuthorDate: Thu Jan 23 12:13:14 2014 +0100
Commit:     Günther Deschner <gd@samba.org>
CommitDate: Thu Feb 13 11:54:14 2014 +0100

    librpc/rpc: set more things via dcerpc_binding_set_string_option()
    
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
Comment 39 Andrew Bartlett 2015-05-01 09:43:26 UTC
Can affected users please try Samba GIT master and confirm if this problem is still reproduced?

Thanks,
Comment 40 Louis 2015-05-01 12:33:30 UTC
Created attachment 11008 [details]
logs: loglevel 10.

Hai here are some logs. 

Login RDP around..  
Fri May  1 14:22:11 CEST 2015 
result : Only Welkom is shown.. no login possible. 

while still getting the "Welkom" 
added :         auth methods = sam, winbind 

/etc/init.d/samba-ad-dc force-reload
around Fri May  1 14:24:09 CEST 2015

and login proceeded successfully.
Comment 41 Tom Diehl 2015-05-01 21:08:56 UTC
Created attachment 11009 [details]
logs:Log level 10

Not sure exactly which logs you need so I sent them all. log.marvin is the win7 machine I am trying to rdp to.

I started the rdp session at approx 2015/05/01 16:39:06.942091. It displayed the welcome until I restarted samba at 2016/05/01 16:41:46.667856. The rdp session then succeeded.
Comment 42 open_side111 2015-05-28 01:05:52 UTC
Hello,

I am sad to say that this issue is still present with 4.2.2. I am running Samba on a Debian 8 VM inside of Hyper-V. Firewalls are all off and everything is on the same subnet. Like the others, RDP hangs on welcome screen until Samba is restarted..

If I add the 'auth methods = sam, winbind' it fixes RDP but breaks permissions for domain admins so they CAN'T use ADUC.

If I add..

        server services = +smb -s3fs
        dcerpc endpoint servers = +winreg +srvsvc

to smb.conf, RDP and ADUC permissions work, but the internal DNS is broken.

Finally I don't know if this helps but WITHOUT the above workarounds, when I run..
smbclient -L localhost -U%
It shows my OS as Windows 6.1?
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.2.2]

Whenever I add the above lines to smb.conf, OS shows as..
Domain=[TEST] OS=[Unix] Server=[Samba 4.2.2]

I hope this helps and I very much look forward to this issue's resolution..

Thanks,
Brett
Comment 43 open_side111 2015-05-28 02:21:50 UTC
One more thing. I would like to confirm that this issue does not exist in the 4.1.18 version.

On the exact same VMs I tested 4.2.2 I ran 'make uninstall', downloaded, compiled, and completely reconfigured 4.1.18 and everything, RDP, internal DNS, permissions, all works as it should.

Thanks,
Brett
Comment 44 Mario 2015-05-28 10:20:41 UTC
Hi All

Unfortunately, I confirm that this bug is still present in 4.2.2

It has a big impact on the samba 4.2 installation, can you please let us know if it will be addressed in 4.2.3?

thank you!
Comment 45 Andrew Bartlett 2015-06-02 08:58:25 UTC
I realise everyone is very frustrated by this bug.

There are two major issues:
 - I've tried to reproduce the issue locally, but was not able to.
 - Nobody who can reproduce the issue has tried reverting the patches that Andreas suggests. 

Sadly without some change on either of these, no future version of Samba 4.2 is likely to fix this.  

It will be clearly marked in the release notes and on this bug when it has been fixed.

I realise the delay here is highly frustrating, if this is impacting seriously on your enterprise, and you are not able to rebuild Samba to test the patches manually, then I can only suggest engaging a commercial support provider to assist: https://www.samba.org/samba/support/globalsupport.html
Comment 46 Mario 2015-06-02 11:07:11 UTC
Hi Andrew

regarding your questions:

1) I've tried to reproduce the issue locally, but was not able to.

I can describe you my scenario and the related issue, so maybe you can try to reproduce

a) I have a AD domain created with a samba 3 PDC.
b) I want to upgrade to samba 4 (NOTE, I cannot use 4.1.x version as it does not have user lockout mechanism, which is mandatory for us)
c) I do a fresh install of samba 4.2.2 based on the latest release of sernet-samba. This is done on an ubuntu server trusty 14.04
d) the classicupgrade works perfectly fine and I am able to see users and groups
e) when I try to remote desktop to any machine of the domain using a user belonging to the "Remote Desktop users" built in group I get the error:

"to log on to this remote computer, you must be granted the Allow Log on trough Terminal Service Rights"
f) same thing happens if I want to join a machine to the domain using a non "domain administrator user"

g) I have opened a support mail in order to get help on this and the answer points to this bug. You can find the full mail thread here:

https://lists.samba.org/archive/samba/2015-May/191436.html

It looks like a problem with access to the GPO, like bidirectional access to the sysvol. I have tried all the configuration proposed but none worked. I am happy to give you all the debug and log possible, but please tell me how to enable the debugging and what exactly you need. If possible, please let's work on the sernet-samba packages as we are not allowed to use self compiled code :(


2) Nobody who can reproduce the issue has tried reverting the patches that Andreas suggests. 

I can't apply/revert the patches as we are working on the sernet-samba binaries. I am happy to work with you to get it sorted, let me know what we need

Thank you for all your work Andrew! We appreciate your effort on this!!
Comment 47 open_side111 2015-06-02 21:07:29 UTC
Hi Andrew,

If you can point me toward some instructions on what the 'revert patch' comment entails, I'll give it a shot. Unfortunately I don't really know what that means and googling only leads back to this post.

Aside from that I have tried to make this work several times now with new installations and every time is the same result.

I can tell you that I start with 2 newly installed VMs. One is Debian 8 where I download, compile, and install Samba to create a test domain using the basic instructions in the wiki. Second is a windows 8.1 VM which joins successfully to the new domain. I then set it up to allow RDP (which works with the local account). Then RDP hangs with domain admin etc.

Not sure if that helps but I just wanted to let you know my lab for testing this is as simple as it gets.

Again, I'm more than happy to help any way I can and thanks for all your efforts..
Brett
Comment 48 Tom Diehl 2015-06-02 23:38:04 UTC
Sorry Andrew, I did not know you wanted us to try to revert the patches.

I tried git revert 52ccd28c, but when I try to build samba I get the following errors:

[2975/4107] Compiling source3/librpc/rpc/dcerpc_ep.c
../source3/librpc/rpc/dcerpc_ep.c: In function ‘dcerpc_binding_vector_add_np_default’:
../source3/librpc/rpc/dcerpc_ep.c:114:8: error: dereferencing pointer to incomplete type
   if (b->transport != NCACN_NP) {
        ^
../source3/librpc/rpc/dcerpc_ep.c:119:4: error: dereferencing pointer to incomplete type
   b->object = iface->syntax_id;
    ^
../source3/librpc/rpc/dcerpc_ep.c:121:4: error: dereferencing pointer to incomplete type
   b->host = talloc_asprintf(b, "\\\\%s", lp_netbios_name());
    ^
../source3/librpc/rpc/dcerpc_ep.c:122:8: error: dereferencing pointer to incomplete type
   if (b->host == NULL) {
        ^
../source3/librpc/rpc/dcerpc_ep.c: In function ‘dcerpc_binding_vector_add_port’:
../source3/librpc/rpc/dcerpc_ep.c:160:8: error: dereferencing pointer to incomplete type
   if (b->transport != NCACN_IP_TCP) {
        ^
../source3/librpc/rpc/dcerpc_ep.c:165:4: error: dereferencing pointer to incomplete type
   b->object = iface->syntax_id;
    ^
../source3/librpc/rpc/dcerpc_ep.c:167:4: error: dereferencing pointer to incomplete type
   b->host = talloc_strdup(b, host);
    ^
../source3/librpc/rpc/dcerpc_ep.c:168:8: error: dereferencing pointer to incomplete type
   if (b->host == NULL) {
        ^
../source3/librpc/rpc/dcerpc_ep.c:173:4: error: dereferencing pointer to incomplete type
   b->endpoint = talloc_asprintf(b, "%u", port);
    ^
../source3/librpc/rpc/dcerpc_ep.c:174:8: error: dereferencing pointer to incomplete type
   if (b->endpoint == NULL) {
        ^
../source3/librpc/rpc/dcerpc_ep.c: In function ‘dcerpc_binding_vector_add_unix’:
../source3/librpc/rpc/dcerpc_ep.c:213:8: error: dereferencing pointer to incomplete type
   if (b->transport != NCALRPC) {
        ^
../source3/librpc/rpc/dcerpc_ep.c:218:4: error: dereferencing pointer to incomplete type
   b->object = iface->syntax_id;
    ^
../source3/librpc/rpc/dcerpc_ep.c:220:4: error: dereferencing pointer to incomplete type
   b->endpoint = talloc_asprintf(b,
    ^
../source3/librpc/rpc/dcerpc_ep.c:224:8: error: dereferencing pointer to incomplete type
   if (b->endpoint == NULL) {
        ^
Waf: Leaving directory `/home/build/samba4-master/samba/bin'
Build failed:  -> task failed (err #1):
        {task: cc dcerpc_ep.c -> dcerpc_ep_25.o}
make: *** [all] Error 1

I tried this from master and on branch samba-4.2.1. Same result.

If I build from master without the revert, samba builds without any errors.

If there is something else you need me to try, please let me know.
Comment 49 Jeremy Allison 2015-06-03 18:49:44 UTC
Created attachment 11120 [details]
Possible fix from Volker.

Can you try this patch ? Volker found this and it seems in exactly the right place to fix the issue. It's currently being pushed to master.

Cheers,

Jeremy.
Comment 50 Andrew Bartlett 2015-06-03 19:32:00 UTC
Comment on attachment 11120 [details]
Possible fix from Volker.

If defining 1000 shares is regarded as too hard for the test, we should be able to test this by running the rpc.echo test we already have, and forcing a very large reply over ncacn_np and the named pipe forwarding code.
Comment 51 Mario 2015-06-04 09:40:04 UTC
Thank you guys

I have no experience in patching samba, Maybe Tom Diehl can give it  a go, otherwise can you point to a reference doc?

P.s. does the patch apply to 4.2.2 or 4.2.1 ?

thanks
Comment 52 Volker Lendecke 2015-06-04 12:09:35 UTC
Comment on attachment 11120 [details]
Possible fix from Volker.

Apparently this does not fix the problem, as a user just reported.
Comment 53 Rich Webb 2015-06-07 15:28:52 UTC
I too use the sernet-samba packages.  If you wanted to reproduce this the system that I just installed I did the following:

1) Installed CentOS 6.6 minimal and ran all updates.
2) Installed the Sernet 4.1 packages from their repo to create a domain controller (sernet-samba-ad)
3) upgraded to sernet 4.2.1 packages using yum.

After that I had the problem with Remote Desktop.

-Rich
Comment 54 Mario 2015-06-09 10:43:13 UTC
ok I have done another test:

1) fresh ubuntu install trusty 14.04
2) downloaded the latest samba source code
3) applied the patch of comment 49
4) followed this procedure in order to compile / install samba 4.2.2: 

http://www.linuxfromscratch.org/blfs/view/svn/basicnet/samba.html

5) upgraded from a different samba3 machine to the samba4 install, all ok
6) tested the remote desktop and I still get the error:

"The connection is denied because the user account is not authorized for remote login"



Can someone else PLEASE test independently the patch proposed in comment 29? I'm afraid I am missing something different and the patch might actually work.

regards
Comment 55 Andrew Bartlett 2015-06-09 10:48:33 UTC
(In reply to Mario from comment #54)
Does this only reproduce if the server has been based on a classicupgrade?
Comment 56 Mario 2015-06-09 10:56:34 UTC
(In reply to Andrew Bartlett from comment #55)
Hi Andrew

I have not tested without the classicupgrade, so I can't answer your question, would you mind testing it without it if you can?

thanks
Comment 57 Andrew Bartlett 2015-06-09 11:00:40 UTC
(In reply to Mario from comment #56)
I can't reproduce this issue, so no, I can't do that testing.  That is why I asked.
Comment 58 Alex MacCuish 2015-06-09 11:12:18 UTC
(In reply to Mario from comment #54)
Hi Mario

I think the issue you are describing is different. This bug was initially about an inability to login a machine via RDP using domain credentials as the login hanged, staying forever at "Welcome" until you restarted Samba4 and the login would continue.

Your issue appears to be different in that you are receiving a "to log on to this remote computer, you must be granted the Allow Log on trough Terminal Service Rights" error (comment #46), but your login is not hanging.
I had a similar issue to you and solved it by creating a GPO with the "Allow logon through Terminal Services" setting containing the users I wanted to be able to login. For whatever reason setting this in the Computer options directly seemed to have no effect.

Regards
Comment 59 Andrew Bartlett 2015-06-09 11:19:11 UTC
(In reply to Alex MacCuish from comment #58)
Indeed, this bug is confusing enough without trying to describe 'related' (actually totally unrelated) issues in it.  

Mario,

Please raise and discuss those elsewhere.

Thanks,
Comment 60 Mario 2015-06-09 12:15:07 UTC
(In reply to Andrew Bartlett from comment #59)
Hi All

@Andrew

I've had this issue for a while, and I did open a support request here describing my issue:

https://lists.samba.org/archive/samba/2015-May/191436.html

but I was originally pointed to this Bug (11061) instead to the GPO 

@Alex

Thank you for your suggestion! I have followed this How-To and created a specific GPO for remote desktop which works well!!

http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/

@ALL

I have this issue resolved on my samba4 installation, I will summarize the steps done on my environment in case it might be of help. I suggest to push the patch as per comment 49 as it seems to help in my case:

1) fresh Ubuntu Install trusty 10.04
2) download the latest tarball of samba 4.2.2
3) apply the patch proposed in comment 49 on the source code ( patch -p1 < 0001-tstream-Make-socketpair-nonblocking.patch )
4) configure, compile, install samba 4.2.2 following this how-to http://www.linuxfromscratch.org/blfs/view/svn/basicnet/samba.html
5) run the classicupgrade tool
6) adjust the smb.conf with custom settings
7) from a machine on the domain that has ADUC , follow this How to and create a custom remote desktop group: 
http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/



This has worked for me, I have no problems with accessing domain machines through RDP and I hope a final patch will be pushed in 4.2.3


Thank you ALL for your support!!
Comment 61 Björn Baumbach 2015-06-09 12:57:45 UTC
Hi!

We assume that this bug is a duplicate of bug 11312.
I'll add the patch to our Enterprise SerNet-Samba packages and provide them in the next days.

Best regards
Björn
Comment 62 Lulzim KELMENI 2015-06-09 14:20:23 UTC
(In reply to Andrew Bartlett from comment #55)
Hello Andrew,
I can confirm that bug is not only with classicupgrade.

Here are the two scenarios:

1) where upgrading from samba 4.1.x (4.1.17 in my case) to 4.2.1
2) with a fresh install of 4.2.1

Here are steps to reproduce problem on first scenario:
*Install ubuntu 14.04 LTS
*Install sernet samba 4.1.17
*Provision domain with this command : samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive (with samba internal DNS, and a bind9 as DNS forwarder)
===> at this step : no problem with RDP
*upgrade sernet samba to 4.2.1
===> now RDP connection (with DC user) hangs on "welcome" screen
*upgrade sernet samba to 4.2.2
===> RDP connection (with DC user) still hangs on "welcome" screen

Here are steps to reproduce problem on second scenario :
*Install ubuntu 14.04 LTS
*Provision domain with this command : samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive (with samba internal DNS, and a bind9 as DNS forwarder)
===> RDP connection (with DC user) hangs on "welcome" screen
*Upgrade sernet samba to 4.2.2
===> RDP connection (with DC user) still hangs on "welcome" screen


I can do other tests if you want.
Comment 63 Patrick W. Barnes 2015-06-09 14:32:02 UTC
I have run into the originally-reported problem and can confirm that Volker's patch does NOT resolve the issue on an existing domain.

The first time I hit this issue was with an upgrade of an older Samba 4 domain. I have repeatedly set up new Samba 4 domains and new Windows Server 2012 R2 Remote Desktop hosts, and have consistently hit this issue.

== My Setup ==

Fedora 21 host with Samba 4 built from samba.org sources (no Fedora samba packages installed). I have used recent release tarballs and git clone from master with the same results.

Packages installed:
  yum install \
   avahi-devel \
   bind-utils \
   cups-devel \
   gcc \
   git \
   gnutls-devel \
   krb5-workstation \
   libacl-devel \
   make \
   openldap-devel \
   pam-devel \
   pwgen \
   python-devel
  yum group install "Printing Support" --exclude=samba-client

Build Configuration:
  ./configure.developer \
   -j 2 \
   --with-ads \
   --with-ldap \
   --enable-cups \
   --with-quotas \
   --enable-avahi \
   --with-acl-support \
   --with-dnsupdate \
   --with-syslog \
   --prefix=/opt/samba4 \
   --sysconfdir=/etc \
   --localstatedir=/var \
   --enable-fhs

Provisioning:
  samba-tool domain provision --use-rfc2307 --interactive

I'm using bind 9.9 for DNS. This is the same process and configuration that I had previously used with Samba 4.0.x and 4.1.x without issue.

After I have created a domain and tested basic functionality, I proceed with installing Windows Server 2012 R2. I apply all available updates, then connect it to the domain. I then run the Remote Desktop installation. After completing the Remote Desktop configuration, I can successfully log in at the console or using any local (non-domain) account via RDP. The first time I log in with a domain account via RDP, it will hang at the "Welcome" screen and the RD server will become largely unresponsive, requiring a forced reboot of the RD server or a restart of Samba to recover.

I have tried applying Volker's patch, rebuilding and reinstalling Samba and testing with an existing domain and RD server. I have not rebuilt a domain and RD server with the patch applied.
Comment 64 Volker Lendecke 2015-06-09 19:42:24 UTC
Would any of the people with reproducers be able and willing to give a samba developer login on such a DC? I'd take network traces and watch the corresponding processes, attach to some with gdb or so, depending on what I find.
Comment 65 Patrick W. Barnes 2015-06-09 21:08:45 UTC
@Volker

I'm going to try to reproduce the problem in an isolated network. If I succeed, I'll get you access to it.
Comment 66 Andreas Schneider 2015-06-15 14:28:38 UTC
This issue could be fixed in master with:

commit ab26e84da15c636ecd772afcba740b307e1a5a79
Author: Volker Lendecke <vl@samba.org>
Date:   Wed Jun 3 13:41:24 2015 +0000

    tstream: Make socketpair nonblocking
    
    When we have a large RPC reply, we can't block in the RPC server.
    
    Test: Do rpcclient netshareenumall with a thousand shares defined
    
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
Comment 67 Volker Lendecke 2015-06-15 14:39:07 UTC
(In reply to Andreas Schneider from comment #66)

Comment 63 says this does not fix it.

I've got login info from the reporter. I will try to diagnose what is going on later this week.
Comment 68 Volker Lendecke 2015-06-16 13:18:12 UTC
(In reply to Volker Lendecke from comment #67)

Got one step further: It is a (to me at least) subtle problem with GSSAPI. Metze is working on it, he says it's possibly an unexpected behaviour of Fedora 21's system kerberos and gss libs.
Comment 69 Alex MacCuish 2015-06-16 15:43:43 UTC
(In reply to Volker Lendecke from comment #68)
I have the issue and I'm running Debian, so I don't think it'll be a Fedora-specific problem.
Comment 70 Stefan Metzmacher 2015-06-16 16:27:11 UTC
Created attachment 11162
Work in progress patches (on master)

This fixes the problem for me, but it needs a bit more work.

The problem is that the source3 rpc server uses 8 byte aligned padding relative
to the pdu start, while windows uses 16 byte aligned padding relative to the
payload start. The heimdal gss_wrap() (called in gensec_gssapi_seal_packet()) code assumes the windows behaviour when working in dce_style mode. Otherwise it generates a too-short signature, 68 bytes in this case, instead of the expected 76 bytes returned by gensec_gssapi_sig_size().
Comment 71 Jeremy Allison 2015-06-16 16:48:23 UTC
(In reply to Stefan (metze) Metzmacher from comment #70)

> The problem is that the source3 rpc server uses 8 byte aligned padding relative
> to the pdu start, while windows uses 16 byte aligned padding relative to the
> payload start.

Oh, that is genius logic - congratulations! How did you realize the padding alignments were different? Are the padding requirements specified in one of the MS-XXX docs?
Comment 72 Andrew Bartlett 2015-06-16 22:44:31 UTC
Comment on attachment 11162
Work in progress patches (on master)

Wow!  A big thanks to everyone who worked on this!
Comment 73 Dron 2015-06-17 07:16:08 UTC
I can confirm that this issue is not only on Fedora or Linux. I have the same issue on FreeBSD with heimdal.
Comment 74 Mario 2015-06-17 12:39:00 UTC
Wow, great, Stefan!

Is the patch going to be added to the samba 4.2.3 release? That would be great!
Comment 75 brudas 2015-06-18 08:37:51 UTC
Hello!

Is it possible to apply this patch to 4.4.2?
I would like to rebuild the Sernet packages with the patch applied and test whether it helps me in the same case.
Also, if you still need a sandbox with this issue reproduced - I can help.
Comment 76 brudas 2015-06-18 15:00:09 UTC
Hello, I can confirm that attachment 11162 applied to the Sernet 4.4.2-8 packages resolved the issue for me.

Thank you.
Comment 77 Patrick W. Barnes 2015-06-19 17:28:42 UTC
I have now tested the WIP patches in several affected environments and can happily report that they work wonderfully. A big thanks to all who contributed to getting this fixed!
Comment 78 Stefan Metzmacher 2015-06-22 20:20:58 UTC
Created attachment 11184
Possible patches for master

Can someone verify these patches also fix the problem?
Comment 79 Andreas Schneider 2015-06-23 07:34:50 UTC
Comment on attachment 11184
Possible patches for master

In dcerpc_ship_next_request() you could also use the constant instead of 16.

chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT);

Besides that, the patchset looks good! Great work ...
Comment 80 Stefan Metzmacher 2015-06-23 08:10:41 UTC
(In reply to Andreas Schneider from comment #79)

That's [PATCH 09/16] s4:librpc/rpc: let dcerpc_ship_next_request() use
 DCERPC_AUTH_PAD_ALIGNMENT define...
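
The two padding rules described in comment 70 and the chunk rounding quoted in comment 79, modeled as an added example (not Samba's code and not part of the bug thread). `HDR_LEN`, `OLD_PAD_ALIGNMENT` and the function names are assumptions for illustration; `DCERPC_AUTH_PAD_ALIGNMENT` and its value 16 are as quoted in comment 79.

```c
#include <stddef.h>
#include <stdio.h>

#define DCERPC_AUTH_PAD_ALIGNMENT 16 /* name and value as quoted in comment 79 */
#define OLD_PAD_ALIGNMENT 8          /* assumption: name for the 8-byte rule in comment 70 */
#define HDR_LEN 24                   /* assumption: request/response header, no object UUID */

/* Rule attributed to the source3 rpc server: pad so that header + payload
 * ends on an 8-byte boundary measured from the start of the PDU. */
static size_t pad_pdu_relative(size_t hdr_len, size_t payload_len)
{
	size_t mod = (hdr_len + payload_len) % OLD_PAD_ALIGNMENT;
	return mod ? OLD_PAD_ALIGNMENT - mod : 0;
}

/* Rule attributed to Windows: pad so that the payload alone ends on a
 * 16-byte boundary measured from the start of the payload. */
static size_t pad_payload_relative(size_t payload_len)
{
	size_t mod = payload_len % DCERPC_AUTH_PAD_ALIGNMENT;
	return mod ? DCERPC_AUTH_PAD_ALIGNMENT - mod : 0;
}

/* Count payload lengths in [1, max_len] for which the two rules disagree. */
static size_t count_mismatches(size_t max_len)
{
	size_t n = 0;
	for (size_t len = 1; len <= max_len; len++) {
		if (pad_pdu_relative(HDR_LEN, len) != pad_payload_relative(len))
			n++;
	}
	return n;
}

/* Rounding from comment 79: trim a fragment's payload size down to a
 * multiple of the alignment so that the fragment needs no padding. */
static size_t round_chunk(size_t chunk_size)
{
	chunk_size -= (chunk_size % DCERPC_AUTH_PAD_ALIGNMENT);
	return chunk_size;
}

int main(void)
{
	for (size_t len = 1; len <= 16; len++)
		printf("payload %2zu: pdu-relative/8 pad=%zu  payload-relative/16 pad=%zu\n",
		       len, pad_pdu_relative(HDR_LEN, len), pad_payload_relative(len));
	printf("disagreeing lengths in 1..16: %zu\n", count_mismatches(16));
	printf("chunk 5000 -> %zu\n", round_chunk(5000));
	return 0;
}
```

With a 24-byte header the two rules agree only when the payload length modulo 16 is 0 or 9 through 15; for every other length the peer expecting the 16-byte rule sees 8 bytes less padding than it assumes.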
Comment 81 andre.freire 2015-06-24 16:41:16 UTC
Hi guys,

I'm using Samba 4.2 built from source. How do I apply this patch? Can you help me?

Thanks!!
Comment 82 andre.freire 2015-06-25 23:59:18 UTC
Hi!

I applied the patch and everything works fine.

Thanks.
Comment 83 Tom Diehl 2015-06-27 10:56:26 UTC
I can also confirm that the patches in master have resolved this problem for me.

Thanks for fixing this.
Comment 84 Dron 2015-06-30 07:35:48 UTC
Hello.
Is this fix planned to be included in 4.2.3?
Comment 85 Stefan Metzmacher 2015-06-30 08:19:13 UTC
Created attachment 11212
Patches for v4-2-test
Comment 86 Stefan Metzmacher 2015-06-30 08:19:54 UTC
Created attachment 11213
Patches for v4-1-test
Comment 87 Andreas Schneider 2015-06-30 09:06:23 UTC
Comment on attachment 11213
Patches for v4-1-test

LGTM. This patchset also includes the tests for our testsuite.
Comment 88 Andreas Schneider 2015-06-30 09:07:03 UTC
Karolin, please push to 4.1 and 4.2. Thanks!
Comment 89 Karolin Seeger 2015-07-05 19:17:16 UTC
Pushed to autobuild-v4-[1|2]-test.
Comment 90 Karolin Seeger 2015-07-16 09:36:55 UTC
(In reply to Karolin Seeger from comment #89)
Pushed to both branches.
Closing out bug report.

Thanks!