Bug 13949 - Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.10.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-15 15:50 UTC by Arvid Requate
Modified: 2020-09-16 10:12 UTC (History)
CC List: 6 users

See Also:


Attachments
Patch for v4-9-test (6.81 KB, patch)
2019-07-02 07:39 UTC, Stefan Metzmacher
asn: review+
Patches for v4-10-test (6.81 KB, patch)
2019-07-02 07:40 UTC, Stefan Metzmacher
asn: review+

Description Arvid Requate 2019-05-15 15:50:23 UTC
We have a report by a customer that is using VMWare Horizon Quickprep to provision and join Microsoft Windows clients into a Samba/AD domain and sees Samba error messages like these, before the tool finally runs into a timeout and gives up:

[2019/05/14 15:32:29.589434,  0, pid=602] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was Win-Cient$

As a workaround the "server schannel" parameter can be set to "auto" in smb.conf and then it works.

The man page asks to report cases like these, to vote against the announced removal of this deprecated parameter: "This option is deprecated with Samba 4.8 and will be removed in future. At the same time the default changed to yes, which will be the hardcoded behavior in future. If you have the need for the behavior of "auto" to be kept, please file a bug at https://bugzilla.samba.org."
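The bug description above gives two concrete artifacts an administrator has to work with: the level-0 log message that dcesrv_netr_ServerAuthenticate3_helper emits when a client does not offer schannel, and the "server schannel" parameter in smb.conf that the workaround relaxes to "auto". The following Python is an added example, not Samba code and not something from this bug: it extracts which machine accounts are being refused from Samba log text, and reports whether an smb.conf [global] section has relaxed "server schannel" (the default has been "yes" since Samba 4.8). The log lines and smb.conf fragments are constructed for the example; only the message format is taken from the bug description. Knowing exactly which accounts fail is what you want before deciding whether to keep the workaround, given the CVE-2020-1472 warning at the end of this thread.

```python
"""Added example (not Samba code): audit Samba logs and smb.conf for the
"schannel required but client failed to offer it" situation from this bug."""
import re
from collections import Counter

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.uuuuuu,  level, pid=NNN] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)\]\s*"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
# Message text as quoted in the bug description.
SCHANNEL_RE = re.compile(
    r"schannel required but client failed to offer it\. Client was (?P<client>\S+)"
)

# Constructed sample log: the first entry is the one from the bug report,
# the others are made up to show counting per machine account.
SAMPLE_LOG = """\
[2019/05/14 15:32:29.589434,  0, pid=602] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was Win-Cient$
[2019/05/14 15:32:31.001122,  0, pid=602] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was Win-Cient$
[2019/05/14 15:32:40.123456,  0, pid=602] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was VDI-02$
"""

# Constructed smb.conf fragments: the workaround from the bug beside the default.
RELAXED_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    # workaround from the bug report: accept clients that do not offer schannel
    server schannel = auto
"""
DEFAULT_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    ; default since Samba 4.8
    server schannel = yes
"""


def schannel_failures(log_text):
    """Return {machine_account: count} of clients refused for not offering schannel."""
    hits = Counter()
    func = None  # function named in the most recent debug header
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            func = m.group("func")
            continue
        m = SCHANNEL_RE.search(line)
        if m and func == "dcesrv_netr_ServerAuthenticate3_helper":
            hits[m.group("client")] += 1
    return dict(hits)


def server_schannel_setting(smb_conf):
    """Effective "server schannel" value from [global]; defaults to "yes" when unset."""
    section = None
    value = "yes"
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # parameter names are case- and whitespace-insensitive in smb.conf
            if key.replace(" ", "").strip().lower() == "serverschannel":
                value = val.strip().lower()
    return value


def audit(log_text, smb_conf):
    """Combine both checks into one report dict."""
    setting = server_schannel_setting(smb_conf)
    return {
        "server_schannel": setting,
        "relaxed": setting in ("auto", "no"),
        "failing_clients": schannel_failures(log_text),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, RELAXED_CONF))
```

The config parser is deliberately minimal (no includes, no per-share overrides); for the live configuration the authoritative check is `testparm -s --parameter-name="server schannel"`, which prints the value Samba will actually use.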
Comment 1 Arvid Requate 2019-05-21 10:34:34 UTC
Relaying reported feedback from VMware:

"What’s happening here is that Samba is enforcing schannel use in all cases in order to remove legacy client support.
However, the offline domain join used by NGVC, which is suitably secured with an encrypted password, is falling foul of Samba’s blanket enforcement of schannel.
 
In fact, offline domain joins by any client will be barred by Samba by default (unlike the most recent version of AD!).
That’s a Samba issue."

This is just cut&paste from an email, I cannot speak for VMWare.
Comment 2 Stefan Metzmacher 2019-05-23 06:20:19 UTC
(In reply to Arvid Requate from comment #1)

Hi Arvid,

do you have a network capture? (with server schannel = yes and
server schannel = auto) when using 4.10, which has support
for security context multiplexing, see bug #11892 and bug #13464 ?
Comment 3 Stefan Metzmacher 2019-05-23 06:21:16 UTC
(In reply to Arvid Requate from comment #1)

It would be good to know how the offline join is supposed to work.
Comment 4 Stefan Metzmacher 2019-05-27 10:52:28 UTC
A Link with some background about the situation:

Differences between VMware ClonePrep, QuickPrep and Microsoft Sysprep
https://kb.vmware.com/s/article/2003797
Comment 5 Stefan Metzmacher 2019-07-02 07:39:31 UTC
Created attachment 15271
Patch for v4-9-test
Comment 6 Stefan Metzmacher 2019-07-02 07:40:10 UTC
Created attachment 15272
Patches for v4-10-test
Comment 7 Andreas Schneider 2019-07-02 13:30:19 UTC
Karo, please apply the patches to the relevant branches. Thanks!
Comment 8 Karolin Seeger 2019-07-08 11:37:53 UTC
(In reply to Andreas Schneider from comment #7)
Pushed to autobuild-v4-{10,9}-test
Comment 9 trenta 2019-07-08 13:14:59 UTC
Hi,

One question: I don't see it in the release notes of 4.10.6. Has it been added,
or in which version will it be added?

Thanks
Comment 10 Stefan Metzmacher 2019-07-08 13:21:39 UTC
(In reply to trenta from comment #9)

No, this is targeted to the next set of bugfix releases.
Comment 11 Karolin Seeger 2019-08-06 07:49:21 UTC
(In reply to Karolin Seeger from comment #8)
Pushed to both branches.
Closing out bug report.

Thanks!
Comment 12 Stefan Metzmacher 2020-09-16 10:12:57 UTC
Please notice that "server schannel = auto" or "server schannel = no"
is very dangerous, see
[CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogin"
https://bugzilla.samba.org/show_bug.cgi?id=14497