After installing the 2021-10 Monthly Rollup patch (KB5006743), printing no longer works on my Windows 7 clients. Those clients are joined to a Samba 4.14.5 AD-DC that is configured as a print server with point-n-print drivers installed. Uninstalling the patch restores the printing ability.

The log.smbd is filled with lines like

[2021/10/16 09:02:13.643376, 0, pid=549200, effective(1001, 100), real(1001, 0), class=rpc_srv] ../../source3/rpc_server/rpc_server.c:743(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

More context around this line:

[2021/10/16 09:02:13.637421, 10, pid=549200, effective(1001, 100), real(1001, 0)] ../../librpc/rpc/dcerpc_util.c:403(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 0
[2021/10/16 09:02:13.637551, 5, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth.c:537(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'active directory domain controller'
[2021/10/16 09:02:13.637629, 5, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match samba4
[2021/10/16 09:02:13.637733, 5, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method samba4 has a valid init
[2021/10/16 09:02:13.637867, 3, pid=549200, effective(1001, 100), real(1001, 0)] ../../lib/util/util.c:215(directory_create_or_exist)
  directory_create_or_exist: mkdir failed on directory /var/lib/samba/private/msg.sock: Permission denied
[2021/10/16 09:02:13.637958, 1, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth_samba4.c:244(prepare_gensec)
  imessaging_init failed
[2021/10/16 09:02:13.638046, 0, pid=549200, effective(1001, 100), real(1001, 0), class=rpc_srv] ../../source3/rpc_server/rpc_server.c:743(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/10/16 09:02:13.639254, 1, pid=549200, effective(1001, 100), real(1001, 0)] ../../librpc/rpc/dcesrv_auth.c:135(dcesrv_auth_prepare_gensec)
  Failed to call samba_server_gensec_start NT_STATUS_INVALID_SERVER_STATE

Some packet tracing shows that with the Monthly Rollup applied the Windows 7 client adds 'Auth Info' to the DCE/RPC bind request, which is followed by a Bind_nak:

SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Write (9)
        Credits requested: 1
        Flags: 0x00000008, Signing
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY1
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (13)
        Process Id: 0x0000feff
        Tree Id: 0x14bfb246 \\DC01\IPC$
            [Tree: \\DC01\IPC$]
            [Share Type: Named pipe (0x02)]
            [Connected in Frame: 17]
        Session Id: 0x00000000275e54f9
        Signature: cfee4e79bcab7503381771b912e275ce
    Write Request (0x09)
        StructureSize: 0x0031
            0000 0000 0011 000. = Fixed Part Length: 24
            .... .... .... ...1 = Dynamic Part: True
        Data Offset: 0x0070
        Write Length: 224
        File Offset: 0
        GUID handle File: spoolss
            File Id: 73c4d430-0000-0000-ab84-c94d00000000
            [Frame handle opened: 32]
        Channel: None (0x00000000)
        Remaining Bytes: 0
        Write Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Write through: False
        Blob Offset: 0x00000000
        Blob Length: 0
        Channel Info Blob: NO DATA
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 224, Call: 2
    Version: 5
    Version (minor): 0
    Packet type: Bind (11)
    Packet Flags: 0x07
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .1.. = Cancel Pending: Set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 224
    Auth Length: 56
    Call ID: 2
    Max Xmit Frag: 4280
    Max Recv Frag: 4280
    Assoc Group: 0x00000000
    Num Ctx Items: 3
    Ctx Item[1]: Context ID:0, SPOOLSS, 32bit NDR
        Context ID: 0
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 32bit NDR V2
            Transfer Syntax: 32bit NDR UUID:8a885d04-1ceb-11c9-9fe8-08002b104860
            ver: 2
    Ctx Item[2]: Context ID:1, SPOOLSS, 64bit NDR
        Context ID: 1
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 64bit NDR V1
            Transfer Syntax: 64bit NDR UUID:71710533-beba-4937-8319-b5dbef9ccc36
            ver: 1
    Ctx Item[3]: Context ID:2, SPOOLSS, Bind Time Feature Negotiation
        Context ID: 2
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: Bind Time Feature Negotiation V1
            Transfer Syntax: Bind Time Feature Negotiation UUID:6cb71c2c-9812-4540-0300-000000000000
                Bind Time Features: 0x0003, Security Context Multiplexing Supported, Keep Connection On Orphan Supported
                    .... .... .... ...1 = Security Context Multiplexing Supported: True
                    .... .... .... ..1. = Keep Connection On Orphan Supported: True
            ver: 1
    Auth Info: NTLMSSP, Packet privacy, AuthContextId(0)
        Auth type: NTLMSSP (10)
        Auth level: Packet privacy (6)
        Auth pad len: 0
        Auth Rsrvd: 0
        Auth Context ID: 0
        NTLM Secure Service Provider
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
            Negotiate Flags: 0xe208b2b7, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Extended Security, Negotiate Always Sign, Negotiate OEM Workstation Supplied, Negotiate OEM Domain Supplied, Negotiate NTLM key,
                1... .... .... .... .... .... .... .... = Negotiate 56: Set
                .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                .... ..1. .... .... .... .... .... .... = Negotiate Version: Set
                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                .... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
                .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
                .... .... .... .0.. .... .... .... .... = Target Type Share: Not set
                .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                .... .... .... .... ..1. .... .... .... = Negotiate OEM Workstation Supplied: Set
                .... .... .... .... ...1 .... .... .... = Negotiate OEM Domain Supplied: Set
                .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                .... .... .... .... .... .... 1... .... = Negotiate Lan Manager Key: Set
                .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                .... .... .... .... .... .... ..1. .... = Negotiate Seal: Set
                .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                .... .... .... .... .... .... .... .1.. = Request Target: Set
                .... .... .... .... .... .... .... ..1. = Negotiate OEM: Set
                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
            Calling workstation domain: CARPALIS
                Length: 8
                Maxlen: 8
                Offset: 48
            Calling workstation name: NB000002
                Length: 8
                Maxlen: 8
                Offset: 40
            Version 6.1 (Build 7601); NTLM Current Revision 15
                Major Version: 6
                Minor Version: 1
                Build Number: 7601
                NTLM Current Revision: 15

Without the Rollup there is no 'Auth Info' and a Bind_ack:

SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Write (9)
        Credits requested: 1
        Flags: 0x00000008, Signing
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY1
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (14)
        Process Id: 0x0000feff
        Tree Id: 0x7ca43ecf \\dc01\IPC$
            [Tree: \\dc01\IPC$]
            [Share Type: Named pipe (0x02)]
            [Connected in Frame: 18]
        Session Id: 0x0000000037429511
        Signature: 5d40b3ffe9f2f581b558a50c9aa8291e
    Write Request (0x09)
        StructureSize: 0x0031
            0000 0000 0011 000. = Fixed Part Length: 24
            .... .... .... ...1 = Dynamic Part: True
        Data Offset: 0x0070
        Write Length: 160
        File Offset: 0
        GUID handle File: spoolss
            File Id: 71e1653f-0000-0000-c1f4-fb7900000000
            [Frame handle opened: 39]
        Channel: None (0x00000000)
        Remaining Bytes: 0
        Write Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Write through: False
        Blob Offset: 0x00000000
        Blob Length: 0
        Channel Info Blob: NO DATA
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 160, Call: 2
    Version: 5
    Version (minor): 0
    Packet type: Bind (11)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 160
    Auth Length: 0
    Call ID: 2
    Max Xmit Frag: 4280
    Max Recv Frag: 4280
    Assoc Group: 0x00000000
    Num Ctx Items: 3
    Ctx Item[1]: Context ID:0, SPOOLSS, 32bit NDR
        Context ID: 0
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 32bit NDR V2
            Transfer Syntax: 32bit NDR UUID:8a885d04-1ceb-11c9-9fe8-08002b104860
            ver: 2
    Ctx Item[2]: Context ID:1, SPOOLSS, 64bit NDR
        Context ID: 1
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 64bit NDR V1
            Transfer Syntax: 64bit NDR UUID:71710533-beba-4937-8319-b5dbef9ccc36
            ver: 1
    Ctx Item[3]: Context ID:2, SPOOLSS, Bind Time Feature Negotiation
        Context ID: 2
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: Bind Time Feature Negotiation V1
            Transfer Syntax: Bind Time Feature Negotiation UUID:6cb71c2c-9812-4540-0300-000000000000
                Bind Time Features: 0x0003, Security Context Multiplexing Supported, Keep Connection On Orphan Supported
                    .... .... .... ...1 = Security Context Multiplexing Supported: True
                    .... .... .... ..1. = Keep Connection On Orphan Supported: True
            ver: 1

If necessary, I am happy to provide complete logs and packet traces.
See this thread on the samba mailing list. https://lists.samba.org/archive/samba/2021-November/238662.html It looks like a simple case of a missing 'become_root()' somewhere before we try to set up messaging in the authentication codepath, likely because the client has changed from plain ncacn_np pipes to encrypted DCE/RPC.
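A log triage sketch for the failure chain in the report's log.smbd excerpt, added here as an example and not part of the bug thread or of Samba: it flags a process that, while running with a non-root effective uid, fails to create msg.sock, then fails imessaging_init, then fails gensec preparation. The function names and the header-line-then-message-line layout are assumptions; the sample entries are copied from the report.

```python
import re

# Header of a log.smbd entry as it appears in the report (timestamp, level, pid, uids).
HEADER = re.compile(r"\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+, pid=(?P<pid>\d+), "
                    r"effective\((?P<euid>\d+), \d+\), real\(\d+, \d+\)")
# Messages that, in this order within one pid, make up the failure in the report.
CHAIN = [re.compile(p) for p in (
    r"mkdir failed on directory (\S+/msg\.sock): Permission denied",
    r"imessaging_init failed",
    r"Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE")]

def parse_entries(text):
    """Return [timestamp, pid, euid, message] per entry: header line plus message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append([m["ts"], int(m["pid"]), int(m["euid"]), ""])
        elif entries and line.strip():
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return entries

def find_unprivileged_gensec_failures(text):
    """Return one finding per completed CHAIN in a process whose effective uid is not 0."""
    step, findings = {}, []
    for ts, pid, euid, msg in parse_entries(text):
        n, path = step.get(pid, (0, None))
        m = CHAIN[n].search(msg) if euid != 0 else None
        if not m:
            continue
        path = m.group(1) if n == 0 else path
        step[pid] = (n + 1, path)
        if n + 1 == len(CHAIN):
            findings.append({"time": ts, "pid": pid, "euid": euid, "path": path})
            step[pid] = (0, None)
    return findings

# Entries copied from the report; header line then message line is the assumed layout.
SAMPLE_LOG = """\
[2021/10/16 09:02:13.637867, 3, pid=549200, effective(1001, 100), real(1001, 0)] ../../lib/util/util.c:215(directory_create_or_exist)
  directory_create_or_exist: mkdir failed on directory /var/lib/samba/private/msg.sock: Permission denied
[2021/10/16 09:02:13.637958, 1, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth_samba4.c:244(prepare_gensec)
  imessaging_init failed
[2021/10/16 09:02:13.638046, 0, pid=549200, effective(1001, 100), real(1001, 0), class=rpc_srv] ../../source3/rpc_server/rpc_server.c:743(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
"""

if __name__ == "__main__":
    print(find_unprivileged_gensec_failures(SAMPLE_LOG))
```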
The following reproduces the problem:

bin/smbtorture ncacn_np:172.31.9.163[spnego,seal] -P rpc.spoolss.printserver.enum_printers
Created attachment 17120: Patch for v4-16-test
Created attachment 17121: Patch for v4-15-test
Created attachment 17122: Patch for v4-14-test
This bug was referenced in samba master: 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9
Jule, please apply the patches to the relevant branches. Thanks!
Pushed to autobuild-v4-{16,15,14}-test.
This bug was referenced in samba v4-14-test: 9e3c363030dd3108d9658e87f7c4101d0b470c47
This bug was referenced in samba v4-15-test: e26270cbe587ebd297b2b0fbece3e9c0542862d0
This bug was referenced in samba v4-16-test: 20f84f11651e93c14818bcfcfe9b2fe259496ae3
Closing out bug report. Thanks!
This bug was referenced in samba v4-16-stable (Release samba-4.16.0rc2): 20f84f11651e93c14818bcfcfe9b2fe259496ae3
This bug was referenced in samba v4-15-stable (Release samba-4.15.6): e26270cbe587ebd297b2b0fbece3e9c0542862d0
This bug was referenced in samba v4-14-stable (Release samba-4.14.13): 9e3c363030dd3108d9658e87f7c4101d0b470c47