Bug 14867 - Printing no longer works on Windows 7 with 2021-10 monthly rollup patch (KB5006743)
Summary: Printing no longer works on Windows 7 with 2021-10 monthly rollup patch (KB50...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 4.14.5
Hardware: All All
: P5 major with 15 votes (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-17 08:47 UTC by Jerome Borsboom
Modified: 2021-11-24 08:31 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jerome Borsboom 2021-10-17 08:47:16 UTC
After installing the 2021-10 Monthly Rollup patch (KB5006743), printing no longer works on my Windows 7 clients. Those clients are joined on a Samba 4.14.5 AD-DC, that is configured as a print server with point-n-print drivers installed. Deinstalling the patch recovers the printing ability.

The log.smbd is filled with lines like

[2021/10/16 09:02:13.643376,  0, pid=549200, effective(1001, 100), real(1001, 0), class=rpc_srv] ../../source3/rpc_server/rpc_server.c:743(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

More context around this line:

[2021/10/16 09:02:13.637421, 10, pid=549200, effective(1001, 100), real(1001, 0)] ../../librpc/rpc/dcerpc_util.c:403(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 0
[2021/10/16 09:02:13.637551,  5, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth.c:537(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'active directory domain controller'
[2021/10/16 09:02:13.637629,  5, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match samba4
[2021/10/16 09:02:13.637733,  5, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method samba4 has a valid init
[2021/10/16 09:02:13.637867,  3, pid=549200, effective(1001, 100), real(1001, 0)] ../../lib/util/util.c:215(directory_create_or_exist)
  directory_create_or_exist: mkdir failed on directory /var/lib/samba/private/msg.sock: Permission denied
[2021/10/16 09:02:13.637958,  1, pid=549200, effective(1001, 100), real(1001, 0), class=auth] ../../source3/auth/auth_samba4.c:244(prepare_gensec)
  imessaging_init failed
[2021/10/16 09:02:13.638046,  0, pid=549200, effective(1001, 100), real(1001, 0), class=rpc_srv] ../../source3/rpc_server/rpc_server.c:743(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/10/16 09:02:13.639254,  1, pid=549200, effective(1001, 100), real(1001, 0)] ../../librpc/rpc/dcesrv_auth.c:135(dcesrv_auth_prepare_gensec)
  Failed to call samba_server_gensec_start NT_STATUS_INVALID_SERVER_STATE

Some packet tracing shows that with the Montly Rollup applied the Windows 7 client adds 'Auth Info' to the DCE/RPC bind request, which is followed by a Bind_nak

SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Write (9)
        Credits requested: 1
        Flags: 0x00000008, Signing
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY1
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (13)
        Process Id: 0x0000feff
        Tree Id: 0x14bfb246  \\DC01\IPC$
            [Tree: \\DC01\IPC$]
            [Share Type: Named pipe (0x02)]
            [Connected in Frame: 17]
        Session Id: 0x00000000275e54f9
        Signature: cfee4e79bcab7503381771b912e275ce
    Write Request (0x09)
        StructureSize: 0x0031
            0000 0000 0011 000. = Fixed Part Length: 24
            .... .... .... ...1 = Dynamic Part: True
        Data Offset: 0x0070
        Write Length: 224
        File Offset: 0
        GUID handle File: spoolss
            File Id: 73c4d430-0000-0000-ab84-c94d00000000
            [Frame handle opened: 32]
        Channel: None (0x00000000)
        Remaining Bytes: 0
        Write Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Write through: False
        Blob Offset: 0x00000000
        Blob Length: 0
        Channel Info Blob: NO DATA
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 224, Call: 2
    Version: 5
    Version (minor): 0
    Packet type: Bind (11)
    Packet Flags: 0x07
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .1.. = Cancel Pending: Set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 224
    Auth Length: 56
    Call ID: 2
    Max Xmit Frag: 4280
    Max Recv Frag: 4280
    Assoc Group: 0x00000000
    Num Ctx Items: 3
    Ctx Item[1]: Context ID:0, SPOOLSS, 32bit NDR
        Context ID: 0
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 32bit NDR V2
            Transfer Syntax: 32bit NDR UUID:8a885d04-1ceb-11c9-9fe8-08002b104860
            ver: 2
    Ctx Item[2]: Context ID:1, SPOOLSS, 64bit NDR
        Context ID: 1
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 64bit NDR V1
            Transfer Syntax: 64bit NDR UUID:71710533-beba-4937-8319-b5dbef9ccc36
            ver: 1
    Ctx Item[3]: Context ID:2, SPOOLSS, Bind Time Feature Negotiation
        Context ID: 2
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: Bind Time Feature Negotiation V1
            Transfer Syntax: Bind Time Feature Negotiation UUID:6cb71c2c-9812-4540-0300-000000000000
            Bind Time Features: 0x0003, Security Context Multiplexing Supported, Keep Connection On Orphan Supported
                .... .... .... ...1 = Security Context Multiplexing Supported: True
                .... .... .... ..1. = Keep Connection On Orphan Supported: True
            ver: 1
    Auth Info: NTLMSSP, Packet privacy, AuthContextId(0)
        Auth type: NTLMSSP (10)
        Auth level: Packet privacy (6)
        Auth pad len: 0
        Auth Rsrvd: 0
        Auth Context ID: 0
        NTLM Secure Service Provider
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
            Negotiate Flags: 0xe208b2b7, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Extended Security, Negotiate Always Sign, Negotiate OEM Workstation Supplied, Negotiate OEM Domain Supplied, Negotiate NTLM key,
                1... .... .... .... .... .... .... .... = Negotiate 56: Set
                .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                .... ..1. .... .... .... .... .... .... = Negotiate Version: Set
                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                .... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
                .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
                .... .... .... .0.. .... .... .... .... = Target Type Share: Not set
                .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                .... .... .... .... ..1. .... .... .... = Negotiate OEM Workstation Supplied: Set
                .... .... .... .... ...1 .... .... .... = Negotiate OEM Domain Supplied: Set
                .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                .... .... .... .... .... .... 1... .... = Negotiate Lan Manager Key: Set
                .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                .... .... .... .... .... .... ..1. .... = Negotiate Seal: Set
                .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                .... .... .... .... .... .... .... .1.. = Request Target: Set
                .... .... .... .... .... .... .... ..1. = Negotiate OEM: Set
                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
            Calling workstation domain: CARPALIS
                Length: 8
                Maxlen: 8
                Offset: 48
            Calling workstation name: NB000002
                Length: 8
                Maxlen: 8
                Offset: 40
            Version 6.1 (Build 7601); NTLM Current Revision 15
                Major Version: 6
                Minor Version: 1
                Build Number: 7601
                NTLM Current Revision: 15

Without the Rollup there is no 'Auth Info' and a Bind_ack:

SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Write (9)
        Credits requested: 1
        Flags: 0x00000008, Signing
            .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST
            .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command
            .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command
            .... .... .... .... .... .... .... 1... = Signing: This pdu is SIGNED
            .... .... .... .... .... .... .000 .... = Priority: This pdu does NOT contain a PRIORITY1
            ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation
            ..0. .... .... .... .... .... .... .... = Replay operation: This is NOT a replay operation
        Chain Offset: 0x00000000
        Message ID: Unknown (14)
        Process Id: 0x0000feff
        Tree Id: 0x7ca43ecf  \\dc01\IPC$
            [Tree: \\dc01\IPC$]
            [Share Type: Named pipe (0x02)]
            [Connected in Frame: 18]
        Session Id: 0x0000000037429511
        Signature: 5d40b3ffe9f2f581b558a50c9aa8291e
    Write Request (0x09)
        StructureSize: 0x0031
            0000 0000 0011 000. = Fixed Part Length: 24
            .... .... .... ...1 = Dynamic Part: True
        Data Offset: 0x0070
        Write Length: 160
        File Offset: 0
        GUID handle File: spoolss
            File Id: 71e1653f-0000-0000-c1f4-fb7900000000
            [Frame handle opened: 39]
        Channel: None (0x00000000)
        Remaining Bytes: 0
        Write Flags: 0x00000000
            .... .... .... .... .... .... .... ...0 = Write through: False
        Blob Offset: 0x00000000
        Blob Length: 0
        Channel Info Blob: NO DATA
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 160, Call: 2
    Version: 5
    Version (minor): 0
    Packet type: Bind (11)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 160
    Auth Length: 0
    Call ID: 2
    Max Xmit Frag: 4280
    Max Recv Frag: 4280
    Assoc Group: 0x00000000
    Num Ctx Items: 3
    Ctx Item[1]: Context ID:0, SPOOLSS, 32bit NDR
        Context ID: 0
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 32bit NDR V2
            Transfer Syntax: 32bit NDR UUID:8a885d04-1ceb-11c9-9fe8-08002b104860
            ver: 2
    Ctx Item[2]: Context ID:1, SPOOLSS, 64bit NDR
        Context ID: 1
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: 64bit NDR V1
            Transfer Syntax: 64bit NDR UUID:71710533-beba-4937-8319-b5dbef9ccc36
            ver: 1
    Ctx Item[3]: Context ID:2, SPOOLSS, Bind Time Feature Negotiation
        Context ID: 2
        Num Trans Items: 1
        Abstract Syntax: SPOOLSS V1.0
            Interface: SPOOLSS UUID: 12345678-1234-abcd-ef00-0123456789ab
            Interface Ver: 1
            Interface Ver Minor: 0
        Transfer Syntax[1]: Bind Time Feature Negotiation V1
            Transfer Syntax: Bind Time Feature Negotiation UUID:6cb71c2c-9812-4540-0300-000000000000
            Bind Time Features: 0x0003, Security Context Multiplexing Supported, Keep Connection On Orphan Supported
                .... .... .... ...1 = Security Context Multiplexing Supported: True
                .... .... .... ..1. = Keep Connection On Orphan Supported: True
            ver: 1

If necessary, I am happy to provide complete logs and packet traces.
Comment 1 Andrew Bartlett 2021-11-23 17:15:46 UTC
See this thread on the samba mailing list.

https://lists.samba.org/archive/samba/2021-November/238662.html

It looks like a simple case of a missing 'become_root()' somewhere before we try to set up messaging in the authentication codepath, likely because the client has changed from plain ncacn_np pipes to encrypted DCE/RPC.