Bug 15197 - Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.10
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2022-10-10 14:13 UTC by Denis Cardon
Modified: 2022-11-07 17:29 UTC
Attachments
a test for Samba 4.15 that reproduces the issue (4.26 KB, patch), 2022-10-19 23:47 UTC, Joseph Sutton, no flags
Patch for Samba 4.12 (needs correct master commits for cherry-picked tests) (9.63 KB, patch), 2022-10-20 01:37 UTC, Andrew Bartlett, abartlet: ci-passed+
Patch for Samba 4.15 (needs correct master commits for cherry-picked tests) (9.63 KB, patch), 2022-10-20 01:38 UTC, Andrew Bartlett, abartlet: ci-passed+
Patch for Samba 4.15 (with cherry-pick markers) (10.01 KB, patch), 2022-10-20 05:20 UTC, Andrew Bartlett, abartlet: ci-passed+
Patch for Samba 4.12 (on top of maintained 4.12 backports tree) (10.01 KB, patch), 2022-10-20 05:27 UTC, Andrew Bartlett, abartlet: ci-passed+
Patch for Samba 4.15 v2 (with cherry-pick markers) (10.27 KB, patch), 2022-10-21 00:41 UTC, Joseph Sutton, jsutton: review+, jsutton: ci-passed+
Patch for Samba 4.12 (on top of maintained 4.12 backports tree) (10.27 KB, patch), 2022-10-21 00:41 UTC, Joseph Sutton, jsutton: review+, jsutton: ci-passed+
Patch for Samba 4.15 v3 (with cherry-pick markers) (10.26 KB, patch), 2022-10-21 03:05 UTC, Joseph Sutton, abartlet: review+, jsutton: ci-passed+
Patch for Samba 4.12 v3 (on top of maintained 4.12 backports tree) (10.26 KB, patch), 2022-10-21 03:06 UTC, Joseph Sutton, abartlet: review+, jsutton: ci-passed+

Description Denis Cardon 2022-10-10 14:13:45 UTC
Hi everyone,

we had a few calls lately from clients where a Win11 workstation upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.

There are a few related posts on reddit [1], and it seems to be linked to this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, probably due to the integration of Heimdal-8.0pre.

The issue is due to a timestamp in the TGS-REQ which is set to the max value by the Microsoft Kerberos client instead of the usual 2038 timestamp (till=99990913024805Z), and Microsoft says it is per the spec [3] and won't be changed.

I think this bug is going to get widespread quite fast as Microsoft starts force-feeding this upgrade to unsuspecting end users.

Only one supported version is impacted (4.15), but there should at least be more communication encouraging people to upgrade before they are bitten by this issue.

Andrew told me to open this bug report last week to keep track of this issue [4].

Cheers,

Denis

[1] https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
[2] https://github.com/heimdal/heimdal/issues/1011
[3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488
[4] https://lists.samba.org/archive/samba/2022-October/242058.html
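The report above turns on how a KDC treats the client's requested `till`. The following is an added example written for this page (not Samba or Heimdal code) showing the two halves of that: parsing an RFC 4120 KerberosTime and checking whether the 22H2 value still fits a signed 32-bit time field, and then deriving a ticket end time the way RFC 4120 3.1.3 / 3.3.3 describe, where `till` is only an upper bound that the KDC clamps to realm policy (and, for a TGS-REQ, to the TGT's own end time). The `now`, ten-hour maximum life, and the 20380119031407Z sample (exactly INT32_MAX seconds since the epoch) are constructed for the example.

```python
"""Parse RFC 4120 KerberosTime values and derive a ticket end time from a
client's requested 'till', treating it as an upper bound rather than a value
that has to fit the KDC's time representation.

Added example for this bug report; not Samba or Heimdal code. Sample values
are constructed: 99990913024805Z is the far-future 'till' named in the report,
20380119031407Z is a 'till' that is exactly INT32_MAX seconds since the epoch.
"""
import calendar
import re
from typing import Optional

INT32_MAX = 2**31 - 1

# KerberosTime is a GeneralizedTime restricted to 'YYYYMMDDhhmmssZ' (RFC 4120 5.2.3).
_KERBEROS_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_kerberos_time(value: str) -> int:
    """Return the KerberosTime as seconds since the Unix epoch (arbitrary precision)."""
    m = _KERBEROS_TIME.match(value)
    if m is None:
        raise ValueError(f"not a KerberosTime: {value!r}")
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    # calendar.timegm is plain integer arithmetic, so years up to 9999 are fine.
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def fits_32bit_time_t(value: str) -> bool:
    """True if the KerberosTime survives storage in a signed 32-bit time_t.

    A 'till' of 99990913024805Z does not: any KDC that narrows it to such a
    field before comparing sees a wrapped value instead of a far-future bound.
    """
    return parse_kerberos_time(value) <= INT32_MAX


def kdc_endtime(starttime: int, till: int, max_life: int,
                tgt_endtime: Optional[int] = None) -> int:
    """Ticket end time per RFC 4120 3.1.3 / 3.3.3.

    The KDC uses the earlier of the requested 'till' and starttime + max_life
    (realm policy); a ticket issued from a TGT must also not outlive that TGT.
    The requested 'till' is therefore only an upper bound, and a far-future
    value is legitimate input rather than an error.
    """
    if till <= starttime:
        # RFC 4120: KDC_ERR_NEVER_VALID when the requested lifetime is not usable
        raise ValueError("requested till is not after starttime (KDC_ERR_NEVER_VALID)")
    endtime = min(till, starttime + max_life)
    if tgt_endtime is not None:
        endtime = min(endtime, tgt_endtime)
    return endtime


def endtime_for_till(now: int, till_str: str, max_life: int,
                     tgt_endtime: Optional[int] = None) -> int:
    """Convenience wrapper: parse the wire-format 'till' and clamp it."""
    return kdc_endtime(now, parse_kerberos_time(till_str), max_life, tgt_endtime)


if __name__ == "__main__":
    now = 1_665_360_000      # constructed: 2022-10-10 00:00:00 UTC, about when the bug was filed
    ten_hours = 10 * 3600    # constructed realm policy: 10 h maximum ticket life
    for till in ("20380119031407Z", "99990913024805Z"):
        print(till, "fits 32-bit time_t:", fits_32bit_time_t(till),
              "-> endtime", endtime_for_till(now, till, ten_hours))
```

The point of the clamp is that a KDC which clamps never has to care how large `till` is; it only has to avoid narrowing it before the comparison. A KDC that instead rejects or mis-compares a `till` beyond what its time type holds refuses every TGS-REQ from a client that always sends the maximum, which is the symptom this report describes.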
Comment 1 Joseph Sutton 2022-10-19 23:47:16 UTC
Created attachment 17586
a test for Samba 4.15 that reproduces the issue
Comment 2 Andrew Bartlett 2022-10-20 01:37:51 UTC
Created attachment 17587
Patch for Samba 4.12 (needs correct master commits for cherry-picked tests)

A patch series for samba 4.12.  Tested manually with Windows Server vNext build 25217
Comment 3 Andrew Bartlett 2022-10-20 01:38:47 UTC
Created attachment 17588
Patch for Samba 4.15 (needs correct master commits for cherry-picked tests)
Comment 4 Andrew Bartlett 2022-10-20 01:42:42 UTC
Manual testing of these patches was with Windows_InsiderPreview_Server_vNext_en-us_25217
Comment 5 Samba QA Contact 2022-10-20 05:01:03 UTC
This bug was referenced in samba master:

67811e121fbef08337675d473390160793544719
50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
Comment 6 Andrew Bartlett 2022-10-20 05:20:38 UTC
Created attachment 17591
Patch for Samba 4.15 (with cherry-pick markers)
Comment 7 Andrew Bartlett 2022-10-20 05:27:57 UTC
Created attachment 17592
Patch for Samba 4.12 (on top of maintained 4.12 backports tree)

Tested on this tree maintained for a Catalyst customer https://gitlab.com/catalyst-samba/samba/-/tags/catalyst-4.12-backports-2022-10
Comment 8 Joseph Sutton 2022-10-21 00:41:02 UTC
Created attachment 17593
Patch for Samba 4.15 v2 (with cherry-pick markers)

This is an updated version of the previous patch that includes cherry-pick markers.
Comment 9 Joseph Sutton 2022-10-21 00:41:44 UTC
Created attachment 17594
Patch for Samba 4.12 (on top of maintained 4.12 backports tree)

And the same for 4.12.
Comment 10 Joseph Sutton 2022-10-21 03:05:36 UTC
Created attachment 17595
Patch for Samba 4.15 v3 (with cherry-pick markers)

cherry picked -> backported
Comment 11 Joseph Sutton 2022-10-21 03:06:33 UTC
Created attachment 17596
Patch for Samba 4.12 v3 (on top of maintained 4.12 backports tree)
Comment 12 Michael Tokarev 2022-10-21 07:41:39 UTC
Am I right that the only real impact of this issue is that Win11 22H2 can not join a Samba domain?

And the issue has become serious because of a suggestion someone made on the internet to work around this issue, which effectively turned Kerberos auth off, so together with the workaround the issue has become a huge security threat?
Comment 13 Andrew Bartlett 2022-10-21 08:20:43 UTC
The impact is that the KDC will never successfully issue a kerberos service ticket to a Windows 11 22H2 or Windows Server vNext (build 25217 was tested) client.  

The domain join is just the easiest case to test with from a blank setup. 

The workarounds essentially disable the KDC, as Samba since 4.12 does not ever issue DES tickets, so DES-only results in no available ciphers. 

The issue becomes serious because it essentially stops proper Samba operation as an AD DC to these clients.
Comment 14 Stefan Metzmacher 2022-10-21 10:02:18 UTC
Should this be included in a final 4.15 release? Maybe together with
https://bugzilla.samba.org/show_bug.cgi?id=15202 ?
Comment 15 Andrew Bartlett 2022-10-21 18:11:21 UTC
(In reply to Stefan Metzmacher from comment #14)
I wasn't going to dare ask the question in the busy lead-up to a security release, but on balance I think a release would show we (the Samba Team) have done everything we can for our users who didn't expect such an apparent regression.

The case for is that it would allow us to easily tell users who have issues that they need at least this version, and trigger a samba-announce mail that more folks might see and so know to upgrade.

The case against is that of the major distributions impacted, Ubuntu 22.04 has Samba 4.15 but not the latest version.  Debian is on earlier and later major versions for stable (4.13) and testing (4.16), Fedora uses MIT and of course SerNet will apply these I'm sure anyway. 

So it will help some, and if we can use it to get Ubuntu 22.04 to upgrade to this version then it will have been worth it.