15197 – Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

Bug 15197 - Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

Summary: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.15.10
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Stefan Metzmacher
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	15238
	Show dependency tree / graph

Reported:	2022-10-10 14:13 UTC by Denis Cardon
Modified:	2022-12-15 16:34 UTC (History)
CC List:	8 users (show)

See Also:	https://github.com/heimdal/heimdal/issues/1011 https://lists.samba.org/archive/samba/2022-October/242058.html https://gitlab.com/samba-team/samba/-/merge_requests/2759

Attachments
a test for Samba 4.15 that reproduces the issue (4.26 KB, patch) 2022-10-19 23:47 UTC, Jo Sutton	no flags	Details
Patch for Samba 4.12 (needs correct master commits for cherry-picked tests) (9.63 KB, patch) 2022-10-20 01:37 UTC, Andrew Bartlett	abartlet: ci-passed+	Details
Patch for Samba 4.15 (needs correct master commits for cherry-picked tests) (9.63 KB, patch) 2022-10-20 01:38 UTC, Andrew Bartlett	abartlet: ci-passed+	Details
Patch for Samba 4.15 (with cherry-pick markers) (10.01 KB, patch) 2022-10-20 05:20 UTC, Andrew Bartlett	abartlet: ci-passed+	Details
Patch for Samba 4.12 (on top of maintained 4.12 backports tree) (10.01 KB, patch) 2022-10-20 05:27 UTC, Andrew Bartlett	abartlet: ci-passed+	Details
Patch for Samba 4.15 v2 (with cherry-pick markers) (10.27 KB, patch) 2022-10-21 00:41 UTC, Jo Sutton	jsutton: review+ jsutton: ci-passed+	Details
Patch for Samba 4.12 (on top of maintained 4.12 backports tree) (10.27 KB, patch) 2022-10-21 00:41 UTC, Jo Sutton	jsutton: review+ jsutton: ci-passed+	Details
Patch for Samba 4.15 v3 (with cherry-pick markers) (10.26 KB, patch) 2022-10-21 03:05 UTC, Jo Sutton	abartlet: review+ jsutton: ci-passed+	Details
Patch for Samba 4.12 v3 (on top of maintained 4.12 backports tree) (10.26 KB, patch) 2022-10-21 03:06 UTC, Jo Sutton	abartlet: review+ jsutton: ci-passed+	Details
Patches for v4-15-test v4 (rebased on current v4-15-test) (10.33 KB, text/plain) 2022-12-14 16:25 UTC, Stefan Metzmacher	abartlet: review+	Details
Show Obsolete (8) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Denis Cardon 2022-10-10 14:13:45 UTC

Hi everyone,

we had a few call lately from clients where a win11 workstation upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.

There are a few related post on reddit [1] and it seems to be linked to this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, probably due to the integration of with Heimdal-8.0pre.

The issue is due to a timestamp in the TGS-REQ where it is set to max value in Microsoft kerberos client instead of the usual 2038 timestamp (till=99990913024805Z), and Microsoft says it is by the specs [3] and won't be changed.

I think this bug is going to get get widespread quite fast as Microsoft starts force-feeding this upgrade on unsuspicious end users.

There is only one supported version that is impacted (4.15), but it should at least be more communication to encourage people to upgrade before being bitten by this issue.

Andrew told me to open this bug report last week to keep track of this issue [4].

Cheers,

Denis

[1] https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
[2] https://github.com/heimdal/heimdal/issues/1011
[3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488
[4] https://lists.samba.org/archive/samba/2022-October/242058.html

Comment 1 Jo Sutton 2022-10-19 23:47:16 UTC

Created attachment 17586 [details]
a test for Samba 4.15 that reproduces the issue

Comment 2 Andrew Bartlett 2022-10-20 01:37:51 UTC

Created attachment 17587 [details]
Patch for Samba 4.12 (needs correct master commits for cherry-picked tests)

A patch series for samba 4.12.  Tested manually with Windows Server vNext build 25217

Comment 3 Andrew Bartlett 2022-10-20 01:38:47 UTC

Created attachment 17588 [details]
Patch for Samba 4.15 (needs correct master commits for cherry-picked tests)

Comment 4 Andrew Bartlett 2022-10-20 01:42:42 UTC

Manual testing of these patches was with Windows_InsiderPreview_Server_vNext_en-us_25217

Comment 5 Samba QA Contact 2022-10-20 05:01:03 UTC

This bug was referenced in samba master:

67811e121fbef08337675d473390160793544719
50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2

Comment 6 Andrew Bartlett 2022-10-20 05:20:38 UTC

Created attachment 17591 [details]
Patch for Samba 4.15 (with cherry-pick markers)

Comment 7 Andrew Bartlett 2022-10-20 05:27:57 UTC

Created attachment 17592 [details]
Patch for Samba 4.12 (on top of maintained 4.12 backports tree)

Tested on this tree maintained for a Catalyst customer https://gitlab.com/catalyst-samba/samba/-/tags/catalyst-4.12-backports-2022-10

Comment 8 Jo Sutton 2022-10-21 00:41:02 UTC

Created attachment 17593 [details]
Patch for Samba 4.15 v2 (with cherry-pick markers)

This is an updated version of the previous patch that includes cherry-pick markers.

Comment 9 Jo Sutton 2022-10-21 00:41:44 UTC

Created attachment 17594 [details]
Patch for Samba 4.12 (on top of maintained 4.12 backports tree)

And the same for 4.12.

Comment 10 Jo Sutton 2022-10-21 03:05:36 UTC

Created attachment 17595 [details]
Patch for Samba 4.15 v3 (with cherry-pick markers)

cherry picked -> backported

Comment 11 Jo Sutton 2022-10-21 03:06:33 UTC

Created attachment 17596 [details]
Patch for Samba 4.12 v3 (on top of maintained 4.12 backports tree)

Comment 12 Michael Tokarev 2022-10-21 07:41:39 UTC

Am I right the only real impact of this issue is that Win11 22H2 can not join samba domain?

And the issue has become serious because of the suggestion someone did in the internet to work around this issue which effectively made kerberos auth turned off, so together with the workaround, the issue has become a huge security treat?

Comment 13 Andrew Bartlett 2022-10-21 08:20:43 UTC

The impact is that the KDC will never successfully issue a kerberos service ticket to a Windows 11 22H2 or Windows Server vNext (build 25217 was tested) client.  

The domain join is just the easiest case to test with from a blank setup. 

The workarounds essentially disable the KDC, as Samba since 4.12 does not ever issue DES tickets, so DES-only results in no available ciphers. 

The issue becomes serious because it essentially stops proper Samba operation as an AD DC to these clients.

Comment 14 Stefan Metzmacher 2022-10-21 10:02:18 UTC

Should this include in a final 4.15 release? Maybe together with
https://bugzilla.samba.org/show_bug.cgi?id=15202 ?

Comment 15 Andrew Bartlett 2022-10-21 18:11:21 UTC

(In reply to Stefan Metzmacher from comment #14)
I wasn't going to dare ask the questions in the busy lead-up to a security release, but on balance I think a release would show we (the Samba Team) have done everything we can for our users who didn't expect such an apparent regression.

The case for is that it would allow us to easily tell users who have issues that they need at least this version, and trigger a samba-announce mail that more folks might see and so know to upgrade.

The case against is that of the major distributions impacted, Ubuntu 22.04 has Samba 4.15 but not the latest version.  Debian is on earlier and later major versions for stable (4.13) and testing (4.16), Fedora uses MIT and of course SerNet will apply these I'm sure anyway. 

So it will help some, and if we can use it to get Ubuntu 22.04 to upgrade to this version then it will have been worth it.

Comment 16 Samba QA Contact 2022-12-14 11:34:13 UTC

This bug was referenced in samba v4-16-test:

a65fc1fa476a45de402d6127b4ce5a26e761508f

Comment 17 Samba QA Contact 2022-12-14 12:41:12 UTC

This bug was referenced in samba v4-17-test:

fea5bde53c41b07ae0fb15f4af0f0bab7f376a46

Comment 18 Stefan Metzmacher 2022-12-14 15:58:55 UTC

I think we should include this in the next 4.15 release

Comment 19 Stefan Metzmacher 2022-12-14 16:25:21 UTC

Created attachment 17701 [details]
Patches for v4-15-test v4 (rebased on current v4-15-test)

Comment 20 Samba QA Contact 2022-12-15 10:00:19 UTC

This bug was referenced in samba v4-15-test:

fd3cdcc1800a4185857494626de9ba1c368dbcdb
ff5d6ada80e90e5fd67086e52f7e82f91bbafcc0
2620bea3af8d9e4e1db195deba414a46e8c66b3d

Comment 21 Samba QA Contact 2022-12-15 16:31:30 UTC

This bug was referenced in samba v4-15-stable (Release samba-4.15.13):

fd3cdcc1800a4185857494626de9ba1c368dbcdb
ff5d6ada80e90e5fd67086e52f7e82f91bbafcc0
2620bea3af8d9e4e1db195deba414a46e8c66b3d

Comment 22 Samba QA Contact 2022-12-15 16:33:20 UTC

This bug was referenced in samba v4-16-stable (Release samba-4.16.8):

a65fc1fa476a45de402d6127b4ce5a26e761508f

Comment 23 Samba QA Contact 2022-12-15 16:34:48 UTC

This bug was referenced in samba v4-17-stable (Release samba-4.17.4):

fea5bde53c41b07ae0fb15f4af0f0bab7f376a46