Upcoming changes to Windows Server 2025 enforce security checks even on schannel secured NETLOGON connections, causing winbind's netlogon dc discovery calls to fail.
This bug was referenced in samba master: f86a4bf6848ade2db7229d182576db3320c3ece7 2560c9b3224816ffd371a62103f65b3aca301ad5
For completeness, here is the full list of affected Netlogon RPC calls:

DsrGetDcName
DsrGetDcNameEx
DsrGetSiteName
DsrAddressToSiteNamesW
DsrGetDcNameEx2
DsrAddressToSiteNamesExW
DsrGetDcSiteCoverageW
We've released the following info via the Samba mailing lists: https://lists.samba.org/archive/samba-announce/2025/000693.html

On 8th of July, Microsoft will release an important security update for Active Directory Domain Controllers for Windows Server versions prior to 2025. This update includes a change to the Microsoft RPC Netlogon protocol, which improves security by tightening access checks for a set of RPC requests. Samba running as domain members in these environments will be impacted by this change if a specific configuration is used, see below for which configuration is affected.

Windows Server version 2025 is already equipped with these specific security hardenings, and Microsoft is now planning to deploy them to all supported Windows Server versions down to Windows Server 2008.

Who is affected?

Samba installations acting as member servers in Windows AD domains will be affected if they are configured to use the 'ad' idmapping backend. Samba servers not using this configuration will not be affected by the change – at least to our current knowledge and understanding of the change – and no further action is required.

Current versions of Samba with the affected configuration will no longer function correctly once the Microsoft update has been applied. Users will not be able to connect to the SMB service provided by Samba for any domain configured to use the 'ad' idmapping backend.

What the Samba Team is doing and what you should do

Members of the Samba team have been collaborating with Microsoft and changes to Samba are currently being developed and tested to ensure full compatibility between Samba and Microsoft products. The Samba team is aiming to provide updated Samba releases on Monday evening (UTC+2).

What you should do: If you’re running Samba in a Windows AD environment, check your configuration. Keep an eye out for new Samba package updates early next week (starting 7 July).
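The announcement above asks administrators to check whether their member server uses the 'ad' idmap backend. The following is an added example, not code from the bug report or from the Samba project, that scans smb.conf text for `idmap config <DOMAIN> : backend = ...` lines in the [global] section and reports the domains configured with the 'ad' backend. The sample configuration embedded below is constructed for illustration.

```python
import re

# Matches "idmap config <DOMAIN> : backend = <name>". Samba parameter names
# are case-insensitive and whitespace around ':' and '=' is optional, so the
# pattern is deliberately permissive.
_IDMAP_BACKEND_RE = re.compile(
    r"^\s*idmap\s*config\s+(?P<domain>\S+)\s*:\s*backend\s*=\s*(?P<backend>\S+)\s*$",
    re.IGNORECASE,
)
_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")

# Constructed sample smb.conf (not taken from the bug report).
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # EXAMPLE uses the 'ad' backend: the configuration the announcement names
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 1000000-1999999

[data]
    path = /srv/data
"""


def idmap_backends(conf_text):
    """Return {domain: backend} for every idmap backend set in [global]."""
    backends = {}
    section = None  # parameters before the first section header count as global
    for raw in conf_text.splitlines():
        line = raw.strip()
        # smb.conf comments are whole lines starting with '#' or ';'
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section not in (None, "global"):
            continue
        m = _IDMAP_BACKEND_RE.match(line)
        if m:
            backends[m.group("domain")] = m.group("backend").lower()
    return backends


def ad_idmap_domains(conf_text):
    """Domains whose idmap backend is 'ad', sorted for stable output."""
    return sorted(d for d, b in idmap_backends(conf_text).items() if b == "ad")


def is_affected(conf_text):
    """True if any domain uses the 'ad' idmap backend."""
    return bool(ad_idmap_domains(conf_text))


if __name__ == "__main__":
    domains = ad_idmap_domains(SAMPLE_SMB_CONF)
    if domains:
        print("affected: 'ad' idmap backend configured for", ", ".join(domains))
    else:
        print("not affected: no domain uses the 'ad' idmap backend")
```

On a real server, feed the function the output of `testparm -s` rather than the raw file, so that `include` directives and registry-based configuration are already resolved; the parser itself only looks at the text it is given.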
Created attachment 18660 [details] Patch for 4.21 cherry-picked from master
Created attachment 18661 [details] Patch for 4.22 cherry-picked from master
Comment on attachment 18661 [details] Patch for 4.22 cherry-picked from master LGTM, RB+
Comment on attachment 18660 [details] Patch for 4.21 cherry-picked from master LGTM, RB+
This bug was referenced in samba v4-21-test: fc13e0918fddac18800790926a71a9e60f8b95df 1967ce819985be2e223c258284d5153713549108
This bug was referenced in samba v4-22-test: b197ce8c6f155e7d7dd3bd7a9b77172553eb78f7 78d69a9eebe080aa2bcdf62be8360b581dd1e5f0
This bug was referenced in samba v4-21-stable (Release samba-4.21.7): fc13e0918fddac18800790926a71a9e60f8b95df 1967ce819985be2e223c258284d5153713549108
This bug was referenced in samba v4-22-stable (Release samba-4.22.3): b197ce8c6f155e7d7dd3bd7a9b77172553eb78f7 78d69a9eebe080aa2bcdf62be8360b581dd1e5f0
Is it OK for me to attach an unofficial patch for v4-20-stable here, to potentially help others? The only difference is a conflict in removed code due to commit 814ae222ca15ff7093a71639cdcc97b9937670ce not being in v4-20-stable.
Yes, I think that is fine. We also backported the following patches to older releases in addition:

e47ce1d 2024-12-05 16:46 +0000 Stefan Metzmacher o s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND
712ffbf 2024-05-10 01:35 +0000 Stefan Metzmacher o s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
2b66663 2024-04-05 12:24 +0000 Stefan Metzmacher o s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
f55a357 2023-03-09 19:12 +0000 Nathaniel W. Turn~ o dsgetdcname: do not assume local system uses IPv4
Hi Andreas,

(In reply to Andreas Schneider from comment #13)

How far did you go back with backporting fixes if I might ask? For Debian I have applied all of

e47ce1d 2024-12-05 16:46 +0000 Stefan Metzmacher o s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND
712ffbf 2024-05-10 01:35 +0000 Stefan Metzmacher o s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
2b66663 2024-04-05 12:24 +0000 Stefan Metzmacher o s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL

(modulo the first one, which is already present) in Debian bookworm's version based on 4.17.12. The proposed work is here: https://salsa.debian.org/samba-team/samba/-/merge_requests/68

I was looking as well at 4.13.13 based version, but know this is completely out of scope for Samba team.
We backported down to 4.15, see https://gitlab.com/samba-redhat/samba

Samba < 4.15 doesn't have async dns lookups!
Created attachment 18670 [details] Patch for v4-20, including extra commit from comment #13

This patch is for information only, just in case someone out there wants to patch 4.20.8. Because this is unofficial, I'll explain the patch in some detail.

This includes the 1st of 4 additional commits mentioned by Andreas in comment #13 - the other 3 are already in 4.20.8.

Following this, the 1st commit of the bug fix is marked "backported" (rather than "cherry picked") because a conflict had to be resolved. This occurred because commit 814ae222ca15ff7093a71639cdcc97b9937670ce is not in 4.20.8, so some code in removed function get_dc_name_via_netlogon() was not matched by the bug fix patch. The resolution is clearly to remove the function.

The 2nd commit of the bug fix cherry-picks cleanly.
(In reply to Andreas Schneider from comment #15)
> Samba < 4.15 doesn't have async dns lookups!

4.14 does, but 4.13, no.