
Bug 910306

Summary: net-fs/samba: Windows Updates from 13th July 2023 break domain trust (fix inside)
Product: Gentoo Linux
Reporter: Felix Leimbach <felix.leimbach>
Component: Current packages
Assignee: Gentoo's SAMBA Team <samba>
Status: RESOLVED FIXED
Severity: critical
CC: ole+gentoo, sam
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugzilla.samba.org/show_bug.cgi?id=15418
https://bugs.gentoo.org/show_bug.cgi?id=910334
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 910452    
Bug Blocks:    

Description Felix Leimbach 2023-07-13 18:57:59 UTC
A Windows update issued for all Windows Server and desktop versions on July 13th breaks the secure channel connection and thus domain trust and thus logon via RDP, access to shares and other things.

The issue is diagnosed here and there is a patch:
https://bugzilla.samba.org/show_bug.cgi?id=15418

This is quite urgent as it breaks domains with a Samba PDC in all kinds of ways.

Reproducible: Always

Steps to Reproduce:
1. Install latest Windows updates in a domain with a Samba PDC
2. Watch everything break
3. Can confirm breakage by seeing false in this PowerShell command on a Windows client with the latest update: Test-ComputerSecureChannel -Verbose
Comment 1 Felix Leimbach 2023-07-13 19:28:40 UTC
I've applied the patch linked in the bug report to net-fs/samba-4.18.3 in my overlay and confirmed it fixes all issues.

I can log in via RDP again, access file shares and Test-ComputerSecureChannel returns True again.

From what I read, people are applying the patch successfully to Samba versions as old as 4.13.13, so we might want to issue updates for all our supported versions (i.e. 4.16+).
Comment 2 Felix Leimbach 2023-07-13 19:29:06 UTC
For reference this is the patch: https://cpaste.org/?df0494cac0063e2e#Cx69G684EBPQ71S6sAUVXSYburgV6gPyKHfPSbfmHZPJ
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-14 11:58:02 UTC
*** Bug 910335 has been marked as a duplicate of this bug. ***
Comment 4 Larry the Git Cow gentoo-dev 2023-07-16 10:32:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c580697941c0090848274bea073c0d3ef555032a

commit c580697941c0090848274bea073c0d3ef555032a
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2023-07-16 10:32:23 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-07-16 10:32:23 +0000

    net-fs/samba: add 4.18.4
    
    Bug: https://bugs.gentoo.org/910306
    Bug: https://bugs.gentoo.org/910334
    Signed-off-by: David Seifert <soap@gentoo.org>

 net-fs/samba/Manifest                              |   1 +
 ...4-bug-15418-windows-update-secure-channel.patch |  56 +++
 net-fs/samba/files/samba-4.18.4-pam.patch          |  29 ++
 net-fs/samba/samba-4.18.4.ebuild                   | 384 +++++++++++++++++++++
 4 files changed, 470 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2023-08-03 15:34:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d32095b165e0f127a89bbf6af1d99b0c7386cfa2

commit d32095b165e0f127a89bbf6af1d99b0c7386cfa2
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2023-08-03 15:33:46 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-08-03 15:33:46 +0000

    net-fs/samba: drop 4.16.8
    
    Bug: https://bugs.gentoo.org/910306
    Bug: https://bugs.gentoo.org/910334
    Signed-off-by: David Seifert <soap@gentoo.org>

 net-fs/samba/Manifest                              |   1 -
 .../files/samba-4.15.12-configure-clang16.patch    | 117 -------
 .../files/samba-4.15.9-libunwind-automagic.patch   | 118 -------
 .../samba/files/samba-4.16.1-netdb-defines.patch   |  25 --
 .../samba-4.16.2-fix-musl-without-innetgr.patch    |  25 --
 net-fs/samba/files/samba-4.4.0-pam.patch           |  29 --
 net-fs/samba/samba-4.16.8.ebuild                   | 387 ---------------------
 7 files changed, 702 deletions(-)