Rowland Penny
2022-Nov-21 08:30 UTC
[Samba] Unable to access shares after upgrade to version 4.17.3
On 20/11/2022 23:24, spindles seven via samba wrote:
> Hi all,
>
> I have a domain-joined fileserver which was running a self-compiled version 4.17.2. I updated this to version 4.17.3 when it came out - again self-compiled. When bullseye backports became available for my box's architecture (armel) I decided to use that valuable resource rather than continue to self-compile. (Many thanks Michael for providing these releases in Backports - much appreciated). So I uninstalled the self-compiled version, deleted the folder /usr/local/samba and any .tdb files I could find.
>
> I installed samba version 4.17.3-debian from backports and re-joined the domain, using the same smb.conf. However I now can't access the share from any Windows machine - even if I provide valid credentials. Testing with smbclient produces:
>
> root@goflex:~# smbclient -L localhost -U%
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         images          Disk
>         IPC$            IPC       IPC Service (Samba 4.17.3-Debian)
> SMB1 disabled -- no workgroup available
>
> root@goflex:~# smbclient //goflex/images -U roy
> Password for [MICROLYNX\roy]:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> root@goflex:~# smbclient //goflex.microlynx.org/images -U roy
> Password for [MICROLYNX\roy]:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> BUT using the IP address of goflex succeeds:
>
> root@goflex:~# smbclient //192.168.2.40/images -U roy
> Password for [MICROLYNX\roy]:
> Try "help" to get a list of possible commands.
> smb: \>
>
> Don't know whether this is relevant, but the log file: log.wb-GOFLEX reports:
>
> [2022/11/20 22:44:19.851122, 1] ../../source3/rpc_client/cli_pipe.c:550(cli_pipe_validate_current_pdu)
>   ../../source3/rpc_client/cli_pipe.c:550: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host goflex!
>
> and
>
> log.wb-MICROLYNX reports:
>
> [2022/11/20 22:44:09.611781, 1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>   ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
>
> and indeed there is no such file.
>
> This pointed to a dns issue, so I checked that goflex.microlynx.org has an entry:
>
> root@goflex:~# host -t A goflex
> goflex.microlynx.org has address 192.168.2.40
> root@goflex:~# host -t A goflex.microlynx.org
> goflex.microlynx.org has address 192.168.2.40
> root@goflex:~# dig goflex.microlynx.org
>
> ; <<>> DiG 9.16.33-Debian <<>> goflex.microlynx.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38034
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: aa9b9eee1a385ba201000000637ab570830c55f6a435553b (good)
> ;; QUESTION SECTION:
> ;goflex.microlynx.org. IN A
>
> ;; ANSWER SECTION:
> goflex.microlynx.org. 3600 IN A 192.168.2.40
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.2.4#53(192.168.2.4)
> ;; WHEN: Sun Nov 20 23:17:04 GMT 2022
> ;; MSG SIZE rcvd: 93
>
> root@goflex:~# cat /etc/resolv.conf
> search microlynx.org
> nameserver 192.168.2.4
> nameserver 192.168.2.5
>
> The other interesting thing is that I can no longer logon via SSH using my Kerberos ticket from my Windows machine.
>
> I'm stumped at this point, so any help will be appreciated,
>
> Regards,
>
> Roy

OK, 4.17.3 was released to deal with CVE-2022-42898. Unfortunately there is a regression in Heimdal, but it is only supposed to affect 32bit systems, see here for more details:

https://bugzilla.samba.org/show_bug.cgi?id=15203

Rowland
Michael Tokarev
2022-Nov-21 08:37 UTC
[Samba] Unable to access shares after upgrade to version 4.17.3
21.11.2022 11:30, Rowland Penny via samba wrote:
..
> OK, 4.17.3 was released to deal with CVE-2022-42898. Unfortunately there is a regression in Heimdal, but it is only supposed to affect 32bit systems,
> see here for more details:
>
> https://bugzilla.samba.org/show_bug.cgi?id=15203

Oh well. Do you know if MIT-krb5 is affected too? They also released an updated version to deal with CVE-2022-42898.

In my case it does look like a kerberos issue after all. And I've samba built against mit-krb5 - including debian bullseye now (with backported krb5 20.1).

Thanks,

/mjt
Michael Tokarev
2022-Nov-21 08:40 UTC
[Samba] Unable to access shares after upgrade to version 4.17.3
21.11.2022 11:30, Rowland Penny via samba wrote:
> OK, 4.17.3 was released to deal with CVE-2022-42898. Unfortunately there is a regression in Heimdal, but it is only supposed to affect 32bit systems,
> see here for more details:
>
> https://bugzilla.samba.org/show_bug.cgi?id=15203

This still looks pretty much like a 32bit-specific issue, - both the initial bug and the regression. The submitted fix should not affect 64bit systems in any way, just like the initial fix for CVE-2022-42898.

spindles seven, do you run a 32bit system?

/mjt