Univention Bugzilla – Full Text Bug Listing

| Summary: | NetApp can't lookup SIDs | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
| Component: | Samba4 | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
| Severity: | normal | | |
| Priority: | P5 | CC: | birkefeld, gohmann, lutz.willek, requate, walkenhorst |
| Version: | UCS 4.0 | Flags: | requate: Patch_Available+ |
| Target Milestone: | UCS 4.0-1-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| URL: | https://bugzilla.samba.org/show_bug.cgi?id=11291 | | |
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 39263 | | |
| Attachments: | netapp_netlogon.patch | | |
Description
Janis Meybohm
2015-02-24 14:31:59 CET
This is what the test environment NetApp shows without nt4 crypto:
---
netapp> cifs domaininfo
NetBIOS Domain: LISH
Windows Domain Name: 40lish.qa
Domain Controller Functionality: Windows 2008 R2
Domain Functionality: Windows 2003
Forest Functionality: Windows 2003
Filer AD Site: Default-First-Site-Name
Not currently connected to any DCs
Preferred Addresses: None
Favored Addresses: 10.200.6.40 MASTER PDCBROKEN
Other Addresses: None
Connected AD LDAP Server: \\master.40lish.qa
Preferred Addresses: None
Favored Addresses: 10.200.6.40 master.40lish.qa
Other Addresses: None
---

As soon as nt4 crypto is enabled:
---
netapp> cifs domaininfo
NetBIOS Domain: LISH
Windows Domain Name: 40lish.qa
Domain Controller Functionality: Windows 2008 R2
Domain Functionality: Windows 2003
Forest Functionality: Windows 2003
Filer AD Site: Default-First-Site-Name
Current Connected DCs: \\MASTER
Total DC addresses found: 1
Preferred Addresses: None
Favored Addresses: 10.200.6.40 MASTER PDC
Other Addresses: None
Connected AD LDAP Server: \\master.40lish.qa
Preferred Addresses: None
Favored Addresses: 10.200.6.40 master.40lish.qa
Other Addresses: None
---

Comment #2
Arvid Requate
Created attachment 6717 [details]
netapp_netlogon.patch
This patch fixed the problem in the test setup.
The issue is triggered by the netapp in two steps:
1. The Netapp calls netr_ServerReqChallenge to set up the challenge tokens
2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS set to 0. Native AD and Samba respond to this with NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away the challenge token negotiated in the first step.
3. Next it calls netr_ServerAuthenticate2 again, this time with NETLOGON_NEG_STRONG_KEYS set to 1. Samba returns NT_STATUS_ACCESS_DENIED as it has lost track of the challenge.
Upstream git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced a workaround for a different but related issue. My patch makes a minor adjustment to the upstream patch to delay flushing the cached challenge until it's clear that we are not in this NT_STATUS_DOWNGRADE_DETECTED situation.
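The three-step exchange described above, as an added example that is not part of the bug report or of Samba's code: a simplified model of a netlogon server's challenge cache in which the order of "flush the cached challenge" versus "check NETLOGON_NEG_STRONG_KEYS" decides whether a client that retries after NT_STATUS_DOWNGRADE_DETECTED can still authenticate. The `NetlogonServer` class, its `flush_before_downgrade_check` and `allow_nt4_crypto` switches and the `netapp_handshake` replay are hypothetical; credential verification is omitted.

```python
# Added example, not Samba's code: a simplified model of a netlogon server's
# challenge cache. flush_before_downgrade_check=True models the behaviour
# described in the report (challenge thrown away on NT_STATUS_DOWNGRADE_DETECTED),
# False models the patched order. Credential verification is omitted.
import secrets

NETLOGON_NEG_STRONG_KEYS = 0x00004000  # flag value from MS-NRPC

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"
NT_STATUS_DOWNGRADE_DETECTED = "NT_STATUS_DOWNGRADE_DETECTED"


class NetlogonServer:
    """Hypothetical server keeping one cached challenge per computer account."""

    def __init__(self, flush_before_downgrade_check, allow_nt4_crypto=False):
        self.challenges = {}
        self.flush_early = flush_before_downgrade_check  # True models the bug
        self.allow_nt4_crypto = allow_nt4_crypto  # "nt4 crypto" accepts weak keys

    def netr_ServerReqChallenge(self, computer, client_challenge):
        server_challenge = secrets.token_bytes(8)
        self.challenges[computer] = (client_challenge, server_challenge)
        return server_challenge

    def netr_ServerAuthenticate2(self, computer, neg_flags):
        if computer not in self.challenges:
            return NT_STATUS_ACCESS_DENIED  # no challenge: nothing to authenticate
        if self.flush_early:
            del self.challenges[computer]  # buggy order: forget the challenge now
        wants_strong = bool(neg_flags & NETLOGON_NEG_STRONG_KEYS)
        if not wants_strong and not self.allow_nt4_crypto:
            return NT_STATUS_DOWNGRADE_DETECTED  # client is expected to retry
        # Patched order: the challenge is consumed only after the flag check passed.
        self.challenges.pop(computer, None)
        return NT_STATUS_OK


def netapp_handshake(server, computer="NETAPP$"):
    """Replay the sequence from the report with a constructed client challenge."""
    server.netr_ServerReqChallenge(computer, b"\x01" * 8)
    first = server.netr_ServerAuthenticate2(computer, 0)  # STRONG_KEYS cleared
    second = server.netr_ServerAuthenticate2(computer, NETLOGON_NEG_STRONG_KEYS)
    return first, second


if __name__ == "__main__":
    print("before patch:", netapp_handshake(NetlogonServer(True)))
    print("after patch: ", netapp_handshake(NetlogonServer(False)))
```

With nt4 crypto enabled the first authenticate call already succeeds, which is why the filer connects in the second `cifs domaininfo` output without needing the retry.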
(In reply to Arvid Requate from comment #2)
> Created attachment 6717 [details]
> netapp_netlogon.patch
>
> This patch fixed the problem in the test setup.

So it does in mine!

The package has been rebuilt with the patch in errata4.0-1.
Advisory: 2015-03-19-samba.yaml
Patch sent to the upstream mailing list (see URL field above).

YAML: OK
Code review: OK
ucs-test: OK

No reaction upstream. Filed bug https://bugzilla.samba.org/show_bug.cgi?id=11291 for this.