Today I updated our Ubuntu server, which is also the primary (and only) domain controller, to the latest Samba packages, which fixed a few security vulnerabilities. The following packages were updated:
- libpam-winbind:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- smbclient:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- libwbclient0:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- libpam-smbpass:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- samba-common:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- samba:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- winbind:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- samba-common-bin:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
(from /var/log/apt/history.log)
After the update, everybody who rebooted his Windows 7 or 8.1 PC could no longer log into the domain. The error message displayed is "the trust relationship between this workstation and the primary domain failed".
The first thing I tried was removing the affected computer from the domain and adding it again. This used to solve this kind of issue, but not this time. There was no error during this process, but it didn't help either: logging in with a domain account still fails.
Logging in with a local account and then accessing the shares works fine.
The following error is written repeatedly to /var/log/samba/log.
[2016/04/19 11:49:09.975677, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
Googling and Binging (using Bing) so far only found two hits without a solution.
I urgently need a solution, because the number of affected workstations will probably grow fast.
Any hints?
Edit:
I'm not alone: https://askubuntu.com/questions/759123/samba-23-6-25-0ubuntu0-12-04-2-as-pdc-samba3-nt4-domain-windows-machines-lost
But as of now, there are no answers there either.
What helped so far as a temporary workaround was installing the old packages again. The method I chose was downloading the files from the appropriate links from https://launchpad.net/ubuntu/+source/samba/2:3.6.3-2ubuntu2 and then installing them using
This restored the previous state, all workstations could authenticate the users again.
As I said: This is a temporary workaround. Since the update was a security update, I still need a solution that works with the update.
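An added example, not part of the original post: a small Python scan of a Samba log for the netlogon_creds_server_check error quoted in the question, tallying the rejected machine accounts so the set of affected workstations can be tracked before and after a package change. The sample log, the workstation names WS01/WS02 and the function names are constructed for illustration, and the "client <name> machine account <name>$" message tail is an assumption.

```python
import re

# Constructed sample in the Samba 3.x log layout (header line, then an indented
# message line). WS01/WS02 are made-up workstation names, not from the post.
SAMPLE_LOG = """\
[2016/04/19 11:49:09.975677,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
[2016/04/19 11:49:12.101010,  3] smbd/process.c:1662(process_smb)
  Transaction 12 of length 98 (0 toread)
[2016/04/19 11:52:41.000123,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS02 machine account WS02$
[2016/04/19 11:58:03.500000, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\]\s*(.*)$")
# Assumed message tail: "... from client <name> machine account <name>$".
FAILURE = re.compile(
    r"netlogon_creds_server_check failed\. "
    r"Rejecting auth request from client .*?machine account (\S+)")

def records(log_text):
    """Yield (timestamp, text) per log entry, joining continuation lines."""
    ts, parts = None, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(parts)
            ts, parts = m.group(1), [m.group(2)]
        elif ts is not None:
            parts.append(line.strip())
    if ts is not None:
        yield ts, " ".join(parts)

def netlogon_failures(log_text):
    """Map machine account -> count, first and last time of rejected auths."""
    hits = {}
    for ts, text in records(log_text):
        m = FAILURE.search(text)
        if not m:
            continue
        entry = hits.setdefault(m.group(1), {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return hits

if __name__ == "__main__":
    for account, info in sorted(netlogon_failures(SAMPLE_LOG).items()):
        print(account, info["count"], info["first"], info["last"])
```

The parser accepts both the two-line layout Samba writes and the single-line form shown in the question.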
This is a regression introduced with the latest Samba updates (the ones which also fixed the Badlock vulnerability).
A temporary solution (other than downgrading) might be to set
in your smb.conf (don't forget to restart the samba service after that). Unfortunately this only fixed logins for existing users for me. It didn't help for new users who had never logged into the domain before (if I remember correctly, I got a "No logon servers available..." for these).
One Samba guy working at Red Hat says they have a working fix for that problem. I guess Red Hat will release that fix soon and I would expect it will be distributed for other distributions too.
Ubuntu seems to have fixed this problem with the following update:
http://www.ubuntu.com/usn/usn-2950-3/
released on 2016-05-04.
I installed it today and the problem is gone.
Possibly related; see my answer there: Samba Share user/password error after update
I will update this answer if this is indeed the solution.
There is another workaround I got from Red Hat:
If you are using Win 7 or Win 10, just unplug the network cable (or disable WiFi), then log in. It's similar to a local login (versus a network login). Once you've logged in, you can plug the network cable back in and use your resources as normal. Also, turn off the sleep mode with password required so you're not forced to log back in each time your system goes to sleep.
I haven't tried it but it might just work. (It probably also works for Windows 8(.1).)