View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012180 | Rocky-Linux-9 | samba | public | 2026-03-03 18:30 | 2026-03-03 18:30 |
| Reporter | Kevin Smith | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| OS Version | 9.7 | ||||
| Summary | 0012180: Trusted Domain Authentication samba 4.22 Rocky 9.7 | ||||
| Description | Samba 4.22.4-12.el9_7 doesn't seem to contain the regression anymore for CVE-2025-49716 netlogon hardening fix<br><br>- **OS**: Rocky Linux 9.7 (Blue Onyx)<br>- **Samba Version**: samba-4.22.4-12.el9_7.x86_64<br>- **Configuration**: Domain member server joined to DOMAIN-A.COM with forest transitive trust to DOMAIN-B.COM<br>- **idmap backend**: ad (for DOMAIN-B), sss (for DOMAIN-A)<br><br>After upgrading from Rocky Linux 9.6 (samba-4.21.3-14.el9_6) to Rocky Linux 9.7 (samba-4.22.4-12.el9_7), NTLM challenge/response authentication fails for users from the trusted domain DOMAIN-B.COM with `NT_STATUS_WRONG_PASSWORD`. Plaintext authentication works correctly.<br><br>`[log.wb-DOMAIN-B] cm_connect_netlogon_transport: get_secure_channel_type gave SEC_CHAN_NULL for DOMAIN-B`<br>`[log.wb-DOMAIN-B] cli_rpc_pipe_open_noauth: opened pipe netlogon to machine DC01.domain-b.com and bound anonymously`<br>`[log.winbindd] lm_resp: DATA_BLOB length=0`<br>`[log.winbindd] nt_resp: DATA_BLOB length=0`<br>`[log.winbindd] result: NT_STATUS_WRONG_PASSWORD`<br><br>No `netr_LogonSamLogon` calls found in logs - winbind not attempting netlogon authentication for trusted domain challenge/response. | ||||
| Steps To Reproduce | 1. Join Rocky Linux 9.7 server to Active Directory domain (e.g., DOMAIN-A.COM)<br>2. Configure idmap_ad backend for trusted domain (e.g., DOMAIN-B.COM)<br>3. Ensure Microsoft July 2025 security updates (CVE-2025-49716) are applied to domain controllers<br>4. Test authentication: `echo 'password' | wbinfo -a DOMAIN-B\\testuser`<br>5. Observe: plaintext succeeds, challenge/response fails<br><br>Rolling back just to samba 4.21-3.14 from 9.6 vault fixes the issue. | ||||
| Tags | No tags attached. | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-03-03 18:30 | Kevin Smith | New Issue |
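
A log check for the symptom described in this issue, added here as an example; it is not part of the original report and is not Samba code. It flags the combination the reporter lists (SEC_CHAN_NULL for the trusted domain, an anonymous netlogon bind, empty LM/NT responses, `NT_STATUS_WRONG_PASSWORD`, and no `netr_LogonSamLogon` call); the function name `triage`, the verdict logic, and the "healthy" sample lines are assumptions of this example.

```python
import re

# Marker strings are the ones quoted in the report; combining them into one
# verdict is this example's assumption, not a Samba diagnostic.
SEC_CHAN_NULL = re.compile(r"get_secure_channel_type gave SEC_CHAN_NULL for (\S+)")
ANON_BIND = re.compile(r"opened pipe netlogon to machine (\S+) and bound anonymously")
EMPTY_RESP = re.compile(r"\b(lm_resp|nt_resp): DATA_BLOB length=0\b")

def triage(lines):
    """Summarise whether winbind log lines show the pattern from the report."""
    found = {"domains": set(), "dcs": set(), "empty": set(),
             "wrong_password": False, "samlogon_seen": False}
    for line in lines:
        if m := SEC_CHAN_NULL.search(line):
            found["domains"].add(m.group(1))      # trusted domain with no secure channel type
        if m := ANON_BIND.search(line):
            found["dcs"].add(m.group(1))          # DC reached over an unauthenticated pipe
        if m := EMPTY_RESP.search(line):
            found["empty"].add(m.group(1))        # which response blobs were empty
        if "NT_STATUS_WRONG_PASSWORD" in line:
            found["wrong_password"] = True
        if "netr_LogonSamLogon" in line:          # also matches the Ex/WithFlags variants
            found["samlogon_seen"] = True
    found["matches_report"] = (
        bool(found["domains"]) and bool(found["dcs"])
        and found["empty"] == {"lm_resp", "nt_resp"}
        and found["wrong_password"] and not found["samlogon_seen"])
    return found

# Log excerpt as quoted in the report (the "[log.*]" prefix is the reporter's labelling).
REPORTED = [
    "[log.wb-DOMAIN-B] cm_connect_netlogon_transport: get_secure_channel_type gave SEC_CHAN_NULL for DOMAIN-B",
    "[log.wb-DOMAIN-B] cli_rpc_pipe_open_noauth: opened pipe netlogon to machine DC01.domain-b.com and bound anonymously",
    "[log.winbindd] lm_resp: DATA_BLOB length=0",
    "[log.winbindd] nt_resp: DATA_BLOB length=0",
    "[log.winbindd] result: NT_STATUS_WRONG_PASSWORD",
]
# Constructed lines standing in for a working logon (not real Samba output).
HEALTHY_CONSTRUCTED = [
    "[log.wb-DOMAIN-B] netr_LogonSamLogonWithFlags: struct netr_LogonSamLogonWithFlags",
    "[log.winbindd] nt_resp: DATA_BLOB length=24",
    "[log.winbindd] result: NT_STATUS_OK",
]

if __name__ == "__main__":
    for name, sample in (("reported", REPORTED), ("healthy", HEALTHY_CONSTRUCTED)):
        print(name, triage(sample)["matches_report"])
```

To run it against real logs, pass the concatenated lines of the winbind log files to `triage` after reproducing the failure with the `wbinfo -a` command from the steps above.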