[Samba] Printserver after latest MS updates

Achim Gottinger achim at ag-web.biz
Thu Oct 21 21:06:58 UTC 2021



On 19.10.2021 at 14:37, cn--- via samba wrote:
> Hello you all,
> Microsoft is still trying to fix the PrintNightmare bugs. And after the latest patch day we see lots of NTLMv2 auths on our printserver. And _only_ on our printserver and not on any other member
> servers.
>
> It is not that Kerberos does not work. I can ssh into that machine using Kerberos, and I can connect with smbclient with Kerberos. Also, the logs are really spammed with those messages. And it all started
> after we released the last patchday updates from MS.
> This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also had the same problem on 4.14.7. smb.conf is below.
> Everything seems to work as expected. It just is the number of NTLMv2 auths that made me look at this more closely.
>
> Anyone seen something similar?
>
>
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]: [2021/10/19 14:22:55.209081,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]:   Auth: [winbind,NTLM_AUTH, nss_winbind, 1003] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.209056 CEST] with [NTLMv2]
> status [NT_STATUS_OK] workstation [HOST] remote host [unix:] became [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host [unix:]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19 14:22:55.209404,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]:   Auth: [DCE/RPC,(null)] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.209385 CEST] with [NTLMv2] status [NT_STATUS_OK]
> workstation [HOST] remote host [ipv4:yyy.yyy.yyy.yyy:49949] became [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host [ipv4:yyy.yyy.yyy.xxxx:445]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19 14:22:55.213366,  4] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: Successful AuthZ: [DCE/RPC,NTLMSSP] user [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx] at [Tue, 19 Oct 2021 14:22:55.213356 CEST] Remote
> host [ipv4:yyy.yyy.yyy.yyy:49949] local host [ipv4:yyy.yyy.yyy.xxxx:445]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]: [2021/10/19 14:22:55.272006,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]:   Auth: [winbind,NTLM_AUTH, nss_winbind, 1003] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.271994 CEST] with [NTLMv2]
> status [NT_STATUS_OK] workstation [HOST] remote host [unix:] became [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host [unix:]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19 14:22:55.272247,  3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]:   Auth: [DCE/RPC,(null)] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.272236 CEST] with [NTLMv2] status [NT_STATUS_OK]
> workstation [HOST] remote host [ipv4:yyy.yyy.yyy.yyy:49949] became [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host [ipv4:yyy.yyy.yyy.xxxx:445]
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19 14:22:55.275198,  4] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
> Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: Successful AuthZ: [DCE/RPC,NTLMSSP] user [DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx] at [Tue, 19 Oct 2021 14:22:55.275188 CEST] Remote
> host [ipv4:yyy.yyy.yyy.yyy:49949] local host [ipv4:yyy.yyy.yyy.xxxx:445]

Hello Samba-Group,

I also ran into PrintNightmare issues today after applying the Update 2021-10.
My Client PC is running W10 LTSC 2019.
My Samba fileserver is running on debian buster using samba 4.9.5 as an active directory member.

If I log in with an AD account on the client, I can connect printers and manage them as usual with printmanagement connecting to the server.
But if I log in with a local client account and connect to the server by entering user/password, shares are working but printers cannot be connected and printmanagement does not list printers or
drivers.

I found the following interesting post https://www.bleepingcomputer.com/forums/t/759880/kb5006670-network-printer-problems-again-this-month/page-8#entry5263758

-------------------------------------------------------------------------------------------
After sniffing around in Wireshark, it seems like this newer spooler is doing two things differently:
 
1) On the DCERPC call it has added NTLMSSP_NEGOTIATE and attempts to authenticate NTLMSSP_CHALLENGE
2) On the SPOOLSS call the name of the printer is now encrypted
 
Failing (Oct DLL's) 0x000006e4 RPC_S_CANNOT_SUPPORT 
Attached File: SnifferNg.png <https://www.bleepingcomputer.com/forums/index.php?app=core&module=attach&section=attach&attach_id=235499>
 
Working (Sept DLL's)
Attached File: SnifferOK.png <https://www.bleepingcomputer.com/forums/index.php?app=core&module=attach&section=attach&attach_id=235498>
 
Above are to a 2003 server from Win10
 
I think this is a problem with older servers not knowing how to handle encryption and the spooler not falling back to unencrypted communications
https://docs.microsoft.com/en-us/windows/win32/api/rpcasync/nf-rpcasync-rpcbindingbind
 
 
HTH,
Mike Pisano
-------------------------------------------------------------------------------------------

On bleepingcomputer they replace the files localspl.dll, win32spl.dll and spoolsv.exe in c:\windows\system32 with the versions from Update 2021-09. This temporary workaround works for me. Have not yet
figured out another way to get printing working with local accounts against the samba server.


Good Night,
Achim Gottinger
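
Added example (not part of the original post and not Samba code): a small parser for the human-readable auth_log lines quoted above that tallies password types per service and session mechanisms per client, so NTLM traffic to a print server can be compared against Kerberos. The sample lines are constructed from the format shown in the thread; the `krb5` AuthZ line, the EXAMPLE names and the 192.0.2.x addresses are assumptions.

```python
import re
from collections import Counter

# "Auth:" events carry the password type (e.g. NTLMv2); "Successful AuthZ:"
# events carry the mechanism that established the session (e.g. NTLMSSP).
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<desc>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] at \[[^\]]*\] "
    r"with \[(?P<pwtype>[^\]]*)\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)
AUTHZ_RE = re.compile(
    r"Successful AuthZ: \[(?P<service>[^,\]]+),(?P<mech>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\].*?"
    r"Remote host \[(?P<remote>[^\]]*)\]"
)

def host_only(addr):
    """'ipv4:192.0.2.10:49949' -> '192.0.2.10'; other forms ('unix:') unchanged."""
    m = re.match(r"ipv4:(.+):\d+$", addr)
    return m.group(1) if m else addr

def summarize(lines):
    """Return (password types per service, session mechanisms per client)."""
    pwtypes, mechs = Counter(), Counter()
    for line in lines:
        if (m := AUTH_RE.search(line)):
            pwtypes[(m["service"], m["pwtype"], m["status"])] += 1
        elif (m := AUTHZ_RE.search(line)):
            mechs[(m["service"], m["mech"], host_only(m["remote"]))] += 1
    return pwtypes, mechs

# Constructed sample, one event per line (journal output does not wrap the
# way the mail client wrapped the quoted log). Names/addresses are made up.
SAMPLE = [
    r"Auth: [winbind,NTLM_AUTH, nss_winbind, 1003] user [EXAMPLE]\[alice] at [Tue, 19 Oct 2021 "
    r"14:22:55 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [PC01] remote host [unix:]",
    r"Auth: [DCE/RPC,(null)] user [EXAMPLE]\[alice] at [Tue, 19 Oct 2021 14:22:55 CEST] with "
    r"[NTLMv2] status [NT_STATUS_OK] workstation [PC01] remote host [ipv4:192.0.2.10:49949]",
    r"Successful AuthZ: [DCE/RPC,NTLMSSP] user [EXAMPLE]\[alice] [S-1-5-21-1-2-3-1104] at "
    r"[Tue, 19 Oct 2021 14:22:55 CEST] Remote host [ipv4:192.0.2.10:49949] local host [x]",
    r"Successful AuthZ: [SMB2,krb5] user [EXAMPLE]\[bob] [S-1-5-21-1-2-3-1105] at "
    r"[Tue, 19 Oct 2021 14:23:01 CEST] Remote host [ipv4:192.0.2.11:50112] local host [x]",
]

if __name__ == "__main__":
    pw, mech = summarize(SAMPLE)
    for key, n in sorted(mech.items()):
        print(n, *key)
```
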





