samba dc ntlm netlogin issue with windows 10/11 2023-07 cumulative update

Bug #2027716 reported by msaxl
This bug affects 33 people
Affects            Status                    Importance  Assigned to        Milestone
samba              Unknown                   Unknown
samba (Debian)     Fix Released              Unknown
samba (Ubuntu)     Status tracked in Mantic
  Focal            Fix Released              High        Andreas Hasenack
  Jammy            Fix Released              High        Andreas Hasenack
  Kinetic          Won't Fix                 High        Andreas Hasenack
  Lunar            Fix Released              High        Andreas Hasenack
  Mantic           Fix Released              High        Andreas Hasenack

Bug Description

[ Impact ]

Windows update KB5028166[1] broke the secure channel in trust relationships between windows workstations and samba domain controllers.

This manifests itself in widespread domain users authentication problems, most notably remote desktop access.

[ Test Plan ]

This test plan requires a Windows 10 or 11 machine joined to a samba AD DC. Windows should be fully up-to-date. In particular, KB5028166[1] must be installed.

There are two test cases described here: a simple one, with a very specific check that requires just one command on the windows powershell interface, and a more elaborate one that contains a user story involving remote desktop.

a) Test Secure Channel between windows and the domain controller[2]
- open a powershell window
- run this command:
  Test-ComputerSecureChannel -Verbose

With an unpatched samba AD DC controller, the output of the above command will be "False" and report a broken secure channel:

"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""

With the samba AD DC controller patched with this update, the output will be "True" and report a good secure channel:

"""
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\ubuntu> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "win11".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
"""

b) Access the windows machine via remote desktop
- on the windows machine, enable remote desktop services for the domain users. Be sure to allow it for the user you want to use for the test. Also make sure NLA (Network Level Authentication) is enabled (it's the default, but check)
- logout from windows
- from another Ubuntu system that can reach the windows machine on port 3389 (it does not need any relationship with the domain), install vinagre:

sudo apt install vinagre

- Launch it from the terminal (not the desktop launcher). We want to see its log messages, and they will show up in the terminal it was launched from.

- click connect, select the RDP protocol, and type in the IP of the windows machine and the domain user credentials

With an unpatched samba AD DC controller, the connection will fail, and the terminal where vinagre was launched from will print this error message:

[11:02:48:250] [2029009:2029009] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server

The key here is that the trust relationship is broken.

- With a patched samba AD DC controller, the remote desktop connection will accept the credentials and work.

1. https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
2. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

[ Where problems could occur ]

The patches went through some iterations, but have stabilized now and are committed to samba upstream. There is more work to be done (https://bugzilla.samba.org/show_bug.cgi?id=15425), but the more urgent fix is what is presented here and in the latest samba upstream releases.

Problems that can happen here are, in no particular order:
- break domain trust entirely
- Microsoft publishes another patch in reaction to this which changes behavior once again
- more follow-up fixes are necessary

[ Other Info ]

Given the urgency of this fix, I published a PPA and this bug report has comments stating that real life deployments were fixed by this update.

[Original Description]

This bug is just a reminder/link to upstream bug https://bugzilla.samba.org/show_bug.cgi?id=15418

The impact of this issue is that a windows 10/11 machine joined to a samba ad dc domain will not allow ntlm based logins (ex. freerdp, shared folders on the windows 10 machine) using domain accounts

There is already a solution to this problem. The importance is tagged as critical, so I guess a possible fix will land in master soon.

For ubuntu we will very probably need a sru for all supported lts releases

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Changed in samba (Ubuntu):
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
tags: added: server-todo
msaxl (saxl) wrote :

debian has already applied a (pre-master?) patch in sid (2:4.18.4+dfsg-2).
For ubuntu mantic a resync may be sufficient (if rebasing on 4.18.4 is still feasible)

John Edwards (john-cornerstonelinux) wrote :

We have networks affected by this problem, so if you need any help testing I can use one which has a variety of Windows 10 and 11 machines, including a Windows 10 virtual machine which can be rolled back to the state before the July 2023 update.

Andreas Hasenack (ahasenack) wrote :

The upstream samba bug just got patches for a number of releases, I'll start working on this now.

@john-cornerstonelinux, thanks for your testing offer, I will take you up on that.

Changed in samba (Ubuntu):
status: Confirmed → In Progress
Changed in samba (Ubuntu Lunar):
status: New → In Progress
importance: Undecided → High
Changed in samba (Ubuntu Lunar):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Kinetic):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Markus Rein (mettwurscht) wrote :

This bug also affects samba 4.15.13 coming with Ubuntu 20.04

Changed in samba (Ubuntu Jammy):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Focal):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Andreas Hasenack (ahasenack) wrote :

I have first builds happening on this ppa: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kb5028166/

completely untested yet. I'll trigger the autopkgtests as the builds are finished, and then I'll enable other architectures. For now I just enabled amd64 to be able to trigger the autopkgtests quicker. Once that is green, I'll ask for the other builds.

John Edwards (john-cornerstonelinux) wrote :

Sorry Andreas, I should have mentioned that our servers are all amd64 and most still run focal (Ubuntu 20.04) which has Samba 4.15.

At the moment I'm only seeing deb packages for 4.17 and 4.18, although I guess that might be because the others are still in the build queue.

I'll take another look in a few hours time.

Andreas Hasenack (ahasenack) wrote :

All amd64 packages are built for focal, jammy, kinetic, lunar, and mantic. I triggered the autopkgtests, but the queue[1] is large and it will take many hours I suspect for them to be done.

I'll also try to backport the new domain join test[2] I wrote for lunar to the other stable releases, they could benefit from that test.

1. https://autopkgtest.ubuntu.com/running
2. https://git.launchpad.net/ubuntu/+source/samba/tree/debian/tests/samba-ad-dc-provisioning-internal-dns

Matthew Barratt (mbbarratt) wrote :

Jammy/ARM64 user here - not sure if I'm reading the autopkgtest running web page correctly (apologies if not). The ARM64 / ARMHF queues look pretty quiet at the moment; any chance of setting things running there (if indeed it makes any sense to do so)?

Thank you!

Peter Meiser (meiser79) wrote :

Hi, is there any chance to get this into Ubuntu Bionic even though it's EOL? I use Zentyal 6.2 which is based on Ubuntu Bionic and am also affected by this issue.
Thanks for considering it!

John Edwards (john-cornerstonelinux) wrote :

Thanks very much for the quick provision of those patched packages. Initial results look very positive.

Before installing the patched packages I could only login via RDP using local (non-domain) accounts. The Windows 10 and 11 machines running on real hardware allowed domain logins on the "console", but I suspect that was using cached info. SMB connection to file shares as a domain user also failed with "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE".

After installing the 4.15.13+dfsg-0ubuntu0.20.04.3~ppa1 packages from the PPA I could login without any problems via RDP to Windows 10 & 11 machines using a user account on an NT style domain, and via RDP and the VNC console on a Windows 10 virtual machine. I'm not sure if it makes any difference, but the user account used to test the logins does have local Administrator privileges and has logged into these machines before.

I did not need to repair the trust relationship or leave/rejoin the domain on any of these Windows machines. No problems accessing files, but there were no problems before the patch either, only problems with domain trust preventing login via RDP or SMB.

After installing the patched packages there are also no more of the "Bad switch value" errors of the form:
[2023/07/17 16:48:08.936128, 1] ../../librpc/ndr/ndr.c:662(_ndr_push_error)
  ndr_push_netr_Capabilities: ndr_push_error(Bad Switch): Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7604

For background this is a small LAN with a few Windows machines, not all of which are regularly used. Samba is configured to operate as a Windows NT style domain (not Active Directory). User account info is stored in a replicated LDAP backend on slapd using the smbldap tools. The server is running Ubuntu release 22.04 ("focal") on amd64. Happy to provide other info if needed.

Unfortunately at the moment I don't have access to a similar network with a Samba server running on Ubuntu 22.04 or other versions, so can not test those.

I have not yet tested leaving and rejoining the domain (could try tomorrow), although this network may not be a good test as we have a known problem where a small delay in LDAP replication causes the first attempt to join the domain to fail. The machine account is created but not immediately available to for. The second attempt usually works. We only need to do this about once a year so it's never been a priority to fix.

RedScourge (redscourge) wrote :

Just an FYI to anyone who is currently affected by this problem such as myself, while we wait for the fix to be released, you can either uninstall the 2023-07 Cumulative Update (KB5028166) on every single Windows machine on your entire network(s), or if you're more concerned about security than the fact that the update also breaks Samba clients being able to access or mount shares from Windows machines, you can simply disable requiring NLA via Group Policy via Computer configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Require user authentication for remote connections by using Network Level Authentication.

Andreas Hasenack (ahasenack) wrote :

> After installing the patched packages there are also no more of the "Bad switch value" errors of the
> form:
> [2023/07/17 16:48:08.936128, 1] ../../librpc/ndr/ndr.c:662(_ndr_push_error)
> ndr_push_netr_Capabilities: ndr_push_error(Bad Switch): Bad switch value 2 at
> librpc/gen_ndr/ndr_netlogon.c:7604

Thanks for testing, I'll see if this is related to the patch. I have a feeling these patches might still change.

Andreas Hasenack (ahasenack) wrote :

Not a single test run has started yet...:

Q0051 -:-- samba ppa jammy amd64 ahasenack/samba-kb5028166 samba/2:4.15.13+dfsg-0ubuntu1.2~ppa1
Q0048 -:-- samba ppa kinetic amd64 ahasenack/samba-kb5028166 samba/2:4.16.8+dfsg-0ubuntu1.2~ppa1
Q0091 -:-- samba ppa lunar amd64 ahasenack/samba-kb5028166 samba/2:4.17.7+dfsg-1ubuntu2~ppa1
Q0005 -:-- samba ppa mantic amd64 ahasenack/samba-kb5028166 samba/2:4.18.4+dfsg-2ubuntu1~ppa1

And looks like I forgot to trigger focal. Doing so now.

Andreas Hasenack (ahasenack) wrote :

> Jammy/ARM64 user here - not sure if I'm reading the autopkgtest running web page correctly (apologies if
> not). The ARM64 / ARMHF queues look pretty quiet at the moment; any chance of setting things running
> there (if indeed it makes any sense to do so)

I'll do it before I leave for the day, so that something can happen during the evening.

John Edwards (john-cornerstonelinux) wrote :

In reply to Andreas Hasenack comment #14: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716/comments/14

I believe that the "Bad Switch" error message is very much related to the problem because originally there were only 2 states (0 and 1) for netr_LogonGetCapabilities and the recent July 2023 Microsoft Windows security update added an undocumented 3rd state (2), and so breaks the Samba code which processes.

See comment #1 in the Samba bug report: https://bugzilla.samba.org/show_bug.cgi?id=15418#c1

And also this email: https://lists.samba.org/archive/cifs-protocol/2023-July/004004.html

I've not seen that error message before last week, and now I see it from all Windows machines which are members of an NT style domain which have had the recent July 2023 Microsoft Windows security update installed. It is not logged for Windows clients which have not had the update installed, or had it uninstalled.

I think the fact I don't see it in the Samba logs after I installed your patched Samba packages is another sign that the patch clears the immediate domain trust problem.

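The "Bad switch value 2" lines quoted earlier in this thread are the log-side signature of the undocumented third capability level described above. As an added triage script (not code from this bug report or from Samba), the following scans Samba DC log lines for that NDR push failure and reports how often and when it occurred; the sample log it runs on is constructed here, modelled on the quoted two-line message.

```python
"""Scan Samba DC log lines for the netr_LogonGetCapabilities marshalling
failure ("Bad switch value N") that clients with KB5028166 trigger against
an unpatched DC. Added example; the sample log below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.micro, level] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?), *(?P<level>\d+)\] "
    r"(?P<loc>\S+)\s*$"
)

# NDR push failure for the netr_Capabilities union. The switch value is the
# query_level the client asked for; only 0 and 1 were documented before.
BAD_SWITCH_RE = re.compile(
    r"ndr_push_netr_Capabilities: ndr_push_error\(Bad Switch\): "
    r"Bad switch value (?P<value>\d+)"
)

KNOWN_QUERY_LEVELS = {0, 1}


@dataclass
class BadSwitchEvent:
    when: datetime
    debug_level: int
    switch_value: int


def parse_samba_timestamp(ts: str) -> datetime:
    fmt = "%Y/%m/%d %H:%M:%S.%f" if "." in ts else "%Y/%m/%d %H:%M:%S"
    return datetime.strptime(ts, fmt)


def find_bad_switch_events(lines: Iterable[str]) -> List[BadSwitchEvent]:
    """Pair each indented message line with the header line preceding it."""
    events: List[BadSwitchEvent] = []
    header: Optional["re.Match"] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            header = m  # message lines that follow belong to this header
            continue
        b = BAD_SWITCH_RE.search(line)
        if b and header is not None:
            events.append(BadSwitchEvent(
                when=parse_samba_timestamp(header.group("ts")),
                debug_level=int(header.group("level")),
                switch_value=int(b.group("value")),
            ))
    return events


def summarize(events: List[BadSwitchEvent]) -> dict:
    """Condense the events into what an operator wants at a glance."""
    values = sorted({e.switch_value for e in events})
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "count": len(events),
        "switch_values": values,
        "undocumented_levels": [v for v in values if v not in KNOWN_QUERY_LEVELS],
        "first": events[0].when.strftime(fmt) if events else None,
        "last": events[-1].when.strftime(fmt) if events else None,
    }


# Constructed sample log: two hits of the failure and one unrelated message.
SAMPLE_LOG = """\
[2023/07/17 16:48:08.936128, 1] ../../librpc/ndr/ndr.c:662(_ndr_push_error)
  ndr_push_netr_Capabilities: ndr_push_error(Bad Switch): Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7604
[2023/07/17 16:50:00.000000, 3] constructed/example.c:1(example_function)
  some unrelated constructed message
[2023/07/17 16:52:41.001234, 1] ../../librpc/ndr/ndr.c:662(_ndr_push_error)
  ndr_push_netr_Capabilities: ndr_push_error(Bad Switch): Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7604
"""


if __name__ == "__main__":
    # On a real DC, read log.samba (or journal output) instead of SAMPLE_LOG.
    print(summarize(find_bad_switch_events(SAMPLE_LOG.splitlines())))
```

A non-empty "undocumented_levels" list on an unpatched DC is the hint to apply the fixed samba package rather than to repair or rejoin client machines.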
Andreas Hasenack (ahasenack) wrote :

Ah, sorry, I misread what you wrote before: "After installing the patched packages there are also no more of the "Bad switch value" errors of the form". I somehow skipped the "no more" portion of your statement :)

So I mistakenly thought you *started* seeing this message after the patch, and was a bit puzzled :)

Andreas Hasenack (ahasenack) wrote :

I triggered the builds of the remaining architectures in the ppa.

Andreas Hasenack (ahasenack) wrote :

> Hi, is there any chance to get this into Ubuntu Bionic even though it's EOL? I use Zentyal 6.2 which is
> based on Ubuntu Bionic and am also affected by this issue.
> Thanks for considering it!

It looks like the patch applies, I'll see what can be done.

Matthew Barratt (mbbarratt) wrote :

>I'll do it before I leave for the day, so that something can happen during the evening.

Thanks Andreas :-)

Andreas Hasenack (ahasenack) wrote :

Getting this complex domain join test running in older releases of Ubuntu is proving annoying, but I'm almost there. There are slight changes here and there that break the test in subtle ways. Even lxd changed. Just focal remaining now.

XanderCDN (xandercdn) wrote :

Any idea if this patch will be backported to older LTS releases (14/16/18) covered under Ubuntu Advantage?

John Edwards (john-cornerstonelinux) wrote :

Below are the results of leaving and rejoining the NT domain with a Windows 10 Pro client (running on a KVM virtual machine) and an Ubuntu 20.04 ("focal") domain controller running Samba 4.15.13+dfsg-0ubuntu0.20.04.3~ppa1 packages.

Machine trust account not deleted = Produces an error "An account with the same name exists in Active Directory. Reusing the account was blocked by security alert." Unfortunately I can't remember if this is the same behaviour as before the patch.

After deleting the machine trust account = 1st attempt produces the error "The specified computer account could not be found." This is as expected because we have a small delay due to LDAP replication between servers.

The 2nd attempt reports success (as expected). Then after the required reboot I could login as a user account which had previously logged in and could access the old profile, and also as a newly created user account which had never logged into the machine before and had not been added via the User Accounts control panel (again as expected). After login I could access the domain to look up user accounts.

So apart from the error message when trying to join the domain when the machine trust account already exists, I think that is a success for the patched packages on Ubuntu 20.04.

To check if that behaviour when the machine trust account already exists is something new I will have to try to find an unpatched Ubuntu server to test with, possibly tomorrow.

brot (schnitzelkuchen) wrote :

I have added the PPA ( https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kb5028166/ ) to both my 22.04 based domain controllers and updated samba on both.

After restarting both dc01 and dc02 I applied KB5028166 to one Windows 10 Pro client, which after rebooting did not show signs of any problems. Test-ComputerSecureChannel returns "True" - as it should.

Other Windows 11 machines on the network, which still had KB5028166 applied since Microsoft released the patch last tuesday, are now reachable again via WinRM. It looks like they fixed the domain trust themselves without rebooting said machines.

The patch fixes the problem, and I am happy to report that 2:4.15.13+dfsg-0ubuntu1.2~ppa2 does not introduce other problems so far.

Thank you for your work,
Michael

Andreas Hasenack (ahasenack) wrote :

> Any idea if this patch will be backported to older LTS releases (14/16/18) covered under Ubuntu Advantage?

I have uploaded a bionic (ubuntu 18.04) package to the ppa. I intend to make that available through ESM for Bionic, since bionic has reached end of standard support.

I haven't considered earlier releases, like xenial or trusty. Does samba in those old releases even work with current AD domains?

John Edwards (john-cornerstonelinux) wrote :

I can confirm that on a Samba server operating as a PDC for an NT style domain running Ubuntu 20.04 ("focal") which is not running the patched packages the behaviour is the same when trying to join a Windows 10 machine (which has had the July 2023 update installed and rebooted) to the domain.

So I believe that the error "An account with the same name exists in Active Directory. Reusing the account was blocked by security alert." when trying to add a machine back into the domain after it has left is unrelated to this Samba patch. I suspect that it is likely to be some recent Windows 10 update, but I can't be sure which one or when it was introduced as I only need to do this leaving/joining operation once every few years.

RedScourge (redscourge) wrote :

On this note, while it's a bit disturbing that the entire Samba dev community seems to have been totally blindsided by this catastrophic issue which has apparently been over 8 months in the making, does anyone happen to know if the devs are aware of the big pending October 2023 change whereby Kerberos RC4-HMAC becomes enforced, and whether that is likely to break Samba in this same way too? See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37966 and https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

RedScourge (redscourge) wrote :

This looks like another pending AD change with a promising chance to break all our networks if the devs aren't aware of it too: Kerberos/Certificate-based authentication on DCs becomes enforced after being moved from May to November 2023. See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26931 and https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16.

Douglas Bagnall (douglasbagnall) wrote :

This is not related to https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37966 (RC4 in Kerberos) which was addressed in Samba 4.17 (See https://www.samba.org/samba/history/samba-4.17.0.html).

This is a previously unannounced change in the netlogon RPC protocol, and a sudden change in Windows client behaviour.

The only relationship to the Kerberos issue is it was released at the same time.

If you want to know the details you could do worse than following this thread https://lists.samba.org/archive/cifs-protocol/2023-July/004004.html or just read the proposed updates to the protocol document
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NRPC/%5bMS-NRPC%5d-20230718-diff.pdf.

msaxl (saxl) wrote :

just got an updated package that contains some spotlight and winbind security fixes that have a higher priority than this one.

if you update to ex 4.15.13+dfsg-0ubuntu1.2 it will break ad-dc again.

@redscourge since the windows update that broke ntlm was released at the same time as the netlogon sign/seal enforcement, many believe this bug and the netlogon security requirements are the same thing, but they are not (very bad timing from microsoft: both contain the word netlogon and people link both issues together).
Prior to the enforcement phase the security requirements were in place by default, but you as an admin had the possibility to change the behaviour.

@douglasbagnall where did you find the doc? I followed both the bug tracker and, around the days when the issue was found, the mailing list, and nobody had found the updated idl and documentation

Chris Puttick (cputtick) wrote :

Discussion of the protocol change, now documented, can be found here: https://lists.samba.org/archive/cifs-protocol/2023-July/thread.html#start

Douglas Bagnall (douglasbagnall) wrote :

@msaxl: yeah, it is new (the "20230718" in the filename would be my guess). That's via https://lists.samba.org/archive/cifs-protocol/2023-July/004012.html.

msaxl (saxl) wrote :

@douglasbagnall I think so given the footer says
Release: July 18, 2023

The protocol change was documented over a year ago, on 2022-04-29 (or the document we see has no revision at all, that could also be the case). Guess they have had the code server side since about then, but only now they enabled it client side (or even also server side)

just trying to implement (in a lazy way, just to check if this is the solution) the query_level 2
compiling, as always, takes some time...

Stefan Metzmacher (metze) wrote :

The currently released MS-NRPC was released on 2022-04-29, but the latest diff document was created on July 18, 2023 and published on July 19, 2023, see
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NRPC/%5bMS-NRPC%5d-errata.pdf
and https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NRPC/%5bMS-NRPC%5d-20230718-diff.pdf

Andreas Hasenack (ahasenack) wrote :

> just got an updated package that contains some spotlight and winbind security fixes that has a higher priority than this one.

Yes, I need to rebase the PPA changes on top of that security update.

Glenn B (gbitglenn) wrote :

> I haven't considered earlier releases, like xenial or trusty. Does samba in those old releases even work with current AD domains?

I have SAMBA DCs on both Xenial and Bionic. They do not talk to actual Windows AD controllers - they're the controller. I can tell you that this bug impacts them as well though, as clients can't connect for the same reason.

Marie (mhbeyle) wrote (last edit ):

@ahasenack

>Yes, I need to rebase the PPA changes on top of that security update.

Sorry for the inconvenience, but do the current PPA packages interfere with the latest security update?

For example, can ppa 2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa1 be applied over focal security update 2:4.15.13+dfsg-0ubuntu0.20.04.3 (current version) without problems?

thanks a lot

Andreas Hasenack (ahasenack) wrote (last edit ):

The current ppa contents include the recent security update for samba, *EXCEPT* for the bionic build, which did not receive said security update.

Specifically regarding your question:

2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa1 includes the fix from 2:4.15.13+dfsg-0ubuntu0.20.04.3.

You can click on the package name in this[1] view and it will show two changelog entries: mine, and the previous one from the security team.

1. https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kb5028166/+packages

Matthew Barratt (mbbarratt) wrote :

Applied 2:4.15.13+dfsg-0ubuntu1.3~ppa1 from the PPA to R-Pi / Jammy - works a treat. Thanks very much Andreas!

Looking over at the SAMBA bug https://bugzilla.samba.org/show_bug.cgi?id=15418 it looks like Microsoft have been quickly forthcoming over the actual protocol change, and they're working on a proper fix at https://bugzilla.samba.org/show_bug.cgi?id=15425. I imagine it will take some time for that to be complete. Your quick work on this temporary fix has been invaluable, thanks again :-)

Marie (mhbeyle) wrote (last edit ):

Here is my experience with the ppa update. I hope it helps.

I have applied the focal PPA package 2:4.15.13+dfsg-0ubuntu0.20.04.4~ppa1 over the latest official security update (2:4.15.13+dfsg-0ubuntu0.20.04.3) and the bug that originated with the KB5028166 windows update has been successfully resolved.

No reboot has been necessary, neither on the client nor on the server side.

The response of the "Test-ComputerSecureChannel" command is satisfactory as it returns "True" after applying the ppa package. Other bugs with GPO directives that failed with the trust relationship have also been fixed.

I do not see any additional malfunctions.

Maciej Gołuchowski (valherupl) wrote :

Hi, does anyone know the release date of this patch to the official repo?

msaxl (saxl) wrote :

see https://wiki.ubuntu.com/StableReleaseUpdates

> The ~ubuntu-sru team will review and accept your upload. You can then test the actual binaries in the Ubuntu archive yourself and follow up in the bug report regarding your verification of the bug. The SRU team will evaluate the testing feedback and they will move the package into -updates after it has passed a minimum aging period of 7 days.

There is currently a diff available. This has to be reviewed and accepted by the SRU team (I think it is not yet, else it should land in -proposed). When this happens it will take at least 7 days until it lands in -updates.

Andreas Hasenack (ahasenack) wrote :

Has anybody tried the bionic build from the ppa? I just tested remote desktop with windows 10 joined to that bionic domain, and I still couldn't authenticate after the patch. I got a different error in the logs, it might be something else, or a mistake I made.

Andreas Hasenack (ahasenack) wrote :

> Hi, does anyone know the release date of this patch to the official repo?

I'm getting reviews on those changes still, hopefully today or tomorrow, then I can upload and the SRU process can start.

Lucas Kanashiro (lucaskanashiro) wrote :

Kinetic became EOL, so marking its task as Won't Fix.

Changed in samba (Ubuntu Kinetic):
status: In Progress → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.18.5+dfsg-1ubuntu1

---------------
samba (2:4.18.5+dfsg-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2028265, LP: #2027716). Remaining
    changes:
    - debian/control: Ubuntu i386 binary compatibility:
      + drop ceph support
      + enable the liburing vfs module, except on i386 where liburing is
        not available
      + build-depend on libglusterfs-dev only on !i386 arches
    - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
      samba AD DC provisioning and domain join tests with internal DNS
      (LP #1977746, LP #2011745)
    - d/t/util: reload instead of restarting samba, as it's quicker and
      has the same effect we want in this test

 -- Andreas Hasenack <email address hidden> Thu, 20 Jul 2023 10:15:22 -0300

Changed in samba (Ubuntu Mantic):
status: In Progress → Fix Released
Andreas Hasenack (ahasenack) wrote :

focal, jammy and lunar uploaded to the unapproved queue, waiting for the SRU team to approve now.

Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello msaxl, or anyone else affected,

Accepted samba into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.17.7+dfsg-1ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Lunar):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-lunar
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (samba/2:4.17.7+dfsg-1ubuntu2)

All autopkgtests for the newly accepted samba (2:4.17.7+dfsg-1ubuntu2) for lunar have finished running.
The following regressions have been reported in tests triggered by the package:

adsys/0.11.0 (arm64)
autofs/unknown (amd64)
backuppc/unknown (amd64)
freeradius/3.2.1+dfsg-1 (amd64)
gvfs/1.50.4-1 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/lunar/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
XanderCDN (xandercdn) wrote (last edit ):

Andreas, I just installed the samba4 patches from your PPA on Bionic. Let me know if there's anything you need me to test.

This is with a samba4 dc, and ~50 domain joined computers (Win10 and macOS). Some Win10 boxes with SMBv1 and SMBv3 shares to feed files to non-domain joined Windows Embedded machines.

John Hainsworth (scarn)
Changed in samba (Ubuntu Jammy):
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Lunar verification

Reproducing the problem:

$ apt-cache policy samba
samba:
  Installed: 2:4.17.7+dfsg-1ubuntu1.1
  Candidate: 2:4.17.7+dfsg-1ubuntu1.1
  Version table:
 *** 2:4.17.7+dfsg-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu lunar-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu lunar-security/main amd64 Packages
        100 /var/lib/dpkg/status

I installed Windows 10 in a vm, did NOT apply any updates, and joined a samba domain.

a) Secure channel test
With the non-updated samba version, the test returns that the channel is broken:
"""
PS C:\Users\Focal.SAMBA> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "DESKTOP-FN048B9".
False
VERBOSE: The secure channel between the local computer and the domain samba.internal is broken.
"""

With the updated samba version, the test returns that the channel is established:

$ apt-cache policy samba
samba:
  Installed: 2:4.17.7+dfsg-1ubuntu2
  Candidate: 2:4.17.7+dfsg-1ubuntu2
  Version table:
 *** 2:4.17.7+dfsg-1ubuntu2 100
        100 http://br.archive.ubuntu.com/ubuntu lunar-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

"""
PS C:\Users\focal> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "DESKTOP-FN048B9".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.
PS C:\Users\focal>
"""

b) Remote Desktop
I enabled remote desktop on the windows VM, and accessed it with the vinagre RDP tool.

I then updated windows 10 with KB5028166, rebooted, and a new login attempt with vinagre failed with this error:
[15:01:52:917] [58702:58702] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
[15:01:52:917] [58702:58702] [ERROR][com.freerdp.core.nla] - SPNEGO failed with NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D]
[15:01:52:918] [58702:58702] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[15:01:52:918] [58702:58702] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail

I then updated samba to the version in proposed:

$ apt-cache policy samba
samba:
  Installed: 2:4.17.7+dfsg-1ubuntu2
  Candidate: 2:4.17.7+dfsg-1ubuntu2
  Version table:
 *** 2:4.17.7+dfsg-1ubuntu2 100
        100 http://br.archive.ubuntu.com/ubuntu lunar-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

And then the vinagre RDP login and access worked just fine with the domain user.

Lunar verification succeeded.

tags: added: verification-done-lunar
removed: verification-needed-lunar
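
The verification above (and the Jammy and Focal verifications further down) relies on three signals that all say the same thing: the `Test-ComputerSecureChannel` verdict, FreeRDP's NLA log lines carrying NTSTATUS 0xC000018D, and smbclient's `NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE`. The Python below is an added example for recognising that symptom mechanically; it is not code from this thread, from samba, or from Ubuntu. The log lines and PowerShell output it embeds are constructed after the ones quoted in the thread (timestamps, PIDs and hostname are made up), and the hex value for STATUS_TRUSTED_RELATIONSHIP_FAILURE is the one FreeRDP printed above.

```python
"""Triage helper: recognise the trust-relationship failure this bug describes in the
three places it shows up (Test-ComputerSecureChannel, FreeRDP NLA log, smbclient)."""
import re
from typing import Dict, List, Optional, Tuple

# NTSTATUS code FreeRDP printed in the thread for the broken secure channel.
STATUS_TRUSTED_RELATIONSHIP_FAILURE = 0xC000018D
NT_STATUS_NAME = "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE"  # smbclient's spelling of the same status

# "... NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] ..."
_FREERDP_RE = re.compile(r"NTSTATUS:\s+(?P<name>[A-Z0-9_]+)\s+\[0x(?P<code>[0-9A-Fa-f]{8})\]")
# "session setup failed: NT_STATUS_..."
_SMBCLIENT_RE = re.compile(r"session setup failed:\s+(?P<name>NT_STATUS_[A-Z0-9_]+)")
# Test-ComputerSecureChannel prints a bare True/False line before its VERBOSE verdict.
_PS_VERDICT_RE = re.compile(r"^(True|False)\s*$", re.MULTILINE)


def freerdp_ntstatus(line: str) -> Optional[Tuple[str, int]]:
    """(status name, numeric code) from a FreeRDP NLA log line, or None if it has no NTSTATUS."""
    m = _FREERDP_RE.search(line)
    return (m.group("name"), int(m.group("code"), 16)) if m else None


def smbclient_status(line: str) -> Optional[str]:
    """The NT_STATUS name from an smbclient 'session setup failed' line, or None."""
    m = _SMBCLIENT_RE.search(line)
    return m.group("name") if m else None


def secure_channel_ok(ps_output: str) -> Optional[bool]:
    """True/False from Test-ComputerSecureChannel output; None if no verdict line is present."""
    m = _PS_VERDICT_RE.search(ps_output)
    return (m.group(1) == "True") if m else None


def triage(freerdp_lines: List[str], smbclient_lines: List[str], ps_output: str) -> Dict[str, object]:
    """Count trust-relationship failures per source and say whether the symptom is present."""
    rdp_hits = 0
    for line in freerdp_lines:
        parsed = freerdp_ntstatus(line)
        if parsed and parsed[1] == STATUS_TRUSTED_RELATIONSHIP_FAILURE:
            rdp_hits += 1
    smb_hits = sum(1 for line in smbclient_lines if smbclient_status(line) == NT_STATUS_NAME)
    channel = secure_channel_ok(ps_output)
    return {
        "secure_channel_ok": channel,
        "rdp_trust_failures": rdp_hits,
        "smbclient_trust_failures": smb_hits,
        "trust_failure_seen": channel is False or rdp_hits > 0 or smb_hits > 0,
    }


# Constructed samples, modelled on the output quoted in this bug (timestamps and PIDs made up).
SAMPLE_FREERDP_LOG = [
    "[15:01:52:917] [4242:4242] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: "
    "STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server",
    "[15:01:52:917] [4242:4242] [ERROR][com.freerdp.core.nla] - SPNEGO failed with NTSTATUS: "
    "STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D]",
    "[15:01:52:918] [4242:4242] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex "
    "ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]",
]
SAMPLE_SMBCLIENT = [
    "Password for [SAMBA\\focal]:",
    "session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE",
]
SAMPLE_PS_BROKEN = """\
PS C:\\Users\\focal> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "DESKTOP-EXAMPLE".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.
"""
SAMPLE_PS_OK = SAMPLE_PS_BROKEN.replace("\nFalse\n", "\nTrue\n").replace("is broken.", "is in good condition.")

if __name__ == "__main__":
    print(triage(SAMPLE_FREERDP_LOG, SAMPLE_SMBCLIENT, SAMPLE_PS_BROKEN))
    print(triage([], [], SAMPLE_PS_OK))
```

Running it on the broken samples reports two RDP hits, one smbclient hit and a False secure channel; on the healthy PowerShell output alone it reports no symptom. Pointing the three parsers at real `xfreerdp` output, an smbclient transcript and a saved `Test-ComputerSecureChannel` run gives the same before/after comparison the verifications in this thread did by hand.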
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> Andreas, I just installed the samba4 patches from your PPA on Bionic. Let me know if there's anything you
> need me to test.

Well, just let me know if in your case the bionic package from the ppa fixes the problems for you, introduced by KB-5028166.

In my tests, I couldn't get vinagre (remote desktop client tool) to connect to the joined windows server, I think it doesn't support some authentication mechanism. Remmina (another remote desktop tool) connected just fine.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Never mind, vinagre eventually worked too.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> All autopkgtests for the newly accepted samba (2:4.17.7+dfsg-1ubuntu2) for lunar have finished running.

I have retried the failing tests and they are green now. The excuses page should reflect that the next time it refreshes.

Revision history for this message
Robie Basak (racb) wrote :

FTR, I noticed that Andreas had removed some upstream tests in his backport and asked about these. His answer:

> 15:59 <ahasenack> rbasak: those tests are not run at build time, they are specific upstream tests, "torture tests"

So as they're not going to be run anyway, I think it's fine to skip backporting them.

Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello msaxl, or anyone else affected,

Accepted samba into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Changed in samba (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Robie Basak (racb) wrote :

Hello msaxl, or anyone else affected,

Accepted samba into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu0.20.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
RedScourge (redscourge) wrote :

Hi, I am trying to try the jammy-proposed packages for this, however I am not able to do so because a corresponding package for ctdb is missing, so it holds up everything due to requiring the old version of samba-libs, which prevents me from installing everything else.

Does anyone know an easy fix for this?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Not all builds are done yet, this will take a few hours. You can check this link for the build status of the jammy package:

https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1.3

Revision history for this message
RedScourge (redscourge) wrote :

Never mind, I managed to just remove ctdb and get it to let me install.

However, when I installed, I got some errors. Here is the full output from Aptitude:

root@dc4:~# aptitude
Performing actions...
Preconfiguring packages ...
(Reading database ... 118222 files and directories currently installed.)
Removing ctdb (2:4.15.13+dfsg-0ubuntu1.2) ...
(Reading database ... 118131 files and directories currently installed.)
Preparing to unpack .../00-libsmbclient_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking libsmbclient:amd64 (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../01-samba-vfs-modules_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking samba-vfs-modules:amd64 (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../02-samba-dsdb-modules_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking samba-dsdb-modules:amd64 (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../03-python3-samba_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking python3-samba (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../04-samba_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking samba (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../05-libnss-winbind_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking libnss-winbind:amd64 (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../06-libpam-winbind_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking libpam-winbind:amd64 (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../07-winbind_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking winbind (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../08-samba-common-bin_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking samba-common-bin (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../09-smbclient_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking smbclient (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../10-libwbclient0_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking libwbclient0:amd64 (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../11-samba-libs_2%3a4.15.13+dfsg-0ubuntu1.3_amd64.deb ...
Unpacking samba-libs:amd64 (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Preparing to unpack .../12-samba-common_2%3a4.15.13+dfsg-0ubuntu1.3_all.deb ...
Unpacking samba-common (2:4.15.13+dfsg-0ubuntu1.3) over (2:4.15.13+dfsg-0ubuntu1.2) ...
Setting up samba-common (2:4.15.13+dfsg-0ubuntu1.3) ...
Setting up libwbclient0:amd64 (2:4.15.13+dfsg-0ubuntu1.3) ...
Setting up samba-libs:amd64 (2:4.15.13+dfsg-0ubuntu1.3) ...
Setting up libsmbclient:amd64 (2:4.15.13+dfsg-0ubuntu1.3) ...
Setting up smbclient (2:4.15.13+dfsg-0ubuntu1.3) ...
Setting up samba-dsdb-modules:amd64 (2:4.15.13+dfsg-0ubuntu1.3) ...
Setting up python3-samba (2:4.15.13+dfsg-0ubuntu1.3) ...
Setting up samba-vfs-modules:amd64 (2:4.15.13+dfsg-0ubuntu1.3) ...
Setting up samba-common-bin (2:4.15.13...

Revision history for this message
RedScourge (redscourge) wrote :

I then tried to undo all this and it failed with pretty much the same errors. So then on a hunch I tried reinstalling every package that seemed to have to do with the LDB library, which was ldb-tools libldb2 and python3-ldb, and it seems to have let me get back to how it was before.

I then tried to install these proposed packages again, and of course they broke in the same way, but then instead of reverting them, I followed that up with that same reinstall of ldb-tools libldb2 and python3-ldb, and then I was able to run "samba-tool" on the command line without errors or any more of those errors appearing in "systemctl status samba-ad-dc.service".

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Jammy verification

a) Secure channel test
Reproducing the bug:

ubuntu@j-smb-ad:~$ apt-cache policy samba
samba:
  Installed: 2:4.15.13+dfsg-0ubuntu1.2
  Candidate: 2:4.15.13+dfsg-0ubuntu1.2
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status

Secure channel fails like this:
PS C:\Users\focal.SAMBA.001> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "DESKTOP-FN048B9".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.

I then apply the samba update to the AD machine, from proposed:
ubuntu@j-smb-ad:~$ apt-cache policy samba
samba:
  Installed: 2:4.15.13+dfsg-0ubuntu1.3
  Candidate: 2:4.15.13+dfsg-0ubuntu1.3
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.13+dfsg-0ubuntu1.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages

And the secure channel test succeeds:
PS C:\Users\focal.SAMBA.001> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "DESKTOP-FN048B9".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.

b) remote desktop

Trying to connect yields this error:
[16:34:39:768] [563257:563257] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
[16:34:39:768] [563257:563257] [ERROR][com.freerdp.core.nla] - SPNEGO failed with NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D]
[16:34:39:768] [563257:563257] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[16:34:39:768] [563257:563257] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail

Then apply the update to the version in proposed:
ubuntu@j-smb-ad:~$ apt-cache policy samba
samba:
  Installed: 2:4.15.13+dfsg-0ubuntu1.3
  Candidate: 2:4.15.13+dfsg-0ubuntu1.3
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.13+dfsg-0ubuntu1.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages

And the remote desktop connection this time works without issues.

c) As an additional test, it turns out that a simple smbclient command would also fail with an error about trust relationship, before applying the update:

ubuntu@j-smb-ad:~$ smbclient -L 192.168.100.190 -U focal
Password for [SAMBA\focal]:
session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

After the update, it works:
ubuntu@j-smb-ad:~$ smbclient -L 192.168.100.190 -U foca...

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

@redscourge, the way I test this is: I set up a samba AD DC, join a windows 10 machine to it, and then apply the update.

To apply the update, I enable jammy-proposed, and then just issue "sudo apt install samba", and it will pull in the dependencies needed. I don't know what you selected with aptitude before, but using apt like this worked just fine for me.

I'm attaching the script I used to set up a DC in a jammy VM. It may need adapting, depending on your environment, but it's based on the autopkgtest script that does the same. And I start with installing the packages like this: "sudo apt install samba samba-dsdb-modules samba-vfs-modules winbind smbclient krb5-user"

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Focal verification

a) Secure channel test
Reproducing the bug:
ubuntu@f-smb-ad:~$ apt-cache policy samba
samba:
  Installed: 2:4.15.13+dfsg-0ubuntu0.20.04.3
  Candidate: 2:4.15.13+dfsg-0ubuntu0.20.04.3
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu0.20.04.3 500
        500 http://br.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status

Secure channel fails like this:
PS C:\Users\focal.SAMBA.002> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "DESKTOP-FN048B9".
False
VERBOSE: The secure channel between the local computer and the domain samba.example is broken.

I then apply the samba update to the AD machine, from proposed:

ubuntu@f-smb-ad:~$ apt-cache policy samba
samba:
  Installed: 2:4.15.13+dfsg-0ubuntu0.20.04.4
  Candidate: 2:4.15.13+dfsg-0ubuntu0.20.04.4
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu0.20.04.4 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.13+dfsg-0ubuntu0.20.04.3 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal-security/main amd64 Packages

And the secure channel test succeeds:
PS C:\Users\focal.SAMBA.002> Test-ComputerSecureChannel -Verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "DESKTOP-FN048B9".
True
VERBOSE: The secure channel between the local computer and the domain samba.example is in good condition.

b) remote desktop

Trying to connect yields this error:
[17:08:55:427] [565043:565043] [WARN][com.freerdp.crypto] - The VerifyChangedCertificate callback is deprecated, migrate your application to VerifyChangedCertx
[17:09:13:519] [565043:565043] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
[17:09:13:519] [565043:565043] [ERROR][com.freerdp.core.nla] - SPNEGO failed with NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D]
[17:09:13:519] [565043:565043] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[17:09:13:519] [565043:565043] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail

Then apply the update to the version in proposed:
ubuntu@f-smb-ad:~$ apt-cache policy samba
samba:
  Installed: 2:4.15.13+dfsg-0ubuntu0.20.04.4
  Candidate: 2:4.15.13+dfsg-0ubuntu0.20.04.4
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu0.20.04.4 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.13+dfsg-0ubuntu0.20.04.3 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal-security/main amd64 Packages

And the remote desktop connection this time works without issues.

c) As an additional test, it turns out that a simple smbclient command would also fail with an error about trust relationship, before applying the update:

...

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
RedScourge (redscourge) wrote :

@Andreas I cannot use your setup-dc script as I am running a live instance of samba as an AD-DC in a real existing network and I use the bind DLZ backend not samba internal, and that script uses samba internal. I also am not sure if that script is viable for users who use the resolvconf system service.

For installing the update, I always use aptitude because it provides realtime feedback on if a proposed package change will cause any dependency problems and suggests conflict resolutions, and will revert a proposed package update request if it will result in broken dependencies. I altered the line in /etc/apt/sources.list for main to say jammy-proposed instead of jammy, ran aptitude, looked for samba, told it to update, then went in and did the suggested resolution to fix every conflict that caused, one of which required uninstalling ctdb since there was no corresponding update package for ctdb but it was dependent on the old version of samba-libs whereas all the other packages I was updating depended on the new version. I am wondering if the fact that I did not uninstall ctdb in a separate aptitude session first, then do the samba package update, may have contributed to the problem, or the fact that samba was running at the time of the update and did not like something about my setup perhaps, but my setup is not particularly complicated as I am not a Samba or apt package management expert and do not want to break our entire AD setup by running the wrong command or something.

I hope that explanation helps somehow.

Revision history for this message
Neil Chittenden (neilchittenden) wrote :

FYI in case useful, I've also tested the jammy-proposed samba package on a samba DC with Windows PCs on the domain. Prior to this fix, we were not able to log in with domain accounts via remote desktop to Windows PCs (Windows RDP or remmina from Linux) and the powershell 'Test-ComputerSecureChannel -Verbose' gave false. Having installed the jammy-proposed package, this now works (did have to reboot for my test Windows 10 VM to pick up the change for 'Test-ComputerSecureChannel -Verbose' to return true).

To install, after adding the jammy-proposed apt source and selective upgrading as per https://wiki.ubuntu.com/Testing/EnableProposed, I ran

  sudo apt install --dry-run samba/jammy-proposed ...

repeatedly to determine the correct dependencies, and ended up with the following:

  sudo apt install samba/jammy-proposed samba-common-bin/jammy-proposed libwbclient0/jammy-proposed \
    samba-libs/jammy-proposed python3-samba/jammy-proposed libnss-winbind/jammy-proposed \
    libsmbclient/jammy-proposed samba-dsdb-modules/jammy-proposed samba-vfs-modules/jammy-proposed \
    smbclient/jammy-proposed winbind/jammy-proposed

and then restarted the service:

  sudo systemctl restart samba-ad-dc.service

apt-cache policy samba
samba:
  Installed: 2:4.15.13+dfsg-0ubuntu1.3
  Candidate: 2:4.15.13+dfsg-0ubuntu1.3
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu1.3 400
        400 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.13+dfsg-0ubuntu1.2 500
        500 http://gb.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     2:4.15.5~dfsg-0ubuntu5 500
        500 http://gb.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> I altered the line in /etc/apt/sources.list for main to say jammy-proposed
(...)
> ctdb since there was no corresponding update package

That was the issue, you only enabled proposed for main, and ctdb (and other packages) are in universe.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> I cannot use your setup-dc script as I am running a live instance of samba as an AD-DC in a real existing

Ah, sure, that script is meant for a throw-away deployment, just for testing the fix.

Revision history for this message
msaxl (saxl) wrote :

I can confirm that the lunar package works as expected (2:4.17.7+dfsg-1ubuntu2)

Changed in samba (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hi @valherupl, the jammy task will only be "fix released" once the package reaches the update pocket. For now it's still in proposed:

 samba | 2:4.15.13+dfsg-0ubuntu1.3 | jammy-proposed

Changed in samba (Ubuntu Jammy):
status: Fix Released → Fix Committed
Revision history for this message
Comet Rich (cometrich) wrote :

I use Zentyal 6.2, which is also facing the same issue. I checked, and the version of samba installed is 4.7.6; is this fix workable?

I ran apt update and Zentyal updates; no updates are available. Do I need to do it manually?
How do I apply the patch? Are there any steps, or how do I do it?

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

The fix was not released to jammy-updates yet, so it will not be updated for you with "apt update && apt upgrade". If you want to test the fix before it is released you can enable the jammy-proposed pocket in your apt's sources.list and the update will be found (see comment #71).

Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for samba has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.17.7+dfsg-1ubuntu2

---------------
samba (2:4.17.7+dfsg-1ubuntu2) lunar; urgency=medium

  * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership
    after Windows KB5028166 update (LP: #2027716)

 -- Andreas Hasenack <email address hidden> Thu, 20 Jul 2023 10:26:31 -0300

Changed in samba (Ubuntu Lunar):
status: Fix Committed → Fix Released
Revision history for this message
krbvroc1 (kbass) wrote :

I've tried to read the various Ubuntu FAQs and such but am confused about when this is going to show up in updates for Jammy. The last comment above was the SRU team saying it was released and they were unsubscribing from this bug report. What about jammy? Their comments seem to be lunar only.

https://ubuntu-archive-team.ubuntu.com/pending-sru.html

The above still shows it as -proposed. I cannot find an authoritative description of what is supposed to happen next and when it moves to the phased update pocket.

Revision history for this message
XanderCDN (xandercdn) wrote :

Any idea when the final packages will be pushed to ESM? I don't see any new packages since 2022 in https://esm.ubuntu.com/infra/ubuntu/pool/main/s/samba/

Revision history for this message
Emilian Mitocariu (emilian94) wrote :

I'm in the same situation as krbvroc1. Multiple Samba DCs on Ubuntu 22.04.3, I just did an "apt update" but I don't get offered version 2:4.15.13+dfsg-0ubuntu1.3

This is what I get offered:

# apt-cache policy samba
samba:
  Installed: 2:4.15.13+dfsg-0ubuntu1.2
  Candidate: 2:4.15.13+dfsg-0ubuntu1.2
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu1.2 500
        500 http://gb.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://gb.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.5~dfsg-0ubuntu5 500
        500 http://gb.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

@ krbvroc1 / Emilian

Here is a simplified mini-summary of the SRU [1] process steps, to understand where things are.
Generally, states are tracked per target release.
1. Bug is filed and discussed (states: new, confirmed, triaged)
   examples see all early comments <=#45
2. A fix is prepared and uploaded to -unapproved [2]
   example see comment #48
3. The SRU team does an extra review and accepts it to proposed (state: Fix committed)
   examples see comment #49, #57, #58
   From this moment the package is available for testing from -proposed
4. The new build is verified in -proposed, where it is now available,
   and the per release tags marked as verification-done
   examples see comments #52 #64 and #65
5. Once a bug is verified for a given release and aged (usually min 7 days)
   without finding regressions it is released by an SRU member
   and thereby landing in -updates
   (State: "Fix Released")
   example see comment #75

The per release bug states reflect which stage you are in all the time.
Additionally, if you are curious, there is also a global overview of all ongoing SRUs [3].

Now after that short summary I hope the following makes sense:
"For this case Focal and Jammy are currently in -proposed, already verified and reached >=7 days aging just a few hours ago. So I expect it to be released very soon by the person being on today's SRU duty"

@XanderCDN
Just like Focal/Jammy it is also on its way to ESM in e.g. Bionic, yet not as visible as for the more recent releases. I see you already used the PPA version and helped checking for regressions - thanks!
I sadly do not have an exact timing for you, but I agree it a) didn't release yet but b) should happen soon.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates
[2]: https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=
[3]: https://ubuntu-archive-team.ubuntu.com/pending-sru.html

Revision history for this message
krbvroc1 (kbass) wrote :

@paelzer - I appreciate the summary.

4 days later and https://ubuntu-archive-team.ubuntu.com/pending-sru.html still shows it in the proposed (going on 12 days now), never having been released by the SRU team. Based on some reading of the FAQs, I thought maybe they don't do that heading into a weekend in case of regression, but still no action this week.

Also comment #74 above says 'Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report.' So who is monitoring that this gets released?

Revision history for this message
Brian Murray (brian-murray) wrote :

Last week the Ubuntu Release team was working on the 22.04.3 point release of Ubuntu and subsequently adding packages to the -updates pocket of Ubuntu (i.e. releasing of SRUs) was on hold. Ubuntu 22.04.3 was released on Thursday but as you suspected we do not release updates on Friday.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.15.13+dfsg-0ubuntu1.3

---------------
samba (2:4.15.13+dfsg-0ubuntu1.3) jammy; urgency=medium

  * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership
    after Windows KB5028166 update (LP: #2027716)
  * Cherry pick samba AD DC provisioning DEP8 test from later Ubuntu
    releases (LP: #1977746, LP: #2011745):
    - d/t/control, d/t/util, d/t/samba-ad-dc-provisioning-internal-dns:
      samba AD DC provisioning and domain join tests with internal DNS
      + d/t/control: adjust package dependencies
      + d/t/samba-ad-dc-provisioning-internal-dns: handle the case where
        libnss-winbind does not automatically add winbind to
        /etc/nsswitch.conf (that is done only in Lunar and later)
      + d/t/samba-ad-dc-provisioning-internal-dns: use case insensitive
        match when inspecting kerberos tickets, as the hostname may be
        capitalized

 -- Andreas Hasenack <email address hidden> Sun, 23 Jul 2023 17:09:59 -0300

Changed in samba (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.15.13+dfsg-0ubuntu0.20.04.4

---------------
samba (2:4.15.13+dfsg-0ubuntu0.20.04.4) focal; urgency=medium

  * d/p/secure-channel-faulty-kb5028166.patch: fix domain membership
    after Windows KB5028166 update (LP: #2027716)
  * Cherry pick samba AD DC provisioning DEP8 test from later Ubuntu
    releases (LP: #1977746, LP: #2011745):
    - d/t/control, d/t/util, d/t/samba-ad-dc-provisioning-internal-dns:
      samba AD DC provisioning and domain join tests with internal DNS
      + d/t/control: adjust package dependencies
      + d/t/samba-ad-dc-provisioning-internal-dns: handle the case where
        libnss-winbind does not automatically add winbind to
        /etc/nsswitch.conf (that is done only in Lunar and later)
      + d/t/samba-ad-dc-provisioning-internal-dns: use case insensitive
        match when inspecting kerberos tickets, as the hostname may be
        capitalized
      + d/t/samba-ad-dc-provisioning-internal-dns: Adjust regexp for
        slightly different resolvectl output
      + d/t/util: several lxc command output parsing changes, needed for
        this older version of the lxd snap
      + d/t/samba-ad-dc-provisioning-internal-dns: more dependencies for
        the winbind and sssd domain join tests, which don't get
        installed automatically for us by this version of realmd
      + d/t/util: increase the RLIMIT_MEMLOCK limit for lxd containers,
        as the default of 64kb is too low for at least ppc64el on focal

 -- Andreas Hasenack <email address hidden> Sun, 23 Jul 2023 17:19:48 -0300

Changed in samba (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in samba (Debian):
status: Unknown → Fix Released
Revision history for this message
Lexa (lexa6283) wrote :

Based on what I'm reading here, if I understand it correctly, I should not be experiencing these issues because the output I get from apt-cache policy samba is:
samba:
  Installed: 2:4.16.7+dfsg-l

if it was fixed for focal with

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Lexa, 2:4.16.7+dfsg-1 is not an Ubuntu package.

Revision history for this message
Neustradamus (neustradamus) wrote :