How can I fix Samba 3.6.25 "the trust relationship between this workstation and the primary domain failed" error?
Today I updated our Ubuntu server which is also the primary (and only) domain controller to the latest Samba packages which fixed a few security vulnerabilities. The following packages were updated:
- libpam-winbind:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- smbclient:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- libwbclient0:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- libpam-smbpass:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- samba-common:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- samba:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- winbind:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
- samba-common-bin:amd64 (3.6.3-2ubuntu2.17, 3.6.25-0ubuntu0.12.04.2)
(from /var/log/apt/history.log)
After the update, everybody who rebooted his Windows 7 or 8.1 PC could no longer log into the domain. The error message displayed is "the trust relationship between this workstation and the primary domain failed".
The first thing I tried was removing the affected computer from the domain and adding it again. This used to solve this kind of issue, but not this time. There was no error during this process, but it didn't help either: logging in with a domain account still fails.
Logging in with a local account and then accessing the shares works fine.
The following error is written repeatedly to /var/log/samba/log.
[2016/04/19 11:49:09.975677, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
Googling and Binging (using Bing) so far only found two hits without a solution.
I urgently need a solution, because the number of affected workstations will probably grow fast.
Any hints?
Edit:
I'm not alone: https://askubuntu.com/questions/759123/samba-23-6-25-0ubuntu0-12-04-2-as-pdc-samba3-nt4-domain-windows-machines-lost
But as of now, there are no answers there either.
What helped so far as a temporary workaround was installing the old packages again. The method I chose was downloading the files from the appropriate links from https://launchpad.net/ubuntu/+source/samba/2:3.6.3-2ubuntu2 and then installing them using
dpkg -i libpam-smbpass_3.6.3-2ubuntu2.17_amd64.deb libpam-winbind_3.6.3-2ubuntu2.17_amd64.deb libwbclient0_3.6.3-2ubuntu2.17_amd64.deb samba-common_3.6.3-2ubuntu2.17_all.deb samba_3.6.3-2ubuntu2.17_amd64.deb winbind_3.6.3-2ubuntu2.17_amd64.deb samba-common-bin_3.6.3-2ubuntu2.17_amd64.deb
This restored the previous state; all workstations could authenticate the users again.
As I said: This is a temporary workaround. Since the update was a security update, I still need a solution that works with the update.
This is a regression introduced with the latest Samba updates (the ones which also fixed the Badlock vulnerability).
A temporary solution (other than downgrading) might be to set
server signing = auto
in your smb.conf (don't forget to restart the samba service after that). Unfortunately this only fixed logins for existing users for me. It didn't help for new users who had never logged into the domain before (if I remember right, I got a "No logon servers available..." for these).
One Samba guy working at Red Hat says they have a working fix for that problem. I guess Red Hat will release that fix soon and I would expect it will be distributed for other distributions too.
Ubuntu seems to have fixed this problem with the following update:
http://www.ubuntu.com/usn/usn-2950-3/
released on 2016-05-04.
"USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues.
This update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. Backported regression fixes were added to Samba 3.6.25 in Ubuntu 12.04 LTS."
I installed it today and the problem is gone.
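To see which machine accounts the domain controller is rejecting, and to confirm that the rejections stop once fixed packages are installed, the netlogon entries quoted in the question can be tallied per account. This is an added example, not part of any post above; the sample log lines, the machine names WS-A and WS-B and the function names are constructed for illustration, and the two-line entry layout is an assumption based on the line quoted in the question.

```python
import re
from datetime import datetime

# Entry header as on this page: "[date time.usec, level] source:line(function)".
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+[^\]]*\]\s*(.*)$")
# The rejection message quoted in the question; captures the machine account.
REJECT = re.compile(r"netlogon_creds_server_check failed\..*?machine account\s+(\S*\$)")

def entries(lines):
    """Yield (timestamp, text) per log entry, joining continuation lines."""
    stamp, parts = None, []
    for line in lines:
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(parts)
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            parts = [m.group(2).strip()]
        elif stamp is not None and line.strip():
            parts.append(line.strip())
    if stamp is not None:
        yield stamp, " ".join(parts)

def rejected_accounts(lines, since=None):
    """Return {machine account: [count, first_seen, last_seen]} for rejections."""
    seen = {}
    for stamp, text in entries(lines):
        m = REJECT.search(text)
        if not m or (since is not None and stamp < since):
            continue
        rec = seen.setdefault(m.group(1), [0, stamp, stamp])
        rec[0] += 1
        rec[2] = stamp
    return seen

# Constructed sample (machine names WS-A and WS-B are made up), showing both the
# two-line layout and the single-line form quoted in the question.
SAMPLE = """\
[2016/04/19 11:49:09.975677,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-A machine account WS-A$
[2016/04/19 11:49:12.000000,  1] constructed/example.c:1(example_fn)
  unrelated constructed message
[2016/04/19 11:50:30.000000,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account WS-B$
[2016/04/19 11:52:01.000000,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-A machine account WS-A$
""".splitlines()

if __name__ == "__main__":
    for account, (count, first, last) in rejected_accounts(SAMPLE).items():
        print(f"{account}: {count} rejection(s), first {first}, last {last}")
```

Feed it the lines of the real log file and set `since` to the time the packages were changed; an empty result means no rejections were logged after that point.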