On Sat, 2021-11-13 at 17:00 +0100, Stefan Kania via samba
wrote:
>
> Am 13.11.21 um 16:44 schrieb Rowland Penny via samba:
> > Of course, now I peer very closely at the above, I notice
> > something, why is 'EXAMPLE\root' being asked for a password ? root
> > should not be in your domain, it should be mapped to the domain
> > Administrator. I get this:
> >
> > smbclient -L rpidc1
> > Password for [Administrator at SAMDOM.EXAMPLE.COM]:
> > Anonymous login successful
>
> In version 4.14 I could do a "smbclient -L addc01" with any user,
> even local users from passwd, and I get:
>
> ----------
> root at addc01:~# smbclient -L addc01
> Password for [EXAMPLE\root]:
> Anonymous login successful
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         sysvol          Disk
>         netlogon        Disk
>         IPC$            IPC       IPC Service
> SMB1 disabled -- no workgroup available
> ----------
> With version 4.15 "client use kerberos = desired" is the default, so
> smbclient for local users still works.
>
> With "client use kerberos = required" activated it's not possible
> anymore. That's great, no local user should be able to use smbclient.
> BUT I also expect the same behaviour with an AD user WITHOUT a ticket.
> That's what I don't understand.
The CVE seems to have possibly broken most (if not all) the join
instructions on the internet, including the Samba wiki. If I leave a
domain:
adminuser at mintmate:~$ sudo net ads leave -U Administrator
Enter Administrator's password:
Deleted account for 'MINTMATE' in realm 'SAMDOM.EXAMPLE.COM'
But if I now try to join again:
adminuser at mintmate:~$ sudo net ads join -U Administrator
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain
'SAMDOM.EXAMPLE.COM' over rpc: An invalid parameter was passed to a
service or function.
I have to use a user that is a member of 'Domain Admins':
adminuser at mintmate:~$ sudo net ads join -U SAMDOM\\rowland
Enter SAMDOM\rowland's password:
Using short domain name -- SAMDOM
Joined 'MINTMATE' to dns domain 'samdom.example.com'
Can someone else try this, to confirm it one way or the other?
Rowland
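The thread turns on what "client use kerberos" is effectively set to: with the 4.15 default of "desired", smbclient can still fall back to a password prompt, while "required" refuses non-Kerberos access. The script below is an added example, not part of the list thread and not a Samba tool: it audits an smb.conf-style text for that parameter inside [global], treats an absent setting as "desired" (the default the thread states), and reports whether fallback is still possible. The two sample configs are constructed for the example; the function names and the hardened/default verdicts are this example's own.

```shell
#!/bin/sh
# Added example (not from the Samba list thread): audit the effective
# "client use kerberos" setting in an smb.conf-style file.
# Assumption: the parameter is read from [global]; when it is absent,
# Samba 4.15 defaults to "desired" (as stated in the thread).

# Constructed sample configs, embedded so the script runs offline.
SMB_CONF_DEFAULT='[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
'
SMB_CONF_REQUIRED='[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   client use kerberos = Required
'

# effective_client_kerberos CONFIG_TEXT
#   Prints the effective value: the last "client use kerberos" line found
#   in [global], lower-cased, or "desired" if none is set.
effective_client_kerberos() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ {
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next
        }
        in_global && tolower($0) ~ /^[[:space:]]*client[[:space:]]+use[[:space:]]+kerberos[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            val = tolower($0)
        }
        END { print (val == "" ? "desired" : val) }'
}

# kerberos_policy_verdict CONFIG_TEXT
#   Returns 0 (and prints "ok") only when Kerberos is required; returns 1
#   with a short finding otherwise, since "desired" and "off" both still
#   permit a non-Kerberos password login.
kerberos_policy_verdict() {
    v=$(effective_client_kerberos "$1")
    case "$v" in
        required) printf 'ok: client use kerberos = required\n'; return 0 ;;
        desired)  printf 'finding: kerberos only desired, password fallback possible\n'; return 1 ;;
        off)      printf 'finding: kerberos off\n'; return 1 ;;
        *)        printf 'finding: unrecognised value "%s"\n' "$v"; return 1 ;;
    esac
}

# Usage: run the audit over both constructed configs.
kerberos_policy_verdict "$SMB_CONF_DEFAULT" || true
kerberos_policy_verdict "$SMB_CONF_REQUIRED" || true
```

Pointing the same function at a real file is a matter of `kerberos_policy_verdict "$(cat /etc/samba/smb.conf)"`; note that, unlike `testparm`, this parser does not expand includes or apply Samba's full option normalisation, so treat it as a quick pre-check rather than the authoritative answer.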