Kacper Wirski
2022-Aug-16 14:52 UTC
[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing
Hello,

Recently we added a new DC to an existing Samba domain. It was supposed to be the start of the process of migrating our CentOS 7 based AD-DC to Debian. Samba was installed from the default repo (samba-ad-dc), it's version 4.13.13; CentOS (previous) was on 4.11.4. So right now we have 2 x 4.11.4 and one new 4.13.13.

Everything seems to be working fine with the new DC except for this error/warning that occasionally pops up:

samba[15490]: [2022/08/16 16:07:18.885749,  1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing

It's mostly corresponding to a Java 1.8 application that is using Kerberos (keytab) to re-authenticate to a database. It's not that Java is unable to authenticate, just every few or so minutes (let's say 20-ish) I see this error, but not every time. We've had the setup running for the last 4 years and it's the first time I see this issue.

I would be glad for some pointers, I'm not sure what exactly this error/warning means and what's causing it? Obviously it's related to Kerberos. On my other 2 DCs I've never seen this and googling doesn't help me much either.

I read that in 4.13.14 there was a security change that seems related, but I don't "get" why it mostly works and only sometimes I see this warning/error.

Regards,
Kacper Wirski
Rowland Penny
2022-Aug-16 18:09 UTC
[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing
On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
> Hello,
>
> Recently we added a new DC to an existing Samba domain. It was supposed to be
> the start of the process of migrating our CentOS 7 based AD-DC to Debian.
> Samba was installed from the default repo (samba-ad-dc), it's version
> 4.13.13; CentOS (previous) was on 4.11.4. So right now we have 2 x
> 4.11.4 and one new 4.13.13.
>
> Everything seems to be working fine with the new DC except for this
> error/warning that occasionally pops up:
>
> samba[15490]: [2022/08/16 16:07:18.885749,  1]
> ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
> samba[15490]:   PAC_TYPE_REQUESTER_SID missing
>
> It's mostly corresponding to a Java 1.8 application that is using
> Kerberos (keytab) to re-authenticate to a database. It's not that Java
> is unable to authenticate, just every few or so minutes (let's say
> 20-ish) I see this error, but not every time. We've had the setup
> running for the last 4 years and it's the first time I see this issue.
>
> I would be glad for some pointers, I'm not sure what exactly this
> error/warning means and what's causing it? Obviously it's related to
> Kerberos. On my other 2 DCs I've never seen this and googling doesn't
> help me much either.
>
> I read that in 4.13.14 there was a security change that seems related,
> but I don't "get" why it mostly works and only sometimes I see this
> warning/error.

That error will be coming from your new DC (it is the only one that will have that piece of code), but whatever is causing it will not be using the new DC exclusively, it will use any of the DCs in a round-robin fashion.

I suggest you read this:

https://www.samba.org/samba/security/CVE-2020-25719.html

Rowland
Andrew Bartlett
2022-Aug-16 22:09 UTC
[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing
On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
> Hello,
>
> Recently we added a new DC to an existing Samba domain. It was supposed to be
> the start of the process of migrating our CentOS 7 based AD-DC to Debian.
> Samba was installed from the default repo (samba-ad-dc), it's version
> 4.13.13; CentOS (previous) was on 4.11.4. So right now we have 2 x
> 4.11.4 and one new 4.13.13.
>
> Everything seems to be working fine with the new DC except for this
> error/warning that occasionally pops up:
>
> samba[15490]: [2022/08/16 16:07:18.885749,  1]
> ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
> samba[15490]:   PAC_TYPE_REQUESTER_SID missing

Mixed insecure and secure (unpatched/patched) DCs are not supported after the Nov 2021 security updates.

However, we do our best to stay secure provided there was a normal PAC; we use the SID found there in the main LOGON_INFO.

The warning you see seems to come from the constrained delegation code, so perhaps your application is using that.

Microsoft intends to strictly require patched DCs, and has a registry key that can be set to enforce that now, but keeps putting off the deadline for strict enforcement.

The security issues we fixed are serious; I would strongly recommend getting onto patched versions urgently.

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
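To make the warning in this thread concrete, the following is an added example (not Samba's code, and not what source4/kdc/wdc-samba4.c actually does): it walks the buffer directory of a Kerberos PAC as laid out in MS-PAC, reports whether the PAC_REQUESTOR buffer (ulType 0x12, which Samba's IDL names PAC_TYPE_REQUESTER_SID) is present, and decodes the SID it carries. A PAC issued by an unpatched KDC lacks that buffer, which is the condition the log line describes; the LOGON_INFO fallback Andrew mentions would need full NDR decoding of KERB_VALIDATION_INFO, so this example only reports that LOGON_INFO is present. The two sample PACs, the placeholder LOGON_INFO and checksum payloads, and the SID value are constructed test data, not captured from any real ticket.

```python
"""
Walk a Kerberos PAC buffer directory (MS-PAC 2.3) and check for the
PAC_REQUESTOR / PAC_TYPE_REQUESTER_SID buffer. Added example; not Samba code.
"""
import struct

# ulType values from MS-PAC 2.4, named as in Samba's krb5pac.idl.
PAC_TYPE_LOGON_INFO = 1
PAC_TYPE_SRV_CHECKSUM = 6
PAC_TYPE_KDC_CHECKSUM = 7
PAC_TYPE_LOGON_NAME = 10
PAC_TYPE_UPN_DNS_INFO = 12
PAC_TYPE_TICKET_CHECKSUM = 16
PAC_TYPE_ATTRIBUTES_INFO = 17
PAC_TYPE_REQUESTER_SID = 18


def parse_pac_buffers(pac: bytes) -> dict:
    """Return {ulType: payload} for every entry in the PACTYPE directory.

    Header: cBuffers (uint32 LE), Version (uint32 LE, must be 0), then
    cBuffers entries of ulType (uint32), cbBufferSize (uint32), Offset (uint64),
    each offset relative to the start of the PAC.
    """
    if len(pac) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unsupported PACTYPE version {version}")
    buffers = {}
    for i in range(count):
        entry = 8 + 16 * i
        if entry + 16 > len(pac):
            raise ValueError("PAC buffer directory truncated")
        ultype, size, offset = struct.unpack_from("<IIQ", pac, entry)
        if offset + size > len(pac):
            raise ValueError(f"buffer type {ultype} points outside the PAC")
        if ultype in buffers:
            raise ValueError(f"duplicate buffer type {ultype}")
        buffers[ultype] = pac[offset:offset + size]
    return buffers


def decode_sid(blob: bytes) -> str:
    """Decode an RPC_SID (revision, count, 6-byte authority, LE sub-authorities)."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, subcount = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) < 8 + 4 * subcount:
        raise ValueError("SID sub-authorities truncated")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{subcount}I", blob, 8)
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used only to build the constructed samples."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("not an S-1-... SID")
    authority, subs = int(parts[2]), [int(x) for x in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def check_requester_sid(pac: bytes) -> dict:
    """The presence check behind a 'PAC_TYPE_REQUESTER_SID missing' style warning."""
    buffers = parse_pac_buffers(pac)
    present = PAC_TYPE_REQUESTER_SID in buffers
    return {
        "has_logon_info": PAC_TYPE_LOGON_INFO in buffers,
        "has_requester_sid": present,
        "requester_sid": decode_sid(buffers[PAC_TYPE_REQUESTER_SID]) if present else None,
    }


def build_pac(buffers) -> bytes:
    """Serialise (ulType, payload) pairs into a PAC with 8-byte aligned payloads."""
    n = len(buffers)
    base = 8 + 16 * n
    directory, payload = b"", b""
    for ultype, data in buffers:
        directory += struct.pack("<IIQ", ultype, len(data), base + len(payload))
        payload += data + b"\x00" * ((-len(data)) % 8)
    return struct.pack("<II", n, 0) + directory + payload


# Constructed sample data: zero-filled stand-ins for the NDR-encoded
# KERB_VALIDATION_INFO and the two signature buffers (type + 12-byte digest).
LOGON_INFO_STUB = b"\x00" * 24
CHECKSUM_STUB = struct.pack("<I", 16) + b"\x00" * 12
SAMPLE_SID = "S-1-5-21-1000-2000-3000-1105"  # made-up domain and RID

# Shape of a PAC from a patched KDC (carries the requester SID) ...
PATCHED_PAC = build_pac([
    (PAC_TYPE_LOGON_INFO, LOGON_INFO_STUB),
    (PAC_TYPE_REQUESTER_SID, encode_sid(SAMPLE_SID)),
    (PAC_TYPE_SRV_CHECKSUM, CHECKSUM_STUB),
    (PAC_TYPE_KDC_CHECKSUM, CHECKSUM_STUB),
])
# ... and from an unpatched one (no requester SID buffer at all).
LEGACY_PAC = build_pac([
    (PAC_TYPE_LOGON_INFO, LOGON_INFO_STUB),
    (PAC_TYPE_SRV_CHECKSUM, CHECKSUM_STUB),
    (PAC_TYPE_KDC_CHECKSUM, CHECKSUM_STUB),
])

if __name__ == "__main__":
    for name, pac in (("patched", PATCHED_PAC), ("legacy", LEGACY_PAC)):
        r = check_requester_sid(pac)
        status = r["requester_sid"] if r["has_requester_sid"] else "PAC_TYPE_REQUESTER_SID missing"
        print(f"{name}: logon_info={r['has_logon_info']} requester={status}")
```

In a mixed domain like the one in the thread, which shape the new DC sees depends on which of the three KDCs issued the ticket being presented, which is why the warning appears only some of the time.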