Benedikt Kaleß
2021-Nov-12 14:34 UTC
[Samba] NT_STATUS_INVALID_TOKEN after update to 4.13.14
Dear list,

we updated a file-server to 4.13.14 and we are not able to access the shares as an Administrator anymore.

root@file-server:~# smbstatus -V
Version 4.13.13-SerNet-Debian-12.buster

user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
Enter DOMAIN\Administrator's password:
Try "help" to get a list of possible commands.
smb: \>

Then we updated:

root@file-server:~# smbstatus -V
Version 4.13.14-SerNet-Debian-13.buster

user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
Enter DOMAIN\Administrator's password:
session setup failed: NT_STATUS_INVALID_TOKEN

An "id administrator" works well, a "su - administrator" as well.

We are hesitating to update all our ADs to the newest version 4.13.14 as we want to avoid losing the administrative access to the Shares. A few RODCs in subnets are updated, the ADs are still on 4.13.13.

Does somebody observe the same issue? Where could I start searching?

Best
Benedikt

--
forumZFD
Entschieden für Frieden|Committed to Peace

Benedikt Kaleß
Leiter Team IT|Head team IT

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany

Tel 0221 91273233 | Fax 0221 91273299 | http://www.forumZFD.de

Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht Köln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
Rowland Penny
2021-Nov-12 17:11 UTC
[Samba] NT_STATUS_INVALID_TOKEN after update to 4.13.14
On Fri, 2021-11-12 at 15:34 +0100, Benedikt Kaleß via samba wrote:
> Dear list,
>
> we updated a file-server to 4.13.14 and we are not able to access the
> shares as an Administrator anymore.
>
> root@file-server:~# smbstatus -V
> Version 4.13.13-SerNet-Debian-12.buster
>
> user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
> Enter DOMAIN\Administrator's password:
> Try "help" to get a list of possible commands.
> smb: \>
>
> Then we updated:
>
> root@file-server:~# smbstatus -V
> Version 4.13.14-SerNet-Debian-13.buster
>
> user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
> Enter DOMAIN\Administrator's password:
> session setup failed: NT_STATUS_INVALID_TOKEN
>
> An "id administrator" works well, a "su - administrator" as well.
>
> We are hesitating to update all our ADs to the newest version 4.13.14
> as we want to avoid losing the administrative access to the Shares. A
> few RODCs in subnets are updated, the ADs are still on 4.13.13.
>
> Does somebody observe the same issue? Where could I start searching?

You really shouldn't be using Administrator on a Unix domain member, Administrator is a Windows admin user.

However, my DCs are using 4.15.1, one Unix domain member is using 4.13.14, another is using 4.14.8.

From the 4.14.8 machine to the 4.13.14 machine, I get this:

adminuser@mintmate:~$ smbclient -W SAMDOM -U Administrator //devstation/data
Enter SAMDOM\Administrator's password:
Try "help" to get a list of possible commands.
smb: \>

Or to put it another way, it works.

From the 4.13.14 machine to the 4.14.8 machine, I get this:

rowland@devstation:~$ smbclient -W SAMDOM -U Administrator //mintmate//data1
Enter SAMDOM\Administrator's password:
session setup failed: NT_STATUS_INVALID_TOKEN

It doesn't work.

I think it 'might' have something to do with this:

https://wiki.samba.org/index.php/CVE-2020-25717

Rowland