On Sat, 2021-11-13 at 16:25 +0100, Stefan Kania via samba wrote:
> I just tested the following:
> smb.conf
> ...
> client use kerberos = required
> ...
>
> root at addc01:~# klist
> klist: No ticket file: /tmp/krb5cc_0
>
> root at addc01:~# smbclient -L addc01 -U administrator
> Password for [EXAMPLE\administrator]:
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         sysvol          Disk
>         netlogon        Disk
>         IPC$            IPC       IPC Service (Samba 4.15.1-Debian)
> SMB1 disabled -- no workgroup available
>
> root at addc01:~# klist
> klist: No ticket file: /tmp/krb5cc_0
>
> So using smbclient without Kerberos is still possible if "client use
> kerberos = required" is set. As I understand the manpage, it should
> not be possible to authenticate via password (NTLM).
>
> Only an anonymous use of smbclient is not working:
> root at addc01:~# smbclient -L addc01
> Password for [EXAMPLE\root]:RETURN
> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> session setup failed: NT_STATUS_INVALID_PARAMETER

Of course, now I peer very closely at the above, I notice something, why is 'EXAMPLE\root' being asked for a password? root should not be in your domain, it should be mapped to the domain Administrator. I get this:

smbclient -L rpidc1
Password for [Administrator at SAMDOM.EXAMPLE.COM]:
Anonymous login successful

Rowland

On Sat, 2021-11-13 at 15:44 +0000, Rowland Penny via samba wrote:
> On Sat, 2021-11-13 at 16:25 +0100, Stefan Kania via samba wrote:
> > I just tested the following:
> > smb.conf
> > ...
> > client use kerberos = required
> > ...
> >
> > root at addc01:~# klist
> > klist: No ticket file: /tmp/krb5cc_0
> >
> > root at addc01:~# smbclient -L addc01 -U administrator
> > Password for [EXAMPLE\administrator]:
> >
> >         Sharename       Type      Comment
> >         ---------       ----      -------
> >         sysvol          Disk
> >         netlogon        Disk
> >         IPC$            IPC       IPC Service (Samba 4.15.1-Debian)
> > SMB1 disabled -- no workgroup available
> >
> > root at addc01:~# klist
> > klist: No ticket file: /tmp/krb5cc_0
> >
> > So using smbclient without Kerberos is still possible if "client
> > use kerberos = required" is set. As I understand the manpage, it
> > should not be possible to authenticate via password (NTLM).
> >
> > Only an anonymous use of smbclient is not working:
> > root at addc01:~# smbclient -L addc01
> > Password for [EXAMPLE\root]:RETURN
> > gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> > session setup failed: NT_STATUS_INVALID_PARAMETER
>
> Of course, now I peer very closely at the above, I notice something,
> why is 'EXAMPLE\root' being asked for a password? root should not be
> in your domain, it should be mapped to the domain Administrator. I
> get this:
>
> smbclient -L rpidc1
> Password for [Administrator at SAMDOM.EXAMPLE.COM]:
> Anonymous login successful
>
> Rowland

I realised that I was carrying out these tests on systems running pre the latest releases, and when I tried the tests on my only system running the latest release, it doesn't work and I get DOMAIN\root.

I think that the fix for CVE-2020-25717 (A user in an AD Domain could become root on domain members) has broken usermaps. Did someone forget that it might be an idea to allow Administrator to be mapped to root?

Rowland

On 13.11.21 at 16:44, Rowland Penny via samba wrote:
> Of course, now I peer very closely at the above, I notice something,
> why is 'EXAMPLE\root' being asked for a password? root should not be
> in your domain, it should be mapped to the domain Administrator. I get
> this:
>
> smbclient -L rpidc1
> Password for [Administrator at SAMDOM.EXAMPLE.COM]:
> Anonymous login successful

In version 4.14 I could do a "smbclient -L addc01" with any user, even local users from passwd, and I get:
----------
root at addc01:~# smbclient -L addc01
Password for [EXAMPLE\root]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service
SMB1 disabled -- no workgroup available
----------
With version 4.15, "client use kerberos = desired" is the default, so smbclient for local users still works. With activating "client use kerberos = required" it's not possible anymore. That's great, no local user should be able to use smbclient. BUT I also expect the same behavior with an AD user WITHOUT a ticket. That's what I don't understand.