Hello all,
What I can confirm is that on domain members the Administrator account does
not work any more.
You get an [NT_STATUS_INVALID_TOKEN] if you try and the account is
mapped to root. If it is not mapped to root you get
[NT_STATUS_NO_SUCH_USER].
Connections to Samba servers without the latest updates continue to work,
as well as connections to DCs.
Regards
Christian
On 13.11.21 at 17:56, Rowland Penny via samba wrote:
> On Sat, 2021-11-13 at 17:00 +0100, Stefan Kania via samba wrote:
>>
>> On 13.11.21 at 16:44, Rowland Penny via samba wrote:
>>> Of course, now I peer very closely at the above, I notice something,
>>> why is 'EXAMPLE\root' being asked for a password ? root should not be
>>> in your domain, it should be mapped to the domain Administrator. I get
>>> this:
>>>
>>> smbclient -L rpidc1
>>> Password for [Administrator at SAMDOM.EXAMPLE.COM]:
>>> Anonymous login successful
>>
>> In version 4.14 I could do a "smbclient -L addc01" with any user, even
>> local users from passwd, and I get:
>>
>> ----------
>> root at addc01:~# smbclient -L addc01
>> Password for [EXAMPLE\root]:
>> Anonymous login successful
>>
>> Sharename Type Comment
>> --------- ---- -------
>> sysvol Disk
>> netlogon Disk
>> IPC$ IPC IPC Service
>> SMB1 disabled -- no workgroup available
>> ----------
>> With version 4.15 "client use kerberos = desired" is the default, so
>> smbclient for local users still works.
>>
>> When activating "client use kerberos = required" it's not possible
>> anymore. That's great, no local user should be able to use smbclient.
>> BUT I also expect the same behavior with an AD user WITHOUT a ticket.
>> That's what I don't understand.
>>
>>
>
> The CVE seems to have possibly broken most (if not all) the join
> instructions on the internet, including the Samba wiki. If I leave a
> domain:
>
> adminuser at mintmate:~$ sudo net ads leave -U Administrator
> Enter Administrator's password:
> Deleted account for 'MINTMATE' in realm 'SAMDOM.EXAMPLE.COM'
>
> But If now try to join again:
>
> adminuser at mintmate:~$ sudo net ads join -U Administrator
> Enter Administrator's password:
> Failed to join domain: failed to lookup DC info for domain
> 'SAMDOM.EXAMPLE.COM' over rpc: An invalid parameter was passed to a
> service or function.
>
> I have to use a user that is a member of 'Domain Admins':
>
> adminuser at mintmate:~$ sudo net ads join -U SAMDOM\\rowland
> Enter SAMDOM\rowland's password:
> Using short domain name -- SAMDOM
> Joined 'MINTMATE' to dns domain 'samdom.example.com'
>
> Can someone else try this, to confirm it one way or the other.
>
> Rowland
--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
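As an added example (written for this page, not taken from the thread or from the Samba project), here are the two member-server settings under discussion side by side: the Samba 4.15 default "client use kerberos = desired", under which a local account such as root still gets a password prompt, and "client use kerberos = required", which refuses any client connection that cannot be authenticated with a Kerberos ticket, plus the username map that keeps root from being looked up as a domain user as Rowland describes. The workgroup and realm are the ones quoted in the thread; the path /etc/samba/user.map is an assumption.

```ini
# /etc/samba/smb.conf on a Samba 4.15 domain member (added example, not from the thread)
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   # Samba 4.15 default: Kerberos is tried first, but smbclient falls back
   # to password (NTLM) authentication, so a local account like root still
   # gets a "Password for [SAMDOM\root]:" prompt.
   client use kerberos = desired

   # Stricter setting tested in the thread: only Kerberos-authenticated
   # client connections are allowed, there is no fallback, so a user
   # without a ticket cannot connect at all.
   ;client use kerberos = required

   # Map the local root account to the domain Administrator so that root
   # is never looked up as a domain user (the 'EXAMPLE\root' prompt above).
   # Assumed path; the file holds the single line:
   #   !root = SAMDOM\Administrator
   username map = /etc/samba/user.map
```

Switch the comment marker between the two "client use kerberos" lines to move from the default to the strict mode; with "required" in place, run kinit for the domain user first, because smbclient will no longer ask for a password on its own.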