Rowland Penny
2021-Nov-12 17:37 UTC
[Samba] NT_STATUS_INVALID_TOKEN after update to 4.13.14
On Fri, 2021-11-12 at 17:11 +0000, Rowland Penny via samba wrote:
> On Fri, 2021-11-12 at 15:34 +0100, Benedikt Kale? via samba wrote:
> > Dear list,
> >
> > we updated a file-server to 4.13.14 and we are not able to access
> > the shares as an Administrator anymore.
> >
> > root@file-server:~# smbstatus -V
> > Version 4.13.13-SerNet-Debian-12.buster
> >
> > user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
> > Enter DOMAIN\Administrator's password:
> > Try "help" to get a list of possible commands.
> > smb: \>
> >
> > Then we updated:
> >
> > root@file-server:~# smbstatus -V
> > Version 4.13.14-SerNet-Debian-13.buster
> >
> > user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
> > Enter DOMAIN\Administrator's password:
> > session setup failed: NT_STATUS_INVALID_TOKEN
> >
> > An "id administrator" works well, a "su - administrator" as well.
> >
> > We are hesitating to update all our ADs to the newest version
> > 4.13.14 as we want to avoid losing the administrative access to the
> > Shares. A few RODCs in subnets are updated, the ADs are still on
> > 4.13.13
> >
> > Does somebody observe the same issue? Where could I start searching?
>
> You really shouldn't be using Administrator on a Unix domain member,
> Administrator is a Windows admin user.
>
> However, my DCs are using 4.15.1, one Unix domain member is using
> 4.13.14, another is using 4.14.8
>
> From the 4.14.8 machine to the 4.13.14 machine, I get this:
>
> adminuser@mintmate:~$ smbclient -W SAMDOM -U Administrator //devstation/data
> Enter SAMDOM\Administrator's password:
> Try "help" to get a list of possible commands.
> smb: \>
>
> Or to put it another way, it works
>
> From the 4.13.14 machine to the 4.14.8 machine, I get this:
>
> rowland@devstation:~$ smbclient -W SAMDOM -U Administrator //mintmate//data1
> Enter SAMDOM\Administrator's password:
> session setup failed: NT_STATUS_INVALID_TOKEN
>
> It doesn't work. I think it 'might' have something to do with this:
>
> https://wiki.samba.org/index.php/CVE-2020-25717
>
> Rowland

OOPS :"-)

And then I noticed that I had fat fingered the last command, too many '\'.

So when I do it correctly:

rowland@devstation:~$ smbclient -W SAMDOM -U Administrator //mintmate/data1
Enter SAMDOM\Administrator's password:
session setup failed: NT_STATUS_INVALID_TOKEN

It still doesn't work, but if I use a normal user:

rowland@devstation:~$ smbclient -W SAMDOM -U rowland //mintmate/data1
Enter SAMDOM\rowland's password:
Try "help" to get a list of possible commands.
smb: \>

It works!

So, I think that the CVE I pointed to is doing its job, you need to
stop logging into Samba as Administrator. Not sure where this leaves us
with '!root = SAMDOM\Administrator' in a usermap, I am going to have to
do some testing.

Rowland

On 11/12/21 12:37 PM, Rowland Penny via samba wrote:
> So when I do it correctly:
> rowland@devstation:~$ smbclient -W SAMDOM -U Administrator //mintmate/data1
> Enter SAMDOM\Administrator's password:
> session setup failed: NT_STATUS_INVALID_TOKEN
>
> It still doesn't work, but if I use a normal user:
>
> rowland@devstation:~$ smbclient -W SAMDOM -U rowland //mintmate/data1
> Enter SAMDOM\rowland's password:
> Try "help" to get a list of possible commands.
> smb: \>
>
> It works!
>
> So, I think that the CVE I pointed to, is doing its job, you need to
> stop logging into Samba as Administrator. Not sure where this leaves us
> with '!root = SAMDOM\Administrator' in a usermap, I am going to have to
> do some testing.
>
> Rowland

So where does that leave us? I mean, I am simply trying to do commands such as

net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\Administrator"

or

net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'

None of these work anymore

NT_STATUS_INVALID_TOKEN