Mmmmm
Strange, I checked my smb.conf before the upgrade and none of the parameters is present.
Now I added
allow nt4 crypto = yes
reject md5 clients = no
but nothing changed in my logs:
Mar 30 14:09:58 dc3 samba[1879231]: [2023/03/30 14:09:58.225659, 0]
../../source4/rpc_server/netlogon/dcerpc_netlogon.c:357(dcesrv_netr_ServerAuthenticate3_check_downgrade)
Mar 30 14:09:58 dc3 samba[1879231]: CVE-2022-38023: Check if option 'server
reject md5 schannel:ARRQUADRO_2_16$ = no' might be needed for a legacy
client.
Mar 30 14:09:58 dc3 samba[1879237]: [2023/03/30 14:09:58.795431, 0]
../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1567(dcesrv_netr_LogonSamLogon_base_reply)
Mar 30 14:09:58 dc3 samba[1879237]: dcesrv_netr_LogonSamLogon_base_reply:
netlogon_creds_encrypt_samlogon_validation() failed -
NT_STATUS_INVALID_INFO_CLASS
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny
via samba
Sent: Thursday, 30 March 2023 12:19
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] upgrade from 4.17 to samba 4.18.1
On 30/03/2023 11:06, Corrado Ravinetto via samba wrote:
> Hello all
> On my CentOS 8 I upgraded, compiling it myself from source.
> After the upgrade of my DC from Samba 4.17 to Samba 4.18.1 my logs are full of:
>
> Mar 30 11:58:00 dc3 samba[708393]: CVE-2022-38023:
> client_account[MAGCAMPIONI$] computer_name[MAGCAMPIONI]
> schannel_type[2] client_negotiate_flags[0x600fffff]
> real_account[magcampioni$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0]
> reject_md5[1] Mar 30 11:58:00 dc3 samba[708393]: [2023/03/30
> 11:58:00.117240, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708393]: CVE-2022-38023: Check if option
'server reject md5 schannel:magcampioni$ = no' might be needed for a
legacy client.
> Mar 30 11:58:00 dc3 samba[708379]: [2023/03/30 11:58:00.136897, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708379]: CVE-2022-38023:
> client_account[PASSAPZXP$] computer_name[PASSAPZXP] schannel_type[2]
> client_negotiate_flags[0x600fffff] real_account[passapzxp$]
> NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1] Mar 30
> 11:58:00 dc3 samba[708379]: [2023/03/30 11:58:00.136993, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708379]: CVE-2022-38023: Check if option
'server reject md5 schannel:passapzxp$ = no' might be needed for a
legacy client.
> Mar 30 11:58:48 dc3 samba[708379]: [2023/03/30 11:58:48.782007, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:48 dc3 samba[708379]: CVE-2022-38023:
> client_account[DATACOLOR0719$] computer_name[DATACOLOR0719]
> schannel_type[2] client_negotiate_flags[0x600fffff]
> real_account[DATACOLOR0719$] NT_STATUS_DOWNGRADE_DETECTED
> reject_des[0] reject_md5[1] Mar 30 11:58:48 dc3 samba[708379]:
> [2023/03/30 11:58:48.782116, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:48 dc3 samba[708379]: CVE-2022-38023: Check if option
'server reject md5 schannel:DATACOLOR0719$ = no' might be needed for a
legacy client.
> Mar 30 12:00:05 dc3 samba[708379]: [2023/03/30 12:00:05.691763, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 12:00:05 dc3 samba[708379]: CVE-2022-38023:
> client_account[PASSA_PZ2$] computer_name[PASSA_PZ2] schannel_type[2]
> client_negotiate_flags[0x600fffff] real_account[PASSA_PZ2$]
> NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1] Mar 30
> 12:00:05 dc3 samba[708379]: [2023/03/30 12:00:05.691850, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 12:00:05 dc3 samba[708379]: CVE-2022-38023: Check if option
'server reject md5 schannel:PASSA_PZ2$ = no' might be needed for a
legacy client.
>
> What can I do??
> At this moment my clients are not experiencing any particular problem.
> Thanks
A bit weird that, the CVE referred to in the logs was in the security release
4.16.8 and reading this might help:
https://www.samba.org/samba/security/CVE-2022-38023.html
Rowland
Corrado Ravinetto
Information Systems
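
Added example, not part of the original message and not Samba code: a Python script that groups the CVE-2022-38023 downgrade records shown in the logs above by machine account and decodes whether each client's negotiate flags advertise AES. The host names in the sample are constructed; the two flag constants are the MS-NRPC NETLOGON_NEG_* values.

```python
import re

# MS-NRPC NegotiateFlags bits (NETLOGON_NEG_STRONG_KEYS / NETLOGON_NEG_SUPPORTS_AES)
NEG_STRONG_KEYS = 0x00004000
NEG_SUPPORTS_AES = 0x01000000

# One downgrade record, tolerant of the hard line wraps seen in mailed logs.
RECORD = re.compile(
    r"CVE-2022-38023:\s+client_account\[(?P<client>[^\]]+)\]\s+"
    r"computer_name\[(?P<computer>[^\]]+)\]\s+schannel_type\[(?P<stype>\d+)\]\s+"
    r"client_negotiate_flags\[(?P<flags>0x[0-9a-fA-F]+)\]\s+"
    r"real_account\[(?P<real>[^\]]+)\]\s+(?P<status>NT_STATUS_\w+)\s+"
    r"reject_des\[(?P<des>\d)\]\s+reject_md5\[(?P<md5>\d)\]"
)

# Constructed sample: same record format as the thread, invented host names.
SAMPLE = """\
> Mar 30 11:58:00 dc3 samba[1001]: CVE-2022-38023:
> client_account[LEGACYPC01$] computer_name[LEGACYPC01]
> schannel_type[2] client_negotiate_flags[0x600fffff]
> real_account[legacypc01$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0]
> reject_md5[1] Mar 30 11:58:00 dc3 samba[1001]: [2023/03/30
Mar 30 11:59:10 dc3 samba[1001]: CVE-2022-38023: client_account[LEGACYPC01$] computer_name[LEGACYPC01] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[legacypc01$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
Mar 30 12:00:05 dc3 samba[1002]: CVE-2022-38023: client_account[SCANNER_7$] computer_name[SCANNER_7] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[SCANNER_7$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
Mar 30 12:00:06 dc3 samba[1002]: CVE-2022-38023: Check if option 'server reject md5 schannel:SCANNER_7$ = no' might be needed for a legacy client.
"""

def unwrap(text):
    """Strip mail quote markers and join wrapped lines into one string."""
    return " ".join(re.sub(r"^[>\s]+", "", line) for line in text.splitlines())

def inventory(text):
    """Group downgrade records by real_account (case-insensitive)."""
    hosts = {}
    for m in RECORD.finditer(unwrap(text)):
        flags = int(m["flags"], 16)
        h = hosts.setdefault(m["real"].lower(), {
            "computer": m["computer"], "events": 0, "statuses": set(),
            "offers_aes": True, "offers_strong_keys": True})
        h["events"] += 1
        h["statuses"].add(m["status"])
        # A client only counts as AES-capable if every record says so.
        h["offers_aes"] &= bool(flags & NEG_SUPPORTS_AES)
        h["offers_strong_keys"] &= bool(flags & NEG_STRONG_KEYS)
    return hosts

if __name__ == "__main__":
    for account, h in sorted(inventory(SAMPLE).items()):
        print(f"{account:<16} events={h['events']} aes={h['offers_aes']} "
              f"strong_keys={h['offers_strong_keys']} {sorted(h['statuses'])}")
```

The resulting list of accounts whose flags lack the AES bit is the set of machines to update or to review individually against the Samba advisory.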