On 02/05/2023 10:36, Anantha Raghava via samba wrote:
> Hi,
>
> We recently upgraded to Samba Version 4.18.1 from 4.15.6.
>
> While adding new users to Vcenter console, new user addition is getting
> refused. While assessing the problem we see a peculiar error in the log.
> This was working properly earlier with 4.15.6
>
> The error log shows as follows:
>
> {"timestamp": "2023-05-02T11:13:08.478955+0530", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status":
> "NT_STATUS_DOWNGRADE_DETECTED", "localAddress":
> "ipv4:172.16.202.175:445", "remoteAddress": "ipv4:172.16.223.16:35096",
> "serviceDescription": "NETLOGON", "authDescription":
> "ServerAuthenticate", "clientDomain": "KTKBANKLTD", "clientAccount":
> "KBLVCENT-TUZ6BW$", "workstation": null, "becameAccount":
> "KBLVCENT-TUZ6BW$", "becameDomain": "KTKBANKLTD", "becameSid": null,
> "mappedAccount": "KBLVCENT-TUZ6BW$", "mappedDomain": null,
> "netlogonComputer": "KBLVCENT-TUZ6BW", "netlogonTrustAccount":
> "KBLVCENT-TUZ6BW$", "netlogonNegotiateFlags": "0x6007FFFF",
> "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": null,
> "passwordType": "HMAC-MD5"}}

HMAC-MD5 ????

> Samba is installed on RHEL 8
>
> our smb.conf shown below.
>
> *smb.conf*
>
> # Global parameters
> [global]
>         netbios name = PDC
>         realm = KTKBANKLTD.COM

Hmm, with a realm like 'KTKBANKLTD.COM' it is a fair assumption that you are a bank, but seemingly not one that cares about security

>         server role = active directory domain controller
>         workgroup = KTKBANKLTD
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = No

Why not require strong auth ?

>         dns forwarder = x.x.x.x
>         allow dns updates = nonsecure

Again, why do you not require secure dns updates ?

>         tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2

Oh, come on, TLS 1.2 ?

>         log level = 3 auth_audit:0 auth_json_audit:3 dsdb_json_audit:5
>         log file = /var/log/samba/pdc.log
>         max log size = 1000000000
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts
>         read only = No
>
> Request someone to help us fix the issue.
>

Read this, I think you will find it relevant:

https://www.samba.org/samba/security/CVE-2022-37966.html

Rowland

Hello Rowland,

Thanks for quick response.

Yes, we are a bank. Unfortunately, we have no choice but to allow insecure methods and lower version of TLS since there are many applications that still do not support the secure methods. Even if we enable secure methods, applications fail to authenticate and start throwing many errors. AD alone enabling secure methods while the other applications still lag behind creates a havoc.

VCenter integration is one such example, which still uses HMAC-MD5. Switching them to AES is a herculean task and many missiles will also fly ;) .

Is there any quick workaround to get the work going while we get the application vendors to upgrade themselves?

Thanks & Regards,
Anantha Raghava H A

On Tue, 2023-05-02 at 10:52 +0100, Rowland Penny via samba wrote:
> Read this, I think you will find it relevant:
> https://www.samba.org/samba/security/CVE-2022-37966.html

This is actually NETLOGON, so this is the advisory, with the options to set for the Vcenter.

https://www.samba.org/samba/security/CVE-2022-38023.html

> Rowland

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited

Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
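
Added example, not part of the thread or of Samba's code: a triage of auth_json_audit records like the one quoted in the first message, listing the machine accounts whose NETLOGON ServerAuthenticate negotiated without AES, which are the only accounts a per-account exception from the CVE-2022-38023 advisory would need to cover. The sample lines, account names and addresses are constructed, and it is an assumption that each JSON record sits on one line after an optional log prefix.

```python
import json
# NETLOGON NegotiateFlags bits (values from MS-NRPC)
NEG_STRONG_KEYS = 0x00004000   # 128-bit HMAC-MD5 session key rather than DES
NEG_SUPPORTS_AES = 0x01000000  # AES / HMAC-SHA256 secure channel

def _rec(account, status, flags, service="NETLOGON", addr="ipv4:192.0.2.16:35096"):
    """Build one constructed audit line (hypothetical accounts and addresses)."""
    auth = {"status": status, "remoteAddress": addr, "serviceDescription": service,
            "authDescription": "ServerAuthenticate", "clientAccount": account,
            "netlogonNegotiateFlags": flags}
    return "  " + json.dumps({"type": "Authentication", "Authentication": auth})

SAMPLE_LOG = [
    "[2023/05/02 11:13:08.478955,  3] constructed debug header line",
    _rec("APPLIANCE01$", "NT_STATUS_DOWNGRADE_DETECTED", "0x6007FFFF"),
    _rec("APPLIANCE01$", "NT_STATUS_DOWNGRADE_DETECTED", "0x6007FFFF"),
    _rec("WIN11-PC$", "NT_STATUS_OK", "0x612FFFFF", addr="ipv4:192.0.2.40:49712"),
    _rec("OLDNT4$", "NT_STATUS_DOWNGRADE_DETECTED", "0x000001FF", addr="ipv4:192.0.2.9:1029"),
    _rec("alice", "NT_STATUS_OK", None, service="SMB2"),
]

def netlogon_events(lines):
    """Yield NETLOGON ServerAuthenticate audit records, skipping non-JSON lines."""
    for line in lines:
        try:
            rec = json.loads(line[line.index("{"):])
        except ValueError:  # no JSON on this line, or a truncated record
            continue
        ev = rec.get("Authentication") or {}
        if (rec.get("type") == "Authentication"
                and ev.get("serviceDescription") == "NETLOGON"
                and ev.get("authDescription") == "ServerAuthenticate"):
            yield ev

def non_aes_clients(lines):
    """Map each machine account that negotiated without AES to a summary."""
    out = {}
    for ev in netlogon_events(lines):
        flags = int(ev.get("netlogonNegotiateFlags") or "0", 16)
        if flags & NEG_SUPPORTS_AES:
            continue  # modern client, nothing to review
        s = out.setdefault(ev["clientAccount"], {"rejected": 0, "sources": set()})
        s["crypto"] = "HMAC-MD5" if flags & NEG_STRONG_KEYS else "DES"
        s["rejected"] += ev.get("status") == "NT_STATUS_DOWNGRADE_DETECTED"
        s["sources"].add(ev.get("remoteAddress", "").rsplit(":", 1)[0])
    return out

if __name__ == "__main__":
    print({a: (s["crypto"], s["rejected"]) for a, s in non_aes_clients(SAMPLE_LOG).items()})
```

The flags value in the thread's log line, 0x6007FFFF, has the strong-keys bit set and the AES bit clear, which matches the logged passwordType of HMAC-MD5.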