Andrew Bartlett
2023-Sep-10 20:05 UTC
[Samba] What are the potential side effects of Multi Versions of Samba AD in the same domain.
On Fri, 2023-09-08 at 10:21 -0700, Holan via samba wrote:
> Hey Samba Userlist!
>
> I've been performing a rollout of upgrades to our 4.7.6 environment
> bringing it up to 4.15.13. The process I use for this is to demote the old
> DC, load a new OS with the later versions and rejoin as a DC. I've managed
> to update 2 of the 3 DCs to 4.15.13, with the 3rd (and previously primary
> FSMO holder which has since been migrated to the newer DC) sitting at 4.7.6
> in a position I can't update for a couple of months or so to decommission
> and move to new hosting.
>
> What are the side effects of running multiple versions for a few months?
> Are the effects generally localized to the DC being used by the clients or
> are there greater replication problems I should be concerned about?
>
> As a general FYI I'm already planning another hop to Debian Backports to
> bring my version up to more supported levels so hoping to update the two
> 4.15.3 to 4.18 before I get to updating the 4.7.6. But if there is a chance
> this is hurting my foundations I'll probably just try to get to the 4.7.6
> ASAP before moving to backports. All samba-tool checks for things like
> kcc, dbcheck and other things are coming back fine.
>
> Thanks for any insight on this anyone can give me!
> --
> defactoman at gmail.com

The biggest concern I would have is that your network is likely highly
insecure if you keep a 4.7.6 DC online. It holds the krbtgt key and can
impersonate anything on the network, and any attack on that DC will allow
modifications that every other DC will honour. We have released a lot of
security patches since Samba 4.7.6 and in particular found bugs that
allowed all users to become domain administrator!

Additionally, your Samba 4.7.6 server, unless it has been getting security
patches, will not interoperate with the 4.15.13 server for some specific
Kerberos tasks around S4U2Proxy (constrained delegation). MS did a massive
6-month or more period of allowing a new PAC buffer to be missing; we
simply called a flag day (due to resources).

Finally, modern Windows 10/11, that is getting security patches, will fail
to operate against the 4.7.6 DC (NETLOGON will fail), and even the 4.15.13
DC.

Going directly on all servers to a supported 4.18 would be my
recommendation. You need to keep up with Samba; getting this far behind is
not a secure way to run a network. I suggest you find a way to provide an
interim solution for your 'hard to update' DC.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
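The question above ("what are the side effects of running multiple versions") and the reply's point that the oldest DC is the weakest link both come down to one operational check: inventory every DC's Samba version, compare each against the minimum you are willing to run, and flag version skew. The following is an added example written for this thread, not code from the Samba project or from either poster. It assumes you have collected the first line of `samba -V` from each DC; the DC names and version strings below are constructed sample data, and the 4.18 minimum is taken from the reply's recommendation.

```python
"""Flag Samba AD domain controllers that lag a minimum version and report skew.

Added example for the samba list thread above; not Samba project code.
The inventory is constructed here. In practice you would gather it by
running `samba -V` on each DC (it prints a line such as
'Version 4.15.13-Debian') and pasting the first line into the mapping.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Minimum acceptable version (assumption: the supported 4.18 branch that the
# reply recommends moving every DC to).
MINIMUM_VERSION: Tuple[int, int, int] = (4, 18, 0)

# Constructed sample inventory: DC names are hypothetical, version strings are
# in the shape `samba -V` prints (numeric triple plus a distro suffix).
SAMPLE_INVENTORY: Dict[str, str] = {
    "dc1.example.internal": "Version 4.15.13-Debian",
    "dc2.example.internal": "Version 4.15.13-Debian",
    "dc3.example.internal": "Version 4.7.6-Ubuntu",
}

_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


class DCStatus(NamedTuple):
    name: str
    version: Tuple[int, int, int]
    outdated: bool


def parse_samba_version(output: str) -> Tuple[int, int, int]:
    """Extract the numeric X.Y.Z triple from a `samba -V` line.

    Distribution suffixes ('-Debian', '-Ubuntu', vendor builds) are ignored.
    Returning a tuple of ints matters: as strings, '4.7.6' would sort AFTER
    '4.15.13', which is exactly the wrong answer for this thread.
    """
    match = _VERSION_RE.search(output)
    if match is None:
        raise ValueError(f"unrecognised samba -V output: {output!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess_domain(inventory: Dict[str, str],
                  minimum: Tuple[int, int, int] = MINIMUM_VERSION) -> List[DCStatus]:
    """Parse every DC's version and flag those below `minimum`."""
    statuses = []
    for name, output in inventory.items():
        version = parse_samba_version(output)
        statuses.append(DCStatus(name, version, version < minimum))
    return statuses


def has_version_skew(statuses: List[DCStatus]) -> bool:
    """True when the DCs are not all on the same Samba version."""
    return len({s.version for s in statuses}) > 1


def weakest_link(statuses: List[DCStatus]) -> DCStatus:
    """The DC with the lowest version.

    Every DC holds the krbtgt key and its writes replicate domain-wide, so the
    domain's effective security level is that of its oldest DC.
    """
    return min(statuses, key=lambda s: s.version)


def report(statuses: List[DCStatus],
           minimum: Tuple[int, int, int] = MINIMUM_VERSION) -> List[str]:
    """Human-readable summary lines, one per DC plus a verdict."""
    lines = []
    for s in sorted(statuses, key=lambda s: s.version):
        tag = "OUTDATED" if s.outdated else "ok"
        lines.append(f"{s.name}: {'.'.join(map(str, s.version))} [{tag}]")
    if has_version_skew(statuses):
        weakest = weakest_link(statuses)
        lines.append(f"version skew detected; domain is only as secure as "
                     f"{weakest.name} ({'.'.join(map(str, weakest.version))})")
    else:
        lines.append("all DCs on the same version")
    lines.append(f"minimum required: {'.'.join(map(str, minimum))}")
    return lines


if __name__ == "__main__":
    for line in report(assess_domain(SAMPLE_INVENTORY)):
        print(line)
```

Run against the constructed inventory, the report lists all three DCs as outdated relative to 4.18 and names dc3 (4.7.6) as the weakest link, which is the situation the reply warns about: upgrading two of three DCs does not raise the domain's security level until the last one is replaced.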
Marco Gaiarin
2023-Sep-12 10:19 UTC
[Samba] What are the potential side effects of Multi Versions of Samba AD in the same domain.
Hi! Andrew Bartlett via samba, on that day, was saying...
> Additionally, your Samba 4.7.6 server, unless it has been getting
> security patches, will not interoperate with the 4.15.13 server for
> some specific Kerberos tasks around S4U2Proxy (constrained
> delegation). MS did a massive 6-month or more period of allowing a new
> PAC buffer to be missing, we simply called a flag day (due to
> resources).
> Finally, modern Windows 10/11, that is getting security patches, will
> fail to operate against the 4.7.6 DC (NETLOGON will fail), and even the
> 4.15.13 DC.

You are speaking of:

https://support.microsoft.com/it-it/topic/kb5020805-come-gestire-le-modifiche-al-protocollo-kerberos-correlate-a-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

so I need to update Samba (on the DC, I suppose) to at least 4.18 before
October 10, or netlogon will fail? Really?!

--
Woman, I want to sing of you; woman, you are light; woman, you are ash;
woman, you are anxiety; woman, you are dance, and at times you are cloud...
(A. Branduardi)