Marco Gaiarin
2023-Sep-12 10:19 UTC
[Samba] What are the potential side effects of Multi Versions of Samba AD in the same domain.
Mandi! Andrew Bartlett via samba In chel di` si favelave...> Additionally, your Samba 4.7.6 server, unless it has been getting > security patches, will not interoperate with the 4.15.13 server for > some specific Kerberos tasks around S4U2Proxy (constrained > delegation). MS did a massive 6-month or more period of allowing a new > PAC buffer to be missing, we simply called a flag day (due to > resources). > Finally, modern Windows 10/11, that is getting security patches, will > fail to operate against the 4.7.6 DC (NETLOGON will fail), and even the > 4.15.13 DC.You are speaking of: https://support.microsoft.com/it-it/topic/kb5020805-come-gestire-le-modifiche-al-protocollo-kerberos-correlate-a-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb so i need to update Samba (on DC, i suppose) to at least 4.18 before october 10, or netlogon will fail? Really?! -- Donna ti voglio cantare, donna sei luce, donna sei cenere donnai sei ansia, donnai sei danza e a volte nuvola sei... (A. Branduardi)
Andrew Bartlett
2023-Sep-12 19:10 UTC
[Samba] What are the potential side effects of Multi Versions of Samba AD in the same domain.
On Tue, 2023-09-12 at 12:19 +0200, Marco Gaiarin via samba wrote:> Mandi! Andrew Bartlett via samba In chel di` si favelave... > > Additionally, your Samba 4.7.6 server, unless it has been > > gettingsecurity patches, will not interoperate with the 4.15.13 > > server forsome specific Kerberos tasks around S4U2Proxy > > (constraineddelegation). MS did a massive 6-month or more period > > of allowing a newPAC buffer to be missing, we simply called a flag > > day (due toresources). Finally, modern Windows 10/11, that is > > getting security patches, willfail to operate against the 4.7.6 DC > > (NETLOGON will fail), and even the4.15.13 DC. > > You are speaking of: > > https://support.microsoft.com/it-it/topic/kb5020805-come-gestire-le-modifiche-al-protocollo-kerberos-correlate-a-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb > > so i need to update Samba (on DC, i suppose) to at least 4.18 before > october10, or netlogon will fail? Really?!I'm talking about https://bugzilla.samba.org/show_bug.cgi?id=15418 id="-x-evo-selection-start-marker"> -- Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead https://catalyst.net.nz/services/sambaCatalyst.Net Ltd Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company Samba Development and Support: https://catalyst.net.nz/services/samba Catalyst IT - Expert Open Source Solutions