In the meantime I also did a lot of testing to find out where exactly the issue
starts. This is what I found:
4.13.13 still works. I can join a DC running this version without problem.
4.13.14 shows exactly the same error as I also see on 4.21.
So what exactly was changed between these two versions? According to release
notes there have just been a few security fixes. I don't see how any of
these can be responsible for the changed behavior:
o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
authentication.
https://www.samba.org/samba/security/CVE-2016-2124.html
o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
(PLEASE READ! There are important behaviour changes described)
o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
by an RODC.
https://www.samba.org/samba/security/CVE-2020-25718.html
o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
tickets.
https://www.samba.org/samba/security/CVE-2020-25719.html
o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
(eg objectSid).
https://www.samba.org/samba/security/CVE-2020-25721.html
o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
checking of data stored.
https://www.samba.org/samba/security/CVE-2020-25722.html
o CVE-2021-3738: Use after free in Samba AD DC RPC server.
https://www.samba.org/samba/security/CVE-2021-3738.html
o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
https://www.samba.org/samba/security/CVE-2021-23192.html
On 12/12/24 06:25, Peter Mittermayer via samba wrote:
> In the meantime I also did a lot of testing to find out where exactly the issue starts. This is what I found:
> 4.13.13 still works. I can join a DC running this version without problem.
> 4.13.14 shows exactly the same error as I also see on 4.21.

Good work tracking that down. Do 4.14.9 or 4.15.1 work? If it is something in the security patches themselves, these will work, but 4.14.10 and 4.15.2 won't. Otherwise, the issue is with a patch backported to 4.13 to allow the security patch to apply.

> So what exactly was changed between these two versions? According to release notes there have just been a few security fixes. I don't see how any of these can be responsible for the changed behavior:

There might be more subtlety in these than the headlines imply. Those few security fixes were actually quite complicated, reflecting many months of work. They tightened restrictions on a number of things. For example, this one might cause problems if your domain has objects that don't match the new requirements:

> o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
> checking of data stored.
> https://www.samba.org/samba/security/CVE-2020-25722.html

and this one's PLEASE READ might be worth a go

> o CVE-2020-25717: A user on the domain can become root on domain members.
> https://www.samba.org/samba/security/CVE-2020-25717.html
> (PLEASE READ! There are important behaviour changes described)

... BUT first if you try 4.14.9, you might be able to avoid that, because it might indeed be something unrelated that was pulled in to help the backport.

I haven't been following this thread properly, so apologies if I missed something.

Douglas
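The bisection Douglas proposes can be written down so that the join results collected on each maintenance branch are turned into one of the two hypotheses mechanically. The script below is an added example, not code from this thread or from the Samba project. It assumes only what the thread states: the same security fixes shipped as 4.13.14, 4.14.10 and 4.15.2, so if every branch first breaks at its security release the shared security patches are the cause, while a newer branch that already breaks before its security release points at code backported to 4.13 as a prerequisite. The sample results in `observed` are constructed; only the two 4.13 rows are from the thread.

```python
"""Triage a Samba domain-join regression across maintenance branches.

Added example; not from the samba mailing-list thread or the Samba project.
"""

# Release that carried the November 2021 security fixes on each branch
# (versions quoted in the thread; assumption: the mapping is complete for
# the branches being bisected).
SECURITY_RELEASE = {"4.13": "4.13.14", "4.14": "4.14.10", "4.15": "4.15.2"}


def parse_version(version):
    """'4.13.14' -> (4, 13, 14) so versions sort numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def branch_of(version):
    """'4.13.14' -> '4.13'."""
    return ".".join(version.split(".")[:2])


def first_failure_per_branch(results):
    """results maps version -> True if the join worked, False if it failed.

    Returns {branch: (last_passing_version, first_failing_version)}; an
    element is None when no such version was tested on that branch.
    """
    summary = {}
    for version in sorted(results, key=parse_version):
        branch = branch_of(version)
        last_pass, first_fail = summary.get(branch, (None, None))
        if first_fail is not None:
            continue  # only the first failure on a branch matters
        if results[version]:
            last_pass = version
        else:
            first_fail = version
        summary[branch] = (last_pass, first_fail)
    return summary


def classify_branch(branch, last_pass, first_fail):
    """Relate a branch's first failing release to its security release."""
    security = SECURITY_RELEASE.get(branch)
    if security is None:
        return "no security release on this branch"
    if first_fail is None:
        return "no failure seen"
    if parse_version(first_fail) < parse_version(security):
        # Broken before the fixes landed: the culprit predates them.
        return "fails before security release"
    if last_pass is None:
        return "earlier releases untested"  # cannot place the regression
    if first_fail == security:
        return "fails at security release"
    return "fails after security release"


def triage(results):
    """Return (hypothesis, per-branch classification) for a set of join results."""
    per_branch = {
        branch: classify_branch(branch, last_pass, first_fail)
        for branch, (last_pass, first_fail) in first_failure_per_branch(results).items()
    }
    newer = [per_branch[b] for b in ("4.14", "4.15") if b in per_branch]
    if per_branch.get("4.13") != "fails at security release":
        hypothesis = "premise not reproduced: 4.13 must first fail at 4.13.14"
    elif any(state == "fails before security release" for state in newer):
        hypothesis = "prerequisite backported to 4.13"
    elif newer and all(state == "fails at security release" for state in newer):
        hypothesis = "security patches themselves"
    else:
        hypothesis = "inconclusive: test 4.14.9/4.14.10 or 4.15.1/4.15.2"
    return hypothesis, per_branch


if __name__ == "__main__":
    # Constructed sample results; only the 4.13 rows come from the thread.
    observed = {"4.13.13": True, "4.13.14": False,
                "4.14.9": True, "4.14.10": False,
                "4.15.1": True, "4.15.2": False}
    hypothesis, detail = triage(observed)
    print(hypothesis)
    for branch, state in sorted(detail.items()):
        print(f"  {branch}: {state}")
```

Each join attempt against a DC running the version under test is recorded as one entry in the results dictionary; `triage` then reports which hypothesis the evidence supports, or says which releases still need to be tried when the data cannot distinguish the two.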