Hi Douglas,
Thanks for this suggestion. I'll try that.
Additionally, after reading the note on samba.tranquil.it about
'dependencies to sssd' (whatever it means) I will try to use a
completely fresh installation of RHEL9. For my testlab I have just used a clone
of some VM which was previously joined to domain and was using sssd.
I will report back with my findings in a while.
Thanks
Peter
________________________________________
From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Sent: Thursday, December 12, 2024 6:20 AM
To: samba at lists.samba.org; Peter Mittermayer
Subject: Re: [Samba] Error when joining new DC
On 12/12/24 06:25, Peter Mittermayer via samba wrote:
> In the meantime I also did a lot of testing to find out where exactly the
> issue starts. This is what I found:
> 4.13.13 still works. I can join a DC running this version without problem.
> 4.13.14 shows exactly the same error as I also see on 4.21.
Good work tracking that down.
Do 4.14.9 or 4.15.1 work?
If it is something in the security patches themselves, these will work,
but 4.14.10 and 4.15.2 won't.
Otherwise, the issue is with a patch backported to 4.13 to allow the
security patch to apply.
> So what exactly was changed between these two versions? According to
> release notes there have just been a few security fixes. I don't see how any
> of these can be responsible for the changed behavior:
There might be more subtlety in these than the headlines imply. Those
few security fixes were actually quite complicated, reflecting many
months of work. They tightened restrictions on a number of things.
For example, this one might cause problems if your domain has objects
that don't match the new requirements:
> o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
> checking of data stored.
> https://www.samba.org/samba/security/CVE-2020-25722.html
and this one's PLEASE READ might be worth a go
> o CVE-2020-25717: A user on the domain can become root on domain members.
> https://www.samba.org/samba/security/CVE-2020-25717.html
> (PLEASE READ! There are important behaviour changes
> described)
... BUT first if you try 4.14.9, you might be able to avoid that,
because it might indeed be something unrelated that was pulled in to
help the backport.
I haven't been following this thread properly, so apologies if I missed
something.
Douglas