Hi Douglas,
Does doing an online backup run the same checks as during a join? I noted the
same behavior. I already went up to debug level 9 without seeing any additional
information, but I will try 10 too.
Is this only about sam.ldb, or about any of the other DB files as well?
Thanks
________________________________
From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Sent: Thursday, December 12, 2024 11:05:45 PM
To: Peter Mittermayer <samba.lists at outlook.com>; samba at
lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Error when joining new DC
On 13/12/24 02:11, Peter Mittermayer via samba wrote:
> So, without doing a fresh install on the system the join succeeded with
> 4.14.9.
> What does it mean?
It means the change that broke it is in the security patches themselves, not in
some change that 4.13 needed to make it ready for the security patches.
So,
> This leads to the conclusion that there is something in my current domain
> databases which does not meet the new security constraints introduced with
> 4.14.10 (or 4.13.14, or 4.15.2).
>
> Questions how do I find the culprit, and how to fix it?
Yes.
There were changes in what names are acceptable, whether they can alias
each other in subtle ways, and what was acceptable in SPNs and UPNs.
https://www.samba.org/samba/security/CVE-2020-25722.html is possibly
relevant.
For example, maybe you have a user with sAMAccountName "Peter", and a
*different* user with userPrincipalName "peter at example.com". Old Samba
was OK with this, new Samba is not.
If you are able to turn up the debug level on the join with a `-d 10`
argument, you might get to see exactly where it fails.
Douglas
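An added check for the clash Douglas describes (my example code, not from the thread or from Samba): it parses a constructed LDIF-style dump of user entries, as ldbsearch or ldapsearch would print them, and reports every userPrincipalName whose local part equals a *different* entry's sAMAccountName, compared case-insensitively. All DNs and attribute values in the sample are made up.

```python
# Added example, not code from the thread or from Samba: find accounts whose
# userPrincipalName prefix aliases another account's sAMAccountName.
# Names are compared case-insensitively, as AD treats them.
from collections import defaultdict

def parse_ldif(text):
    """Parse a minimal LDIF dump (attr: value lines, blank line between
    entries) into a list of {attr: value} dicts. Base64 ('::') values and
    multi-valued attributes are not handled; enough for a users dump."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur[attr] = value.strip()
    if cur:
        entries.append(cur)
    return entries

def find_upn_sam_conflicts(entries):
    """Return (upn_dn, sam_dn) pairs where the local part of one entry's
    userPrincipalName equals a different entry's sAMAccountName. A UPN that
    matches its own sAMAccountName is the normal case and is ignored."""
    by_sam = defaultdict(list)
    for e in entries:
        if "sAMAccountName" in e:
            by_sam[e["sAMAccountName"].lower()].append(e["dn"])
    conflicts = []
    for e in entries:
        upn = e.get("userPrincipalName")
        if not upn:
            continue
        local = upn.split("@", 1)[0].lower()
        conflicts += [(e["dn"], dn) for dn in by_sam.get(local, []) if dn != e["dn"]]
    return conflicts

# Constructed sample dump: the second user's UPN aliases the first user's name.
SAMPLE = """dn: CN=Peter,CN=Users,DC=example,DC=com
sAMAccountName: Peter
userPrincipalName: peter.m@example.com

dn: CN=Pete Other,CN=Users,DC=example,DC=com
sAMAccountName: pother
userPrincipalName: peter@example.com

dn: CN=Alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userPrincipalName: alice@example.com
"""

if __name__ == "__main__":
    for upn_dn, sam_dn in find_upn_sam_conflicts(parse_ldif(SAMPLE)):
        print(f"UPN on {upn_dn} aliases sAMAccountName of {sam_dn}")
```

Run it over a real dump of the domain's user objects (sAMAccountName and userPrincipalName only) to get a shortlist of entries to inspect before retrying the join.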