Microsoft Enforcement Mode
Andreas Schneider
asn at samba.org
Sun Jan 30 16:41:55 UTC 2022
On Sunday, 30 January 2022 08:47:50 CET Andrew Bartlett via samba-technical
wrote:
> On Sat, 2022-01-29 at 11:41 +0100, Stefan Kania via samba-technical
>
> wrote:
> > I just read, that Microsoft uses a new Enforcement Mode on all MS DCs to
> > protect the DC against CVE-2021-42287 and CVE-2021-42278. The
> > Enforcement Mode can be deactivated until June, then MS will force it on
> > all DCs.
> > But with this mode active it's no longer possible to join a Linux-Client
> > to a MS-Domain. I could not find out if this will affect Samba or only
> > SSSD. If it affect Samba will it affect all Samba-version?
>
> This isn't something that I expected to fail/change based on the
> intensive discussions I had with Microsoft during development, so I
> think this is an unintentional regression.
>
> David Mulder is chasing this down via the protocols team.
>
> Samba sets passwords via LDAP typically during the join, so isn't as
> impacted compared with the tools around sssd (adcli), as I understand
> it.
It is relatively new that we set passwords over ldap. We used DCERPC before. I
think adcli is also just using LDAP.
More information about the samba-technical
mailing list