[Samba] R: upgrade from 4.17 to samba 4.18.1
Rowland Penny
rpenny at samba.org
Thu Mar 30 12:37:52 UTC 2023
On 30/03/2023 13:20, Corrado Ravinetto via samba wrote:
> Mmmmm
> Strange i checked my smb.conf before upgrade and no one parameter is present.
> Now i added
> allow nt4 crypto = yes
> reject md5 clients = no
>
> but nothing change in my logs:
>
> Mar 30 14:09:58 dc3 samba[1879231]: [2023/03/30 14:09:58.225659, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:357(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> Mar 30 14:09:58 dc3 samba[1879231]: CVE-2022-38023: Check if option 'server reject md5 schannel:ARRQUADRO_2_16$ = no' might be needed for a legacy client.
> Mar 30 14:09:58 dc3 samba[1879237]: [2023/03/30 14:09:58.795431, 0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1567(dcesrv_netr_LogonSamLogon_base_reply)
> Mar 30 14:09:58 dc3 samba[1879237]: dcesrv_netr_LogonSamLogon_base_reply: netlogon_creds_encrypt_samlogon_validation() failed - NT_STATUS_INVALID_INFO_CLASS
>
>
I could be totally wrong here, but, from my reading of that CVE, I think
you should be adding lines like this to your smb.conf, instead of what
you have added:
server reject md5 schannel:ARRQUADRO_2_16$ = no
Then see if you can upgrade ARRQUADRO_2_16 to use a better cipher.
Rowland
More information about the samba
mailing list