From dmulder at samba.org  Fri Jan 14 18:35:56 2022
From: dmulder at samba.org (David Mulder)
Date: Fri, 14 Jan 2022 11:35:56 -0700
Subject: [cifs-protocol] Fwd: machine join not working if
 PacRequestorEnforcement set to 2 (CVE-2021-42287)
In-Reply-To: <972ad8d1-b7ee-85cb-be17-0c13bb48fb7d@samba.org>
References: <972ad8d1-b7ee-85cb-be17-0c13bb48fb7d@samba.org>
Message-ID: <6c8d85c3-5279-6a92-1af7-194cd2ba2122@samba.org>




-------- Forwarded Message --------
Subject: machine join not working if PacRequestorEnforcement set to 2 
(CVE-2021-42287)
Date: Fri, 14 Jan 2022 11:35:21 -0700
From: David Mulder <dmulder at samba.org>
To: dochelp at microsoft.com
CC: Ivanova, Nadezhda <nivanova at samba.org>, Bose, Sumit 
<sbose at redhat.com>, Andrew Bartlett <abartlet at samba.org>

An adcli machine join now fails when PacRequestorEnforcement is set to 2 
(as explained in this support doc: 
https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041). 
Sumit has produced a network trace which can be found here: 
https://bugzilla.redhat.com/show_bug.cgi?id=2039349

What appears to be happening is the Administrator account fails to set 
the machine account password after the account has been created. Can we 
confirm whether this is the correct behavior, and if so, what 
mitigations can we take?

-- 
*David Mulder*
Labs Software Engineer, Samba
SUSE
1221 Valley Grove Way
Pleasant Grove, UT 84062
(P)+1 385.666.5660
dmulder at suse.com
  <http://www.suse.com/>