Microsoft Enforcement Mode

Andrew Bartlett abartlet at
Sun Jan 30 07:47:50 UTC 2022

On Sat, 2022-01-29 at 11:41 +0100, Stefan Kania via samba-technical
> I just read, that Microsoft uses a new Enforcement Mode on all MS DCs to
> protect the DC against CVE-2021-42287 and CVE-2021-42278. The
> Enforcement Mode can be deactivated until June, then MS will force it on
> all DCs.
> But with this mode active it's no longer possible to join a Linux-Client
> to a MS-Domain. I could not find out if this will affect Samba or only
> SSSD. If it affect Samba will it affect all Samba-version?

This isn't something that I expected to fail/change based on the
intensive discussions I had with Microsoft during development, so I
think this is an unintentional regression. 

David Mulder is chasing this down via the protocols team.

Samba sets passwords via LDAP typically during the join, so isn't as
impacted compared with the tools around sssd (adcli), as I understand

Andrew Bartlett

Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Developer, Catalyst IT

More information about the samba-technical mailing list