Microsoft Enforcement Mode

Andreas Schneider asn at
Sun Jan 30 16:41:55 UTC 2022

On Sunday, 30 January 2022 08:47:50 CET Andrew Bartlett via samba-technical 
> On Sat, 2022-01-29 at 11:41 +0100, Stefan Kania via samba-technical
> wrote:
> > I just read, that Microsoft uses a new Enforcement Mode on all MS DCs to
> > protect the DC against CVE-2021-42287 and CVE-2021-42278. The
> > Enforcement Mode can be deactivated until June, then MS will force it on
> > all DCs.
> > But with this mode active it's no longer possible to join a Linux-Client
> > to a MS-Domain. I could not find out if this will affect Samba or only
> > SSSD. If it affects Samba, will it affect all Samba versions?
> This isn't something that I expected to fail/change based on the
> intensive discussions I had with Microsoft during development, so I
> think this is an unintentional regression.
> David Mulder is chasing this down via the protocols team.
> Samba sets passwords via LDAP typically during the join, so isn't as
> impacted compared with the tools around sssd (adcli), as I understand
> it.

It is relatively new that we set passwords over LDAP. We used DCERPC before. I 
think adcli is also just using LDAP.
