Microsoft Enforcement Mode

Andrew Bartlett abartlet at samba.org
Sun Jan 30 20:55:42 UTC 2022


On Sun, 2022-01-30 at 17:41 +0100, Andreas Schneider wrote:
> On Sunday, 30 January 2022 08:47:50 CET Andrew Bartlett via samba-technical wrote:
> > On Sat, 2022-01-29 at 11:41 +0100, Stefan Kania via samba-technical wrote:
> > > I just read that Microsoft uses a new Enforcement Mode on all MS DCs to
> > > protect the DC against CVE-2021-42287 and CVE-2021-42278. The
> > > Enforcement Mode can be deactivated until June, then MS will force it on
> > > all DCs.
> > > But with this mode active it's no longer possible to join a Linux client
> > > to an MS domain. I could not find out if this will affect Samba or only
> > > SSSD. If it affects Samba, will it affect all Samba versions?
> > 
> > This isn't something that I expected to fail/change based on the
> > intensive discussions I had with Microsoft during development, so I
> > think this is an unintentional regression.
> > 
> > David Mulder is chasing this down via the protocols team.
> > 
> > Samba sets passwords via LDAP typically during the join, so isn't as
> > impacted compared with the tools around sssd (adcli), as I understand
> > it.
> 
> It is relatively new that we set passwords over LDAP. We used DCERPC before. I
> think adcli is also just using LDAP.

The traces I saw were showing an issue with KPASSWD.  David has the
details.

Andrew,

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba



