[Samba] NT_STATUS_INVALID_TOKEN after update to 4.13.14

[Rowland Penny]

On Fri, 2021-11-12 at 15:34 +0100, Benedikt Kaleß via samba wrote:
> Dear list,
> 
> we updatet a file-server to 4.13.14 and we are not able to access
> the 
> shares as an Administrator anymore.
> 
> root at file-server:~# smbstatus -V
> Version 4.13.13-SerNet-Debian-12.buster
> 
> user at client:~$ smbclient -W DOMAIN -U Administrator //file-
> server/Share
> Enter DOMAIN\Administrator's password:
> Try "help" to get a list of possible commands.
> smb: \>
> 
> Then we updated:
> 
> root at file-server:~# smbstatus -V
> Version 4.13.14-SerNet-Debian-13.buster
> 
> user at client:~$ smbclient -W DOMAIN -U Administrator //file-
> server/Share
> Enter DOMAIN\Administrator's password:
> session setup failed: NT_STATUS_INVALID_TOKEN
> 
> An "id administrator" works well, a "su - administrator" as well.
> 
> We are a hesitating to update all our ADs to the newest version
> 4.13.14 
> as we want to avoid to loose the administrative access to the Shares.
> A 
> few RODCs in subnets are updated, the ADs are still on 4.13.13
> 
> Does somebody observes the same issue? Where could I start searching?

You really shouldn't be using Administrator on a Unix domain member,
Administrator is a Windows admin user.

However, my DC's are using 4.15.1, one Unix domain member is using
4.13.14 , another is using 4.14.8

>From the 4.14.8 machine to the 4.13.14 machine, I get this:

adminuser at mintmate:~$ smbclient -W SAMDOM -U Administrator
//devstation/data
Enter SAMDOM\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \>

Or to put it another way. it works

>From the 4.13.14 machine to the 4.14.8 machine, I get this:

 rowland at devstation:~$ smbclient -W SAMDOM -U Administrator
//mintmate//data1
Enter SAMDOM\Administrator's password: 
session setup failed: NT_STATUS_INVALID_TOKEN

It doesn't work. I think it 'might' have something to do with this:

https://wiki.samba.org/index.php/CVE-2020-25717

Rowland