[Samba] NT_STATUS_INVALID_TOKEN after update to 4.13.14
Rowland Penny
rpenny at samba.org
Fri Nov 12 17:37:02 UTC 2021
On Fri, 2021-11-12 at 17:11 +0000, Rowland Penny via samba wrote:
> On Fri, 2021-11-12 at 15:34 +0100, Benedikt Kaleß via samba wrote:
> > Dear list,
> >
> > we updated a file-server to 4.13.14 and we are not able to access the
> > shares as an Administrator anymore.
> >
> > root@file-server:~# smbstatus -V
> > Version 4.13.13-SerNet-Debian-12.buster
> >
> > user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
> > Enter DOMAIN\Administrator's password:
> > Try "help" to get a list of possible commands.
> > smb: \>
> >
> > Then we updated:
> >
> > root@file-server:~# smbstatus -V
> > Version 4.13.14-SerNet-Debian-13.buster
> >
> > user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
> > Enter DOMAIN\Administrator's password:
> > session setup failed: NT_STATUS_INVALID_TOKEN
> >
> > An "id administrator" works well, a "su - administrator" as well.
> >
> > We are hesitating to update all our ADs to the newest version 4.13.14
> > as we want to avoid losing the administrative access to the Shares. A
> > few RODCs in subnets are updated, the ADs are still on 4.13.13
> >
> > Does somebody observe the same issue? Where could I start searching?
>
> You really shouldn't be using Administrator on a Unix domain member,
> Administrator is a Windows admin user.
>
> However, my DCs are using 4.15.1, one Unix domain member is using
> 4.13.14, another is using 4.14.8
>
> From the 4.14.8 machine to the 4.13.14 machine, I get this:
>
> adminuser@mintmate:~$ smbclient -W SAMDOM -U Administrator //devstation/data
> Enter SAMDOM\Administrator's password:
> Try "help" to get a list of possible commands.
> smb: \>
>
> Or to put it another way, it works
>
> From the 4.13.14 machine to the 4.14.8 machine, I get this:
>
> rowland@devstation:~$ smbclient -W SAMDOM -U Administrator //mintmate//data1
> Enter SAMDOM\Administrator's password:
> session setup failed: NT_STATUS_INVALID_TOKEN
>
> It doesn't work. I think it 'might' have something to do with this:
>
> https://wiki.samba.org/index.php/CVE-2020-25717
>
> Rowland

OOPS :"-)

And then I noticed that I had fat fingered the last command, too many
'\'.

So when I do it correctly:

rowland@devstation:~$ smbclient -W SAMDOM -U Administrator //mintmate/data1
Enter SAMDOM\Administrator's password:
session setup failed: NT_STATUS_INVALID_TOKEN

It still doesn't work, but if I use a normal user:

rowland@devstation:~$ smbclient -W SAMDOM -U rowland //mintmate/data1
Enter SAMDOM\rowland's password:
Try "help" to get a list of possible commands.
smb: \>

It works!

So, I think that the CVE I pointed to, is doing its job, you need to
stop logging into Samba as Administrator. Not sure where this leaves us
with '!root = SAMDOM\Administrator' in a usermap, I am going to have to
do some testing.

Rowland