[Samba] NT_STATUS_INVALID_TOKEN after update to 4.13.14

Rowland Penny rpenny at samba.org
Fri Nov 12 17:37:02 UTC 2021


On Fri, 2021-11-12 at 17:11 +0000, Rowland Penny via samba wrote:
> On Fri, 2021-11-12 at 15:34 +0100, Benedikt Kaleß via samba wrote:
> > Dear list,
> > 
> > we updated a file-server to 4.13.14 and we are not able to access the
> > shares as an Administrator anymore.
> > 
> > root@file-server:~# smbstatus -V
> > Version 4.13.13-SerNet-Debian-12.buster
> > 
> > user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
> > Enter DOMAIN\Administrator's password:
> > Try "help" to get a list of possible commands.
> > smb: \>
> > 
> > Then we updated:
> > 
> > root@file-server:~# smbstatus -V
> > Version 4.13.14-SerNet-Debian-13.buster
> > 
> > user@client:~$ smbclient -W DOMAIN -U Administrator //file-server/Share
> > Enter DOMAIN\Administrator's password:
> > session setup failed: NT_STATUS_INVALID_TOKEN
> > 
> > An "id administrator" works well, a "su - administrator" as well.
> > 
> > We are hesitating to update all our ADs to the newest version 4.13.14
> > as we want to avoid losing the administrative access to the Shares. A
> > few RODCs in subnets are updated, the ADs are still on 4.13.13.
> > 
> > Does somebody observe the same issue? Where could I start searching?
> 
> You really shouldn't be using Administrator on a Unix domain member,
> Administrator is a Windows admin user.
> 
> However, my DCs are using 4.15.1, one Unix domain member is using
> 4.13.14, another is using 4.14.8
> 
> From the 4.14.8 machine to the 4.13.14 machine, I get this:
> 
> adminuser@mintmate:~$ smbclient -W SAMDOM -U Administrator //devstation/data
> Enter SAMDOM\Administrator's password: 
> Try "help" to get a list of possible commands.
> smb: \>
> 
> Or to put it another way, it works.
> 
> From the 4.13.14 machine to the 4.14.8 machine, I get this:
> 
> rowland@devstation:~$ smbclient -W SAMDOM -U Administrator //mintmate//data1
> Enter SAMDOM\Administrator's password: 
> session setup failed: NT_STATUS_INVALID_TOKEN
> 
> It doesn't work. I think it 'might' have something to do with this:
> 
> https://wiki.samba.org/index.php/CVE-2020-25717
> 
> Rowland

OOPS :"-)

And then I noticed that I had fat fingered the last command, too many
'\'.

So when I do it correctly:

rowland@devstation:~$ smbclient -W SAMDOM -U Administrator //mintmate/data1
Enter SAMDOM\Administrator's password: 
session setup failed: NT_STATUS_INVALID_TOKEN

It still doesn't work, but if I use a normal user:

rowland@devstation:~$ smbclient -W SAMDOM -U rowland //mintmate/data1
Enter SAMDOM\rowland's password: 
Try "help" to get a list of possible commands.
smb: \> 

It works!

So, I think that the CVE I pointed to is doing its job; you need to
stop logging into Samba as Administrator. Not sure where this leaves us
with '!root = SAMDOM\Administrator' in a usermap; I am going to have to
do some testing.

Rowland




