[Samba] smbclient with kerberos

Rowland Penny rpenny at samba.org
Sat Nov 13 16:56:38 UTC 2021 

On Sat, 2021-11-13 at 17:00 +0100, Stefan Kania via samba wrote:
> 	Error verifying signature: parse error
> --------------ms040604070808030205090303
> Content-Type: text/plain; charset=utf-8
> Content-Language: en-US
> Content-Transfer-Encoding: quoted-printable
> 
> 
> 
> Am 13.11.21 um 16:44 schrieb Rowland Penny via samba:
> > Of course, now I peer very closely at the above, I notice
> > something,
> > why is 'EXAMPLE\root' being asked for a password ? root should not
> > be
> > in your domain, it should be mapped to the domain Administrator. I
> > get
> > this:
> > =20
> > smbclient -L rpidc1
> > Password for [Administrator at SAMDOM.EXAMPLE.COM]:
> > Anonymous login successful
> 
> I version 4.14 I could do a "smbclient -L addc01" with any user even
> local users from passwd and I get:
> 
> ----------
> root at addc01:~# smbclient -L addc01
> Password for [EXAMPLE\root]:
> Anonymous login successful
> 
>         Sharename       Type      Comment
>         ---------       ----      -------
>         sysvol          Disk
>         netlogon        Disk
>         IPC$            IPC       IPC Service
> SMB1 disabled -- no workgroup available
> ----------
> With version 4.15 the default is "client use kerberos =3D desired" is
> the=
> 
> default, so smbclient for local users still works.
> 
> With activating "client use kerberos =3D required" it's not possible
> anymore. That's great, no local user should be able to use smbclient.
> I
> BUT i also expect the same behavior with an AD-user WITHOUT ticket.
> That's what I don't understand
> 
> 
> --------------ms040604070808030205090303--

The CVE seems to have possibly broken most (if not all) the join
instructions on the internet, including the Samba wiki. If I leave a
domain:

adminuser at mintmate:~$ sudo net ads leave -U Administrator
Enter Administrator's password:
Deleted account for 'MINTMATE' in realm 'SAMDOM.EXAMPLE.COM'

But If now try to join again:

adminuser at mintmate:~$ sudo net ads join -U Administrator
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain
'SAMDOM.EXAMPLE.COM' over rpc: An invalid parameter was passed to a
service or function.

I have to use a user that is a member of 'Domain Admins':

adminuser at mintmate:~$ sudo net ads join -U SAMDOM\\rowland
Enter SAMDOM\rowland's password:
Using short domain name -- SAMDOM
Joined 'MINTMATE' to dns domain 'samdom.example.com'

Can someone else try this, to confirm it one way or the other.

Rowland

More information about the samba mailing list