[Samba] smbclient with kerberos

[cn at brain-biotech.de]

Hello all,
what I can confirm that on domain members the Administrator Account does 
not work any more.
You get an [NT_STATUS_INVALID_TOKEN] if you try and the account is 
mapped to root. If it is not mapped to root you get 
[NT_STATUS_NO_SUCH_USER].

Conenctions to Samba Servers without the latest updates continue to work 
as well as connections to DCs.


Regards

Christian


Am 13.11.21 um 17:56 schrieb Rowland Penny via samba:
> On Sat, 2021-11-13 at 17:00 +0100, Stefan Kania via samba wrote:
>> 	Error verifying signature: parse error
>> --------------ms040604070808030205090303
>> Content-Type: text/plain; charset=utf-8
>> Content-Language: en-US
>> Content-Transfer-Encoding: quoted-printable
>>
>>
>>
>> Am 13.11.21 um 16:44 schrieb Rowland Penny via samba:
>>> Of course, now I peer very closely at the above, I notice
>>> something,
>>> why is 'EXAMPLE\root' being asked for a password ? root should not
>>> be
>>> in your domain, it should be mapped to the domain Administrator. I
>>> get
>>> this:
>>> =20
>>> smbclient -L rpidc1
>>> Password for [Administrator at SAMDOM.EXAMPLE.COM]:
>>> Anonymous login successful
>>
>> I version 4.14 I could do a "smbclient -L addc01" with any user even
>> local users from passwd and I get:
>>
>> ----------
>> root at addc01:~# smbclient -L addc01
>> Password for [EXAMPLE\root]:
>> Anonymous login successful
>>
>>          Sharename       Type      Comment
>>          ---------       ----      -------
>>          sysvol          Disk
>>          netlogon        Disk
>>          IPC$            IPC       IPC Service
>> SMB1 disabled -- no workgroup available
>> ----------
>> With version 4.15 the default is "client use kerberos =3D desired" is
>> the=
>>
>> default, so smbclient for local users still works.
>>
>> With activating "client use kerberos =3D required" it's not possible
>> anymore. That's great, no local user should be able to use smbclient.
>> I
>> BUT i also expect the same behavior with an AD-user WITHOUT ticket.
>> That's what I don't understand
>>
>>
>> --------------ms040604070808030205090303--
> 
> The CVE seems to have possibly broken most (if not all) the join
> instructions on the internet, including the Samba wiki. If I leave a
> domain:
> 
> adminuser at mintmate:~$ sudo net ads leave -U Administrator
> Enter Administrator's password:
> Deleted account for 'MINTMATE' in realm 'SAMDOM.EXAMPLE.COM'
> 
> But If now try to join again:
> 
> adminuser at mintmate:~$ sudo net ads join -U Administrator
> Enter Administrator's password:
> Failed to join domain: failed to lookup DC info for domain
> 'SAMDOM.EXAMPLE.COM' over rpc: An invalid parameter was passed to a
> service or function.
> 
> I have to use a user that is a member of 'Domain Admins':
> 
> adminuser at mintmate:~$ sudo net ads join -U SAMDOM\\rowland
> Enter SAMDOM\rowland's password:
> Using short domain name -- SAMDOM
> Joined 'MINTMATE' to dns domain 'samdom.example.com'
> 
> Can someone else try this, to confirm it one way or the other.
> 
> Rowland
> 
> 
> 

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender), 
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen