[Samba] smbclient with kerberos

cn at brain-biotech.de cn at brain-biotech.de
Mon Nov 15 14:29:32 UTC 2021

Hello all,
what I can confirm that on domain members the Administrator Account does 
not work any more.
You get an [NT_STATUS_INVALID_TOKEN] if you try and the account is 
mapped to root. If it is not mapped to root you get 

Conenctions to Samba Servers without the latest updates continue to work 
as well as connections to DCs.



Am 13.11.21 um 17:56 schrieb Rowland Penny via samba:
> On Sat, 2021-11-13 at 17:00 +0100, Stefan Kania via samba wrote:
>> 	Error verifying signature: parse error
>> --------------ms040604070808030205090303
>> Content-Type: text/plain; charset=utf-8
>> Content-Language: en-US
>> Content-Transfer-Encoding: quoted-printable
>> Am 13.11.21 um 16:44 schrieb Rowland Penny via samba:
>>> Of course, now I peer very closely at the above, I notice
>>> something,
>>> why is 'EXAMPLE\root' being asked for a password ? root should not
>>> be
>>> in your domain, it should be mapped to the domain Administrator. I
>>> get
>>> this:
>>> =20
>>> smbclient -L rpidc1
>>> Password for [Administrator at SAMDOM.EXAMPLE.COM]:
>>> Anonymous login successful
>> I version 4.14 I could do a "smbclient -L addc01" with any user even
>> local users from passwd and I get:
>> ----------
>> root at addc01:~# smbclient -L addc01
>> Password for [EXAMPLE\root]:
>> Anonymous login successful
>>          Sharename       Type      Comment
>>          ---------       ----      -------
>>          sysvol          Disk
>>          netlogon        Disk
>>          IPC$            IPC       IPC Service
>> SMB1 disabled -- no workgroup available
>> ----------
>> With version 4.15 the default is "client use kerberos =3D desired" is
>> the=
>> default, so smbclient for local users still works.
>> With activating "client use kerberos =3D required" it's not possible
>> anymore. That's great, no local user should be able to use smbclient.
>> I
>> BUT i also expect the same behavior with an AD-user WITHOUT ticket.
>> That's what I don't understand
>> --------------ms040604070808030205090303--
> The CVE seems to have possibly broken most (if not all) the join
> instructions on the internet, including the Samba wiki. If I leave a
> domain:
> adminuser at mintmate:~$ sudo net ads leave -U Administrator
> Enter Administrator's password:
> Deleted account for 'MINTMATE' in realm 'SAMDOM.EXAMPLE.COM'
> But If now try to join again:
> adminuser at mintmate:~$ sudo net ads join -U Administrator
> Enter Administrator's password:
> Failed to join domain: failed to lookup DC info for domain
> 'SAMDOM.EXAMPLE.COM' over rpc: An invalid parameter was passed to a
> service or function.
> I have to use a user that is a member of 'Domain Admins':
> adminuser at mintmate:~$ sudo net ads join -U SAMDOM\\rowland
> Enter SAMDOM\rowland's password:
> Using short domain name -- SAMDOM
> Joined 'MINTMATE' to dns domain 'samdom.example.com'
> Can someone else try this, to confirm it one way or the other.
> Rowland

Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender), 
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen

More information about the samba mailing list