[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing

Kacper Wirski kacper.wirski at gmail.com
Tue Aug 16 19:31:35 UTC 2022


Thank You,

So, I suppose the issue is that a client can still obtain a ticket from 
one of the older DCs without the PAC buffer and, when presenting it to the new 
DC, the error appears? If that's so, then simply upgrading all DCs to min. 
4.13.14 or higher should "fix" it, right?

Regards,

Kacper Wirski

On 16.08.2022 at 20:09, Rowland Penny via samba wrote:
> On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
>> Hello,
>>
>> Recently we added a new DC to an existing samba domain. It was supposed to
>> be the start of the process of migrating our centos-7 based AD-DC to
>> Debian.
>> Samba was installed from the default repo (samba-ad-dc), it's version
>> 4.13.13; centos (previous) was on 4.11.4. So right now we have 2 x
>> 4.11.4 and one new 4.13.13.
>>
>> Everything seems to be working fine with the new DC except for this
>> error/warning that occasionally pops up:
>>
>> samba[15490]: [2022/08/16 16:07:18.885749,  1]
>> ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
>> samba[15490]:   PAC_TYPE_REQUESTER_SID missing
>>
>> It mostly corresponds to a java 1.8 application that is using
>> kerberos (keytab) to re-authenticate to a database. It's not that java
>> is unable to authenticate, just every few or so minutes (let's say
>> 20-ish) I see this error, but not every time. We've had the setup
>> running for the last 4 years and it's the first time I see this issue.
>>
>> I would be glad for some pointers, I'm not sure what exactly this
>> error/warning means and what's causing it. Obviously it's related to
>> kerberos. On my other 2 DCs I've never seen this and googling doesn't
>> help me much either.
>>
>> I read that in 4.13.14 there was a security change that seems related,
>> but I don't "get" why it mostly works and only sometimes I see this
>> warning/error.
> That error will be coming from your new DC (it is the only one that
> will have that piece of code), but whatever is causing it will not be
> using the new DC exclusively, it will use any of the DCs in a round
> robin fashion.
>
> I suggest you read this:
> https://www.samba.org/samba/security/CVE-2020-25719.html
>
> Rowland
>
>
>
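The thread's reasoning (the warning is logged by the one DC that carries the PAC_TYPE_REQUESTER_SID check, while clients pick DCs round-robin, so only some requests hit it) suggests two triage steps: pull the warning events out of the samba log to see how often they occur, and inventory the Samba version on every DC. The script below is an added example written for this page; it is not code from the Samba project or from either poster. It assumes the journald-style log format of the lines pasted above, assumes `samba -V` prints a line of the form "Version 4.13.13", uses 4.13.14 as the threshold because the thread names that release as carrying the related security change (CVE-2020-25719), and uses constructed DC names and log lines. One caveat the thread itself illustrates: distribution packages backport security fixes without bumping the upstream version, and the new DC here reports 4.13.13 yet already emits the check, so the version comparison is a heuristic and the log evidence (which DC actually logs the warning) overrides it.

```python
"""Triage helper for Samba's "PAC_TYPE_REQUESTER_SID missing" warning.

Added example for this mailing-list page, not Samba project code.
Assumptions (not from the thread): journald-style log lines as pasted above,
`samba -V` output of the form "Version 4.13.13", constructed DC names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Release the thread names as carrying the related security change (CVE-2020-25719).
# Distro packages may backport it into an older version string, so treat as a heuristic.
MIN_VERSION = (4, 13, 14)

# Matches the entry header pasted in the thread:
#   samba[15490]: [2022/08/16 16:07:18.885749,  1]
HEADER_RE = re.compile(
    r"samba\[(?P<pid>\d+)\]:\s+\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*(?P<level>\d+)\]"
)
WARNING_TEXT = "PAC_TYPE_REQUESTER_SID missing"

# Constructed sample log: two real-format warning entries from the thread plus one
# unrelated placeholder entry (file/function/message are made up for the example).
SAMPLE_LOG = """\
samba[15490]: [2022/08/16 16:07:18.885749,  1]
samba[15490]:   ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing
samba[15490]: [2022/08/16 16:19:05.000000,  3]
samba[15490]:   ../../source4/example/placeholder.c:1(placeholder_function)
samba[15490]:   constructed unrelated message for the example
samba[15490]: [2022/08/16 16:31:44.002517,  1]
samba[15490]:   ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing
"""

# Constructed inventory: output of `samba -V` collected from each DC (names are assumptions).
SAMPLE_VERSIONS = {
    "dc1": "Version 4.11.4",
    "dc2": "Version 4.11.4",
    "dc3": "Version 4.13.13",
}


@dataclass
class PacWarning:
    pid: int
    when: datetime
    level: int
    func: str


def parse_pac_warnings(log: str) -> list[PacWarning]:
    """Return one PacWarning per PAC_TYPE_REQUESTER_SID entry in a samba log.

    Samba spreads one entry over a header line, a source-location line and the
    message line, so after matching a header we look at the next two lines.
    """
    events: list[PacWarning] = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.search(line)
        if not m:
            continue
        window = " ".join(lines[i + 1:i + 3])
        if WARNING_TEXT not in window:
            continue
        func_m = re.search(r"\((?P<func>\w+)\)", window)
        events.append(PacWarning(
            pid=int(m["pid"]),
            when=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            level=int(m["level"]),
            func=func_m["func"] if func_m else "?",
        ))
    return events


def gaps_seconds(events: list[PacWarning]) -> list[float]:
    """Seconds between consecutive warnings; shows the 'every 20-ish minutes' pattern."""
    return [(b.when - a.when).total_seconds() for a, b in zip(events, events[1:])]


def parse_samba_version(samba_v_output: str) -> tuple[int, ...]:
    """Parse 'Version 4.13.13' (as printed by `samba -V`) into a comparable tuple."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", samba_v_output)
    if not m:
        raise ValueError(f"no Samba version in: {samba_v_output!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def dcs_needing_upgrade(versions: dict[str, str], emitting_dcs: set[str] = frozenset()) -> list[str]:
    """DCs whose version is below MIN_VERSION and that are not already known
    (from their own logs) to carry the requester-SID check."""
    return sorted(
        dc for dc, out in versions.items()
        if parse_samba_version(out) < MIN_VERSION and dc not in emitting_dcs
    )


if __name__ == "__main__":
    evs = parse_pac_warnings(SAMPLE_LOG)
    print(f"{len(evs)} warning(s); gaps in seconds: {gaps_seconds(evs)}")
    print("DCs to upgrade (heuristic):", dcs_needing_upgrade(SAMPLE_VERSIONS, emitting_dcs={"dc3"}))
```

Feed `journalctl -u samba -o cat` output (or the samba log file) from the new DC into `parse_pac_warnings`, and the `samba -V` output from each DC into `dcs_needing_upgrade`, passing the names of DCs that log the warning as `emitting_dcs`; the remaining DCs are the ones that can still hand out tickets without the buffer.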

