[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing

Andrew Bartlett abartlet at samba.org
Tue Aug 16 22:09:32 UTC 2022

On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
> Hello,
> Recently we added a new DC to an existing samba domain. It was supposed to
> be the start of the process of migrating our centos-7 based AD-DC to Debian.
> Samba was installed from the default repo (samba-ad-dc), it's version
> 4.13.13, centos (previous) was on 4.11.4. So right now we have 2 x
> 4.11.4 and one new 4.13.13
> Everything seems to be working fine with the new DC except for this
> error/warning that occasionally pops up:
> samba[15490]: [2022/08/16 16:07:18.885749,  1] 
> ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
> samba[15490]:   PAC_TYPE_REQUESTER_SID missing

Mixed insecure and secure (unpatched/patched) DCs are not supported
after the Nov 2021 security updates. 

However, we do our best to stay secure provided there was a normal PAC,
we use the SID found there in the main LOGON_INFO.

The warning you see seems to come from the constrained delegation code,
so perhaps your application is using that. 

Microsoft intends to strictly require patched DCs, and has a
registry key that can be set to enforce that now, but keeps putting off
the deadline for strict enforcement. 

The security issues we fixed are serious; I would strongly recommend
getting onto patched versions urgently. 

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
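
Added example (not part of the original message and not Samba project code): a small Python parser for the two-line debug records quoted above, counting `PAC_TYPE_REQUESTER_SID missing` warnings per hour and emitting function so an admin can see how often a DC logs it. The sample log, the `example.c` record and all function names in the script are constructed for illustration; only the warning text and its source location come from the post.

```python
import re
from collections import Counter

# Constructed sample in the journal format quoted in the post. Only the
# warning text and the wdc-samba4.c location are taken from the post.
SAMPLE_LOG = """\
samba[15490]: [2022/08/16 16:07:18.885749,  1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing
samba[15490]: [2022/08/16 16:09:02.100200,  3] ../../source4/kdc/example.c:10(example_fn)
samba[15490]:   unrelated debug message
samba[15490]: [2022/08/16 17:30:44.000001,  1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing
"""

PREFIX = re.compile(r"^\S+\[\d+\]: ?")  # optional syslog "samba[pid]: " prefix
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)"
)
NEEDLE = "PAC_TYPE_REQUESTER_SID missing"


def parse_records(text):
    """Yield one dict per debug header, with its continuation lines joined."""
    current = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = dict(m.groupdict(), message="")
        elif current is not None and line.strip():
            # Indented lines after a header belong to that header's message.
            current["message"] = (current["message"] + " " + line.strip()).strip()
    if current:
        yield current


def requester_sid_warnings(text):
    """Return only the records whose message carries the warning."""
    return [r for r in parse_records(text) if NEEDLE in r["message"]]


def summarize(text):
    """Count warnings per (YYYY/MM/DD HH, emitting function)."""
    return Counter((r["ts"][:13], r["func"]) for r in requester_sid_warnings(text))


if __name__ == "__main__":
    for (hour, func), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{hour}:00  {func}  {n}")
```
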
