[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing
Andrew Bartlett
abartlet at samba.org
Tue Aug 16 22:09:32 UTC 2022
On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
> Hello,
>
> Recently we added new DC to existing samba domain. It was supposed to
> be start of the process of migrating our centos-7 based AD-DC to Debian.
> Samba was installed from default repo (samba-ad-dc), it's version
> 4.13.13, centos (previous) was on 4.11.4. So right now we have 2 x
> 4.11.4 and one new 4.13.13
>
> Everything seems to be working fine with the new DC except for this
> error/warning that occasionally pops up:
>
> samba[15490]: [2022/08/16 16:07:18.885749, 1]
> ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
> samba[15490]: PAC_TYPE_REQUESTER_SID missing

Mixed insecure and secure (unpatched/patched) DCs are not supported
after the Nov 2021 security updates.

However, we do our best to stay secure provided there was a normal PAC,
we use the SID found there in the main LOGON_INFO.

The warning you see seems to come from the constrained delegation code,
so perhaps your application is using that.

Microsoft intends to strictly require patched DCs, and has a
registry key that can be set to enforce that now, but keeps putting off
the deadline for strict enforcement.

The security issues we fixed are serious; I would strongly recommend
getting onto patched versions urgently.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
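
Added example, not part of the original message or of Samba's code: a small parser that pairs each Samba log header line with the message line that follows it and tallies the "PAC_TYPE_REQUESTER_SID missing" warning per hour, so an administrator can see how often a DC still logs it while unpatched DCs remain in the domain. The sample log is constructed, and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the syslog-wrapped Samba format quoted in the thread.
# The second record (example.c / example_fn) is a made-up, unrelated entry.
SAMPLE_LOG = """\
samba[15490]: [2022/08/16 16:07:18.885749,  1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing
samba[15490]: [2022/08/16 16:09:02.120331,  3] ../../example.c:10(example_fn)
samba[15490]:   unrelated debug message
samba[15490]: [2022/08/16 17:41:55.004112,  1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]:   PAC_TYPE_REQUESTER_SID missing
"""

# Optional syslog prefix such as "samba[15490]: ".
PREFIX = re.compile(r"^\S+\[\d+\]:\s?")
# Samba header: [date time, level] source-file:line(function)
HEADER = re.compile(
    r"\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<hour>\d{2}):\d{2}:\d{2}\.\d+,\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)"
)
NEEDLE = "PAC_TYPE_REQUESTER_SID missing"


def parse_records(text):
    """Pair each header line with the message line(s) that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        match = HEADER.match(line)
        if match:
            current = {**match.groupdict(), "msg": ""}
            records.append(current)
        elif current is not None and line:
            current["msg"] = (current["msg"] + " " + line).strip()
    return records


def requester_sid_warnings(text):
    """Count the warning per (date, hour, logging function)."""
    hits = Counter()
    for rec in parse_records(text):
        if NEEDLE in rec["msg"]:
            hits[(rec["date"], rec["hour"], rec["func"])] += 1
    return hits


if __name__ == "__main__":
    for (date, hour, func), count in sorted(requester_sid_warnings(SAMPLE_LOG).items()):
        print(f"{date} {hour}:00  {func}  {count}")
```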