[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing

Kacper Wirski kacper.wirski at gmail.com
Wed Aug 17 09:24:49 UTC 2022


Hello,

Yes, of course I plan to upgrade all the DCs. I just wanted to be sure 
everything is working after the upgrade, as it wasn't just a Samba 
upgrade, but also a different OS.

As for the issue, I think it was a case of obtaining a ticket from an older 
DC and then trying to reauthenticate with the newer one.

For the time being (i.e. before the rest of the DCs are upgraded) I set 
dns_lookup_kdc = false in krb5.conf and set a specific kdc (the one that was 
upgraded).

The problematic host is now (for the time being) using only the upgraded DC for 
Kerberos authentication, and the errors stopped appearing.

Regards,

Kacper Wirski

On 17.08.2022 at 00:09, Andrew Bartlett wrote:
> On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
>> Hello,
>>
>> Recently we added a new DC to an existing Samba domain. It was supposed to be
>> the start of the process of migrating our centos-7 based AD-DC to Debian.
>> Samba was installed from the default repo (samba-ad-dc), its version is
>> 4.13.13, centos (previous) was on 4.11.4. So right now we have 2 x
>> 4.11.4 and one new 4.13.13
>>
>> Everything seems to be working fine with the new DC except for this
>> error/warning that occasionally pops up:
>>
>> samba[15490]: [2022/08/16 16:07:18.885749,  1]
>> ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
>> samba[15490]:   PAC_TYPE_REQUESTER_SID missing
> Mixed insecure and secure (unpatched/patched) DCs are not supported
> after the Nov 2021 security updates.
>
> However, we do our best to stay secure provided there was a normal PAC,
> we use the SID found there in the main LOGON_INFO.
>
> The warning you see seems to come from the constrained delegation code,
> so perhaps your application is using that.
>
> Microsoft intends to strictly require patched DCs, and has a
> registry key that can be set to enforce that now, but keeps putting off
> the deadline for strict enforcement.
>
> The security issues we fixed are serious, I would strongly recommend
> getting onto patched versions urgently.
>
> Andrew Bartlett
>
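
A check for the workaround described in the reply above (DNS KDC discovery off, one KDC listed explicitly), as an added example that is not part of the original thread. The realm and host names are constructed placeholders, the parser handles only the simple multi-line krb5.conf layout shown, and the default for dns_lookup_kdc is assumed to be true as in MIT krb5.

```python
import re

# Constructed sample: realm and host names are placeholders, not from the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = dc3.example.com
        admin_server = dc3.example.com
    }
"""

FALSE_VALUES = {"false", "no", "n", "off", "0", "nil"}

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms = {}, {}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            continue
        if line == "}":
            realm = None                  # end of a realm block
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults":
            libdefaults[key] = value
        elif section == "realms":
            if value.startswith("{"):
                realm = key
                realms[realm] = []
            elif realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def pinned_kdcs(text, realm):
    """Return the explicit KDC list if DNS discovery is off, else None."""
    libdefaults, realms = parse_krb5_conf(text)
    # Assumption: an unset dns_lookup_kdc means true (MIT krb5 default).
    dns_off = libdefaults.get("dns_lookup_kdc", "true").lower() in FALSE_VALUES
    kdcs = realms.get(realm, [])
    return kdcs if dns_off and kdcs else None
```

A `None` result means the host can still pick its KDC by other means, so tickets may again be obtained from a DC that has not been upgraded.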
