[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing

Kacper Wirski kacper.wirski at gmail.com
Wed Aug 17 09:24:49 UTC 2022


Yes, I of course plan to upgrade all the DC's, I just wanted to be sure 
everything is working after the upgrade, as it wasn't just samba 
upgrade, but also different OS.

As for the issue I think it was the case of obtaining ticket from older 
DC then trying to reauthenticate with the newer.

For the time being (i.e. before rest of DC's are upgraded) i set in 
krb5.conf dns_lookup_kdc = false and set specific kdc (the one that was 

Problematic host is using now (for the time being) only upgraded DC for 
kerberos authentication and errors stopped to appear.


Kacper Wirski

W dniu 17.08.2022 o 00:09, Andrew Bartlett pisze:
> On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
>> Hello,
>> Recently we added new DC to existing samba domain. It was supposed to
>> be
>> start of the process of migrating our centos-7 based AD-DC to
>> Debian.
>> Samba was installed from default repo (samba-ad-dc), it's version
>> 4.13.13, centos (previous) was on 4.11.4. So right now we have 2 x
>> 4.11.4 and one new 4.13.13
>> Everything seems to working fine with the new DC except for this
>> error/warning that occasionally pops up:
>> samba[15490]: [2022/08/16 16:07:18.885749,  1]
>> ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
>> samba[15490]:   PAC_TYPE_REQUESTER_SID missing
> Mixed insecure and secure (unpatched/patched) DCs are not supported
> after the Nov 2021 security updates.
> However, we do our best to stay secure provided there was a normal PAC,
> we use the SID found there in the main LOGON_INFO.
> The warning you see seems to come from the constrained delegation code,
> so perhaps your application is using that.
> Microsoft intends to do strictly require patched DCs, and has a
> registry key that can be set to enforce that now, but keeps putting off
> the deadline for strict enforcement.
> The security issues we fixed are serious, I would strongly recommend
> getting onto patched versions urgently.
> Andrew Bartlett

Ta wiadomość e-mail została sprawdzona pod kątem wirusów przez oprogramowanie antywirusowe Avast.

More information about the samba mailing list