[Samba] CVE-2022-38023 and Samba versions

Andrew Bartlett abartlet at samba.org
Fri Jun 9 20:14:14 UTC 2023

On Fri, 2023-06-09 at 19:28 +0000, Jim Brand via samba wrote:
> Just to clarify we are only running Samba file servers.   And we
> would certainly add the workarounds in smb.conf
> But will we have problems communicating with Windows domain
> controllers if we are still running samba-4.10 after July 2023?   Per
> https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25
> the July Windows updates will enforce RPC sealing and RPC signing
> will not be allowed.  Does Samba 4.10.16-20/24 use the sealing or the
> signing netlogon protocol talking to Windows DCs?

Yes, it will all be fine; the advisory notes that RC4 cryptography in
NETLOGON is unused (by default in our client) since Samba 4.0.

On the signing/sealing question, you can note this warning in the

> 'winbind sealed pipes = yes' should also be kept at its default

That is, 'out of the box' we are already using the more advanced
cryptography by default, and always encrypt (not just sign, this always
seemed a bad idea) our post connection-setup NETLOGON requests.

Testing is good, but I don't have any major concerns about this update.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
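The reply above points at one smb.conf setting that must stay at its default on a member server, 'winbind sealed pipes = yes'. The following Python script is an added example for checking that, not code from the thread or from the Samba project: it parses the [global] section of an smb.conf, normalises parameter names the way Samba does (case-insensitive, embedded whitespace ignored, so 'Winbind Sealed Pipes' and 'winbindsealedpipes' are the same key), understands the per-domain 'winbind sealed pipes:DOMAIN' override form, and reports any occurrence that turns sealing off. The sample configuration embedded in it is constructed for the demonstration; the section name 'OLDDOM' and the paths are placeholders.

```python
import re
from typing import Dict, Optional

# Constructed sample smb.conf (not from the thread): a domain member that left
# the global default alone but disabled sealing for one trusted domain.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.LOCAL
    ; Winbind Sealed Pipes = yes   <- commented out, so the default (yes) applies
    winbind sealed pipes:OLDDOM = no

[data]
    path = /srv/data
    read only = no
"""


def normalise_name(name: str) -> str:
    """Samba treats parameter names case-insensitively and ignores whitespace
    inside them. The optional ':SUFFIX' (per-domain override) is kept after
    the colon so it can be reported separately."""
    base, sep, suffix = name.partition(":")
    return re.sub(r"\s+", "", base).lower() + sep + suffix.strip()


def parse_global(conf_text: str) -> Dict[str, str]:
    """Return the [global] section as a dict of normalised-name -> raw value.
    Blank lines and comment lines (starting with '#' or ';') are skipped;
    parameters in share sections are ignored."""
    params: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[normalise_name(name)] = value.strip()
    return params


def as_bool(value: str) -> Optional[bool]:
    """Accept the boolean spellings smb.conf allows; None if unrecognised."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def check_sealed_pipes(conf_text: str) -> Dict[str, str]:
    """Report every global or per-domain 'winbind sealed pipes' setting whose
    value disables sealing. The default when the key is absent is yes, so an
    unset parameter produces no finding."""
    findings: Dict[str, str] = {}
    for name, value in parse_global(conf_text).items():
        if name == "winbindsealedpipes" or name.startswith("winbindsealedpipes:"):
            if as_bool(value) is False:
                findings[name] = value
    return findings


if __name__ == "__main__":
    bad = check_sealed_pipes(SAMPLE_SMB_CONF)
    for key, val in bad.items():
        print(f"sealing disabled: {key} = {val}")
    if not bad:
        print("winbind sealed pipes is at its default (yes) everywhere")
```

Run it against a real file by replacing SAMPLE_SMB_CONF with the contents of /etc/samba/smb.conf; the check only flags an explicit 'no', which is the case the reply says to avoid.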
