[Samba] upgrade from 4.17 to samba 4.18.1

Rowland Penny rpenny at samba.org
Thu Mar 30 10:19:10 UTC 2023



On 30/03/2023 11:06, Corrado Ravinetto via samba wrote:
> Hello all,
> On my CentOS 8 I upgraded by compiling from source myself.
> After the upgrade of my DC from Samba 4.17 to Samba 4.18.1 my logs are full of:
> 
> Mar 30 11:58:00 dc3 samba[708393]:  CVE-2022-38023: client_account[MAGCAMPIONI$] computer_name[MAGCAMPIONI] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[magcampioni$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
> Mar 30 11:58:00 dc3 samba[708393]: [2023/03/30 11:58:00.117240,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708393]:  CVE-2022-38023: Check if option 'server reject md5 schannel:magcampioni$ = no' might be needed for a legacy client.
> Mar 30 11:58:00 dc3 samba[708379]: [2023/03/30 11:58:00.136897,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708379]:  CVE-2022-38023: client_account[PASSAPZXP$] computer_name[PASSAPZXP] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[passapzxp$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
> Mar 30 11:58:00 dc3 samba[708379]: [2023/03/30 11:58:00.136993,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708379]:  CVE-2022-38023: Check if option 'server reject md5 schannel:passapzxp$ = no' might be needed for a legacy client.
> Mar 30 11:58:48 dc3 samba[708379]: [2023/03/30 11:58:48.782007,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> Mar 30 11:58:48 dc3 samba[708379]:  CVE-2022-38023: client_account[DATACOLOR0719$] computer_name[DATACOLOR0719] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[DATACOLOR0719$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
> Mar 30 11:58:48 dc3 samba[708379]: [2023/03/30 11:58:48.782116,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> Mar 30 11:58:48 dc3 samba[708379]:  CVE-2022-38023: Check if option 'server reject md5 schannel:DATACOLOR0719$ = no' might be needed for a legacy client.
> Mar 30 12:00:05 dc3 samba[708379]: [2023/03/30 12:00:05.691763,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> Mar 30 12:00:05 dc3 samba[708379]:  CVE-2022-38023: client_account[PASSA_PZ2$] computer_name[PASSA_PZ2] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[PASSA_PZ2$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
> Mar 30 12:00:05 dc3 samba[708379]: [2023/03/30 12:00:05.691850,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> Mar 30 12:00:05 dc3 samba[708379]:  CVE-2022-38023: Check if option 'server reject md5 schannel:PASSA_PZ2$ = no' might be needed for a legacy client.
> 
> What can I do?
> At the moment my clients are not experiencing any particular problems.
> Thanks


A bit weird that, the CVE referred to in the logs was in the security 
release 4.16.8 and reading this might help:

https://www.samba.org/samba/security/CVE-2022-38023.html

Rowland
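
As an added example (not part of the original thread and not Samba code), one way to triage the log messages quoted above: list each rejected machine account and check whether the negotiate flags it sent include the AES bit. The sample lines are copied from the log in the question; the two flag constants are the MS-NRPC negotiate-flag values, the function name is hypothetical, and lowercasing account names to merge case variants is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Negotiate-flag bits as defined in MS-NRPC (not taken from the post).
NEG_STRONG_KEYS = 0x00004000
NEG_SUPPORTS_AES = 0x01000000

# Matches the first line Samba logs for each rejected authentication.
REJECT_RE = re.compile(
    r"CVE-2022-38023: client_account\[(?P<account>[^\]]+)\].*?"
    r"client_negotiate_flags\[(?P<flags>0x[0-9a-fA-F]+)\].*?"
    r"NT_STATUS_DOWNGRADE_DETECTED "
    r"reject_des\[(?P<des>[01])\] reject_md5\[(?P<md5>[01])\]"
)

# Sample input: three lines copied from the log in the question.
SAMPLE_LOG = """\
Mar 30 11:58:00 dc3 samba[708393]:  CVE-2022-38023: client_account[MAGCAMPIONI$] computer_name[MAGCAMPIONI] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[magcampioni$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
Mar 30 11:58:00 dc3 samba[708393]:  CVE-2022-38023: Check if option 'server reject md5 schannel:magcampioni$ = no' might be needed for a legacy client.
Mar 30 12:00:05 dc3 samba[708379]:  CVE-2022-38023: client_account[PASSA_PZ2$] computer_name[PASSA_PZ2] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[PASSA_PZ2$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
"""


def summarize_rejections(log_text):
    """Return {account: details} for every rejected netlogon authentication."""
    summary = defaultdict(lambda: {"count": 0, "offers_aes": False,
                                   "offers_strong_keys": False,
                                   "rejected_for": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # the "Check if option ..." hint lines add no new data
        flags = int(m.group("flags"), 16)
        # Assumption: merge case variants (MAGCAMPIONI$ / magcampioni$).
        entry = summary[m.group("account").lower()]
        entry["count"] += 1
        entry["offers_aes"] |= bool(flags & NEG_SUPPORTS_AES)
        entry["offers_strong_keys"] |= bool(flags & NEG_STRONG_KEYS)
        if m.group("des") == "1":
            entry["rejected_for"].add("des")
        if m.group("md5") == "1":
            entry["rejected_for"].add("md5")
    return dict(summary)


if __name__ == "__main__":
    for account, info in sorted(summarize_rejections(SAMPLE_LOG).items()):
        print(account, info)
```

For the lines in the question, every account shows `offers_aes` as false, which matches the `reject_md5[1]` reason in the log.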




