[Samba] R: upgrade from 4.17 to samba 4.18.1

Corrado Ravinetto corrado.ravinetto at lanificiocerruti.com
Thu Mar 30 12:20:09 UTC 2023


Mmmmm
Strange, I checked my smb.conf before the upgrade and none of the parameters is present.
Now I added
        allow nt4 crypto = yes
        reject md5 clients = no

but nothing changed in my logs:

Mar 30 14:09:58 dc3 samba[1879231]: [2023/03/30 14:09:58.225659,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:357(dcesrv_netr_ServerAuthenticate3_check_downgrade)
Mar 30 14:09:58 dc3 samba[1879231]:  CVE-2022-38023: Check if option 'server reject md5 schannel:ARRQUADRO_2_16$ = no' might be needed for a legacy client.
Mar 30 14:09:58 dc3 samba[1879237]: [2023/03/30 14:09:58.795431,  0] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1567(dcesrv_netr_LogonSamLogon_base_reply)
Mar 30 14:09:58 dc3 samba[1879237]:  dcesrv_netr_LogonSamLogon_base_reply: netlogon_creds_encrypt_samlogon_validation() failed - NT_STATUS_INVALID_INFO_CLASS


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Thursday, 30 March 2023 12:19
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] upgrade from 4.17 to samba 4.18.1



On 30/03/2023 11:06, Corrado Ravinetto via samba wrote:
> Hello all
> On my CentOS 8 I upgraded by compiling from source myself.
> After upgrading my DC from Samba 4.17 to Samba 4.18.1 my logs are full of:
>
> Mar 30 11:58:00 dc3 samba[708393]:  CVE-2022-38023:
> client_account[MAGCAMPIONI$] computer_name[MAGCAMPIONI]
> schannel_type[2] client_negotiate_flags[0x600fffff]
> real_account[magcampioni$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0]
> reject_md5[1] Mar 30 11:58:00 dc3 samba[708393]: [2023/03/30
> 11:58:00.117240,  0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708393]:  CVE-2022-38023: Check if option 'server reject md5 schannel:magcampioni$ = no' might be needed for a legacy client.
> Mar 30 11:58:00 dc3 samba[708379]: [2023/03/30 11:58:00.136897,  0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708379]:  CVE-2022-38023:
> client_account[PASSAPZXP$] computer_name[PASSAPZXP] schannel_type[2]
> client_negotiate_flags[0x600fffff] real_account[passapzxp$]
> NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1] Mar 30
> 11:58:00 dc3 samba[708379]: [2023/03/30 11:58:00.136993,  0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:00 dc3 samba[708379]:  CVE-2022-38023: Check if option 'server reject md5 schannel:passapzxp$ = no' might be needed for a legacy client.
> Mar 30 11:58:48 dc3 samba[708379]: [2023/03/30 11:58:48.782007,  0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:48 dc3 samba[708379]:  CVE-2022-38023:
> client_account[DATACOLOR0719$] computer_name[DATACOLOR0719]
> schannel_type[2] client_negotiate_flags[0x600fffff]
> real_account[DATACOLOR0719$] NT_STATUS_DOWNGRADE_DETECTED
> reject_des[0] reject_md5[1] Mar 30 11:58:48 dc3 samba[708379]:
> [2023/03/30 11:58:48.782116,  0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 11:58:48 dc3 samba[708379]:  CVE-2022-38023: Check if option 'server reject md5 schannel:DATACOLOR0719$ = no' might be needed for a legacy client.
> Mar 30 12:00:05 dc3 samba[708379]: [2023/03/30 12:00:05.691763,  0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 12:00:05 dc3 samba[708379]:  CVE-2022-38023:
> client_account[PASSA_PZ2$] computer_name[PASSA_PZ2] schannel_type[2]
> client_negotiate_flags[0x600fffff] real_account[PASSA_PZ2$]
> NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1] Mar 30
> 12:00:05 dc3 samba[708379]: [2023/03/30 12:00:05.691850,  0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 12:00:05 dc3 samba[708379]:  CVE-2022-38023: Check if option 'server reject md5 schannel:PASSA_PZ2$ = no' might be needed for a legacy client.
>
> What can I do?
> At the moment my clients are not experiencing any particular problems.
> Thanks


A bit weird that, the CVE referred to in the logs was in the security release 4.16.8 and reading this might help:

https://www.samba.org/samba/security/CVE-2022-38023.html

Rowland



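An added example, not part of the original thread and not Samba project code: a Python script that turns the CVE-2022-38023 log lines quoted above into a per-machine inventory, showing how often each account triggered the check, whether its negotiate flags offer AES, and which per-account option the DC log named for it. The sample lines are constructed from the thread's format, and the names `inventory` and `report` are assumptions.

```python
import re
from collections import defaultdict

# Netlogon negotiate-flag bit (MS-NRPC): a client that does not set it cannot
# use the AES secure channel and falls back to the HMAC-MD5 one.
NEG_SUPPORTS_AES = 0x01000000

# Constructed sample modelled on the thread's log lines, one event per line
# (the way journald writes them before the mail client wrapped them).
SAMPLE_LOG = """\
Mar 30 11:58:00 dc3 samba[708393]:  CVE-2022-38023: client_account[MAGCAMPIONI$] computer_name[MAGCAMPIONI] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[magcampioni$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
Mar 30 11:58:00 dc3 samba[708393]:  CVE-2022-38023: Check if option 'server reject md5 schannel:magcampioni$ = no' might be needed for a legacy client.
Mar 30 11:58:48 dc3 samba[708379]:  CVE-2022-38023: client_account[DATACOLOR0719$] computer_name[DATACOLOR0719] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[DATACOLOR0719$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
Mar 30 11:58:48 dc3 samba[708379]:  CVE-2022-38023: Check if option 'server reject md5 schannel:DATACOLOR0719$ = no' might be needed for a legacy client.
Mar 30 12:03:11 dc3 samba[708393]:  CVE-2022-38023: client_account[MAGCAMPIONI$] computer_name[MAGCAMPIONI] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[magcampioni$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
"""

DETAIL = re.compile(r"CVE-2022-38023:\s+(client_account\[.*)")
FIELD = re.compile(r"(\w+)\[([^\]]*)\]")
HINT = re.compile(r"Check if option '([^']*schannel:([^' ]+) = \w+)'")

def inventory(log_text):
    """Group downgrade events by machine account (case-insensitive)."""
    seen = defaultdict(lambda: {"events": 0, "flags": set(), "hint": None})
    for line in log_text.splitlines():
        detail, hint = DETAIL.search(line), HINT.search(line)
        if detail:
            fields = dict(FIELD.findall(detail.group(1)))
            account = fields.get("real_account") or fields["client_account"]
            entry = seen[account.lower()]
            entry["events"] += 1
            if "client_negotiate_flags" in fields:
                entry["flags"].add(int(fields["client_negotiate_flags"], 16))
        elif hint:
            # Keep the option string exactly as the DC printed it.
            seen[hint.group(2).lower()]["hint"] = hint.group(1)
    return dict(seen)

def report(inv):
    """Rows of (account, events, offers_aes, option named by the DC log)."""
    rows = []
    for account, e in sorted(inv.items()):
        offers_aes = bool(e["flags"]) and all(f & NEG_SUPPORTS_AES for f in e["flags"])
        rows.append((account, e["events"], offers_aes, e["hint"]))
    return rows

if __name__ == "__main__":
    for row in report(inventory(SAMPLE_LOG)):
        print("%-18s events=%d offers_aes=%s  %s" % row)
```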