[Samba] NT_STATUS_DOWNGRADE_DETECTED

Tue May 2 09:36:44 UTC 2023

Hi,

We recently upgraded to Samba Version 4.18.1 from 4.15.6.

While adding new users to Vcenter console, new user addition is getting 
refused. While assessing the problem we see a peculiar error in the log. 
This was working properly earlier with 4.15.6

The error log shows as follows:

{"timestamp": "2023-05-02T11:13:08.478955+0530", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": 
"NT_STATUS_DOWNGRADE_DETECTED", "localAddress": 
"ipv4:172.16.202.175:445", "remoteAddress": "ipv4:172.16.223.16:35096", 
"serviceDescription": "NETLOGON", "authDescription": 
"ServerAuthenticate", "clientDomain": "KTKBANKLTD", "clientAccount": 
"KBLVCENT-TUZ6BW$", "workstation": null, "becameAccount": &quo 
t;KBLVCENT-TUZ6BW$", "becameDomain": "KTKBANKLTD", "becameSid": null, 
"mappedAccount": "KBLVCENT-TUZ6BW$", "mappedDomain": null, &quo 
t;netlogonComputer": "KBLVCENT-TUZ6BW", "netlogonTrustAccount": 
"KBLVCENT-TUZ6BW$", "netlogonNegotiateFlags": "0x6007FFFF", 
"netlogonSecureChannelType": 2, "netlogonTrustAccountSid": null, 
"passwordType": "HMAC-MD5"}}

Samba is installed on RHEL 8

our smb.conf shown below.

*smb.conf*

# Global parameters
[global]
         netbios name = PDC
         realm = KTKBANKLTD.COM
         server role = active directory domain controller
         workgroup = KTKBANKLTD
         idmap_ldb:use rfc2307 = yes
         ldap server require strong auth = No
         dns forwarder = x.x.x.x
         allow dns updates = nonsecure
         tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
         log level = 3 auth_audit:0 auth_json_audit:3 dsdb_json_audit:5
         log file = /var/log/samba/pdc.log
         max log size = 1000000000

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts
         read only = No

Request someone to help us fix the issue.

-- 

Thanks & Regards,

Raghav

DISCLAIMER:
This e-mail communication and any attachments may be privileged and 
confidential to Exzatech Consulting And Services Pvt. Ltd., Bangalore, 
and are intended only for the use of the recipients named above If you 
are not the addressee you may not copy, forward, disclose or use any 
part of it. If you have received this message in error, please delete it 
and all copies from your system and notify the sender immediately by 
return e-mail. Internet communications cannot be guaranteed to be 
timely, secure, error or virus-free. The sender does not accept 
liability for any errors or omissions.

Do not print this e-mail unless required. Save Paper & trees.