[Samba] NT_STATUS_DOWNGRADE_DETECTED
Rowland Penny
rpenny at samba.org
Tue May 2 09:52:50 UTC 2023
On 02/05/2023 10:36, Anantha Raghava via samba wrote:
> Hi,
>
> We recently upgraded to Samba Version 4.18.1 from 4.15.6.
>
> While adding new users to Vcenter console, new user addition is getting
> refused. While assessing the problem we see a peculiar error in the log.
> This was working properly earlier with 4.15.6
>
> The error log shows as follows:
>
> {"timestamp": "2023-05-02T11:13:08.478955+0530", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status":
> "NT_STATUS_DOWNGRADE_DETECTED", "localAddress":
> "ipv4:172.16.202.175:445", "remoteAddress": "ipv4:172.16.223.16:35096",
> "serviceDescription": "NETLOGON", "authDescription":
> "ServerAuthenticate", "clientDomain": "KTKBANKLTD", "clientAccount":
> "KBLVCENT-TUZ6BW$", "workstation": null, "becameAccount":
> "KBLVCENT-TUZ6BW$", "becameDomain": "KTKBANKLTD", "becameSid": null,
> "mappedAccount": "KBLVCENT-TUZ6BW$", "mappedDomain": null,
> "netlogonComputer": "KBLVCENT-TUZ6BW", "netlogonTrustAccount":
> "KBLVCENT-TUZ6BW$", "netlogonNegotiateFlags": "0x6007FFFF",
> "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": null,
> "passwordType": "HMAC-MD5"}}
HMAC-MD5 ????
>
> Samba is installed on RHEL 8
>
> our smb.conf shown below.
>
> *smb.conf*
>
> # Global parameters
> [global]
> netbios name = PDC
> realm = KTKBANKLTD.COM
Hmm, with a realm like 'KTKBANKLTD.COM' it is a fair assumption that you
are a bank, but seemingly not one that cares about security
> server role = active directory domain controller
> workgroup = KTKBANKLTD
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = No
Why not require strong auth ?
> dns forwarder = x.x.x.x
> allow dns updates = nonsecure
Again, why do you not require secure dns updates ?
> tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
Oh, come on, TLS 1.2 ?
> log level = 3 auth_audit:0 auth_json_audit:3 dsdb_json_audit:5
> log file = /var/log/samba/pdc.log
> max log size = 1000000000
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts
> read only = No
>
> Request someone to help us fix the issue.
>
Read this, I think you will find it relevant:
https://www.samba.org/samba/security/CVE-2022-37966.html
Rowland
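
To see which machine accounts are hitting this rejection, the following added example (not part of the original message and not Samba project code) scans auth_json_audit output for NETLOGON records with status NT_STATUS_DOWNGRADE_DETECTED and reports whether each client offered the AES bit in netlogonNegotiateFlags. The sample log lines, account names and addresses are constructed; the constant 0x01000000 is the "supports AES" NegotiateFlags bit from MS-NRPC (NETLOGON_NEG_SUPPORTS_AES in Samba's netlogon.idl).

```python
import json

# MS-NRPC NegotiateFlags bit: client supports AES-based secure channel.
NETLOGON_NEG_SUPPORTS_AES = 0x01000000

# Constructed sample input (not the poster's log); field names follow the
# auth_json_audit record quoted in the message above.
SAMPLE_LOG = """\
[2023/05/02 11:13:08.478955,  3] constructed debug header line
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_DOWNGRADE_DETECTED", "remoteAddress": "ipv4:192.0.2.16:35096", "serviceDescription": "NETLOGON", "authDescription": "ServerAuthenticate", "clientAccount": "EXAMPLE-HOST1$", "netlogonNegotiateFlags": "0x6007FFFF", "passwordType": "HMAC-MD5"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.17:40112", "serviceDescription": "NETLOGON", "authDescription": "ServerAuthenticate", "clientAccount": "EXAMPLE-HOST2$", "netlogonNegotiateFlags": "0x612FFFFF", "passwordType": "HMAC-SHA256"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.18:51000", "serviceDescription": "SMB2", "authDescription": null, "clientAccount": "someuser", "netlogonNegotiateFlags": null, "passwordType": "NTLMv2"}}
"""


def downgrade_events(lines):
    """Yield one summary dict per NETLOGON record rejected as a downgrade."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # debug header or other non-JSON line
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON content
        auth = record.get("Authentication") if isinstance(record, dict) else None
        if not isinstance(auth, dict):
            continue
        if auth.get("status") != "NT_STATUS_DOWNGRADE_DETECTED":
            continue
        if auth.get("serviceDescription") != "NETLOGON":
            continue
        # The flags field is a hex string such as "0x6007FFFF", or null.
        flags = int(auth.get("netlogonNegotiateFlags") or "0", 16)
        yield {
            "account": auth.get("clientAccount"),
            "remote": auth.get("remoteAddress"),
            "passwordType": auth.get("passwordType"),
            "flags": hex(flags),
            "offers_aes": bool(flags & NETLOGON_NEG_SUPPORTS_AES),
        }


if __name__ == "__main__":
    for event in downgrade_events(SAMPLE_LOG.splitlines()):
        print(event)
```

To run it against a real log, pass the lines of the file named in `log file` instead of `SAMPLE_LOG.splitlines()`.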