[Samba] NT_STATUS_DOWNGRADE_DETECTED

Rowland Penny rpenny at samba.org
Tue May 2 09:52:50 UTC 2023



On 02/05/2023 10:36, Anantha Raghava via samba wrote:
> Hi,
> 
> We recently upgraded to Samba Version 4.18.1 from 4.15.6.
> 
> While adding new users to the vCenter console, new user addition is getting 
> refused. While assessing the problem we see a peculiar error in the log. 
> This was working properly earlier with 4.15.6.
> 
> The error log shows as follows:
> 
> {"timestamp": "2023-05-02T11:13:08.478955+0530", "type": "Authentication",
> "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625,
> "logonId": "0", "logonType": 3, "status": "NT_STATUS_DOWNGRADE_DETECTED",
> "localAddress": "ipv4:172.16.202.175:445",
> "remoteAddress": "ipv4:172.16.223.16:35096",
> "serviceDescription": "NETLOGON", "authDescription": "ServerAuthenticate",
> "clientDomain": "KTKBANKLTD", "clientAccount": "KBLVCENT-TUZ6BW$",
> "workstation": null, "becameAccount": "KBLVCENT-TUZ6BW$",
> "becameDomain": "KTKBANKLTD", "becameSid": null,
> "mappedAccount": "KBLVCENT-TUZ6BW$", "mappedDomain": null,
> "netlogonComputer": "KBLVCENT-TUZ6BW", "netlogonTrustAccount": "KBLVCENT-TUZ6BW$",
> "netlogonNegotiateFlags": "0x6007FFFF", "netlogonSecureChannelType": 2,
> "netlogonTrustAccountSid": null, "passwordType": "HMAC-MD5"}}

HMAC-MD5 ????

> 
> Samba is installed on RHEL 8
> 
> our smb.conf shown below.
> 
> *smb.conf*
> 
> # Global parameters
> [global]
>          netbios name = PDC
>          realm = KTKBANKLTD.COM

Hmm, with a realm like 'KTKBANKLTD.COM' it is a fair assumption that you 
are a bank, but seemingly not one that cares about security.

>          server role = active directory domain controller
>          workgroup = KTKBANKLTD
>          idmap_ldb:use rfc2307 = yes
>          ldap server require strong auth = No

Why not require strong auth ?

>          dns forwarder = x.x.x.x
>          allow dns updates = nonsecure

Again, why do you not require secure dns updates ?

>          tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2

Oh, come on, TLS 1.2 ?

>          log level = 3 auth_audit:0 auth_json_audit:3 dsdb_json_audit:5
>          log file = /var/log/samba/pdc.log
>          max log size = 1000000000
> 
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> 
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts
>          read only = No
> 
> Request someone to help us fix the issue.
> 

Read this, I think you will find it relevant:

https://www.samba.org/samba/security/CVE-2022-37966.html

Rowland
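An added example, not part of the thread and not Samba's own code: a small triage script for the auth_json_audit lines Samba writes at "auth_json_audit:3". It keeps NETLOGON ServerAuthenticate events, decodes the netlogonNegotiateFlags bit field using the flag values from MS-NRPC section 3.1.4.2 (the same constants as Samba's netlogon.idl), and lists machine accounts that did not offer NETLOGON_NEG_SUPPORTS_AES (0x01000000). The flags logged above, 0x6007FFFF, do not contain that bit, which is why the secure channel is keyed with RC4 and logged as passwordType HMAC-MD5; the script turns that observation into a check you can run across a whole log file to find every such client and to confirm whether the DC rejected it. The sample log below is constructed: the first JSON record is the event quoted in this thread, the plain-text line and the AES-capable Windows client record (flags 0x612FFFFF, host WIN10-PC) are made up for the example.

```python
"""Find NetLogon clients that negotiate an RC4/HMAC-MD5 secure channel.

Added example (not from the thread or from Samba): parses Samba's
auth_json_audit records and reports clients lacking NETLOGON_NEG_SUPPORTS_AES.
"""
import json
from typing import Iterable, Optional

# Negotiate flag bits from MS-NRPC 3.1.4.2 (identical to Samba's netlogon.idl).
NETLOGON_NEG_ARCFOUR = 0x00000004
NETLOGON_NEG_STRONG_KEYS = 0x00004000
NETLOGON_NEG_SUPPORTS_AES_SHA2 = 0x00400000
NETLOGON_NEG_SUPPORTS_AES = 0x01000000
NETLOGON_NEG_AUTHENTICATED_RPC = 0x40000000

# Constructed sample log: one ordinary text line, the event quoted in the
# thread, and a made-up AES-capable Windows client record.
SAMPLE_LOG = [
    "[2023/05/02 11:13:08.478901,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)",
    '{"timestamp": "2023-05-02T11:13:08.478955+0530", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, '
    '"logonId": "0", "logonType": 3, "status": "NT_STATUS_DOWNGRADE_DETECTED", '
    '"localAddress": "ipv4:172.16.202.175:445", "remoteAddress": "ipv4:172.16.223.16:35096", '
    '"serviceDescription": "NETLOGON", "authDescription": "ServerAuthenticate", '
    '"clientDomain": "KTKBANKLTD", "clientAccount": "KBLVCENT-TUZ6BW$", "workstation": null, '
    '"becameAccount": "KBLVCENT-TUZ6BW$", "becameDomain": "KTKBANKLTD", "becameSid": null, '
    '"mappedAccount": "KBLVCENT-TUZ6BW$", "mappedDomain": null, '
    '"netlogonComputer": "KBLVCENT-TUZ6BW", "netlogonTrustAccount": "KBLVCENT-TUZ6BW$", '
    '"netlogonNegotiateFlags": "0x6007FFFF", "netlogonSecureChannelType": 2, '
    '"netlogonTrustAccountSid": null, "passwordType": "HMAC-MD5"}}',
    # Constructed: a client that offers AES (0x01000000 set) and is accepted.
    '{"timestamp": "2023-05-02T11:14:02.000000+0530", "type": "Authentication", '
    '"Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", '
    '"remoteAddress": "ipv4:192.0.2.10:49200", "serviceDescription": "NETLOGON", '
    '"authDescription": "ServerAuthenticate", "netlogonComputer": "WIN10-PC", '
    '"netlogonTrustAccount": "WIN10-PC$", "netlogonNegotiateFlags": "0x612FFFFF", '
    '"netlogonSecureChannelType": 2, "passwordType": "HMAC-SHA256"}}',
]


def parse_audit_event(line: str) -> Optional[dict]:
    """Return the 'Authentication' record of a JSON audit line, else None.

    Samba interleaves ordinary text with the JSON records, so anything that
    is not an Authentication JSON object is skipped rather than failing.
    """
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("type") != "Authentication":
        return None
    return rec.get("Authentication")


def decode_negotiate_flags(value: str) -> dict:
    """Decode the hex string Samba logs in netlogonNegotiateFlags."""
    flags = int(value, 16)
    return {
        "flags": flags,
        "arcfour": bool(flags & NETLOGON_NEG_ARCFOUR),
        "strong_keys": bool(flags & NETLOGON_NEG_STRONG_KEYS),
        "aes": bool(flags & NETLOGON_NEG_SUPPORTS_AES),
        "aes_sha2": bool(flags & NETLOGON_NEG_SUPPORTS_AES_SHA2),
        "authenticated_rpc": bool(flags & NETLOGON_NEG_AUTHENTICATED_RPC),
    }


def find_md5_schannel_clients(lines: Iterable[str]) -> list:
    """List NETLOGON ServerAuthenticate events whose client did not offer AES.

    Each finding keeps the trust account, raw flags, the password type Samba
    logged and the status returned, so you can see both which machines still
    need a client-side fix and whether the DC rejected or accepted them.
    """
    findings = []
    for line in lines:
        ev = parse_audit_event(line)
        if ev is None or ev.get("serviceDescription") != "NETLOGON":
            continue
        if ev.get("authDescription") != "ServerAuthenticate":
            continue
        raw = ev.get("netlogonNegotiateFlags")
        if raw is None:
            continue
        neg = decode_negotiate_flags(raw)
        if neg["aes"]:
            continue  # AES-capable client: not a downgrade concern
        findings.append({
            "account": ev.get("netlogonTrustAccount"),
            "computer": ev.get("netlogonComputer"),
            "remote": ev.get("remoteAddress"),
            "flags": neg["flags"],
            "password_type": ev.get("passwordType"),
            "status": ev.get("status"),
            "rejected": ev.get("status") == "NT_STATUS_DOWNGRADE_DETECTED",
        })
    return findings


if __name__ == "__main__":
    for f in find_md5_schannel_clients(SAMPLE_LOG):
        print(f"{f['account']} from {f['remote']}: flags=0x{f['flags']:08X} "
              f"passwordType={f['password_type']} status={f['status']}")
```

Point it at /var/log/samba/pdc.log (the log file named in the quoted smb.conf) with `find_md5_schannel_clients(open(path))` to get the full list of accounts affected after the upgrade; an account that shows up with rejected=True is one the DC is now refusing, and the fix belongs on that client, not in loosening the DC.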
