[Samba] NT_STATUS_DOWNGRADE_DETECTED
Anantha Raghava
raghav at exzatechconsulting.com
Tue May 2 10:15:15 UTC 2023
Hello Rowloand,
Thanks for quick response.
Yes, we are a bank.
Unfortunately, we have no choice but to allow insecure methods and lower
version of TLS since there are many applications that still do not
support the secure methods. Even if we enable, secure methods,
applications fail to authenticate and start throwing many errors. AD
alone enabling secure methods while the other applications still lag
behind creates a havoc. VCenter integration is one such example, which
still uses HMAC-MD5. Switching them to AES is a herculean task and many
missiles will also fly ;) .
Is there any quick workaround to get the work going while we get the
application vendors to upgrade themselves?
Thanks & Regards,
Anantha Raghava H A
DISCLAIMER:
This e-mail communication and any attachments may be privileged and
confidential to Exzatech Consulting And Services Pvt. Ltd., Bangalore,
and are intended only for the use of the recipients named above If you
are not the addressee you may not copy, forward, disclose or use any
part of it. If you have received this message in error, please delete it
and all copies from your system and notify the sender immediately by
return e-mail. Internet communications cannot be guaranteed to be
timely, secure, error or virus-free. The sender does not accept
liability for any errors or omissions.
Do not print this e-mail unless required. Save Paper & trees.
On 02/05/23 3:22 pm, Rowland Penny via samba wrote:
>
>
> On 02/05/2023 10:36, Anantha Raghava via samba wrote:
>> Hi,
>>
>> We recently upgraded to Samba Version 4.18.1 from 4.15.6.
>>
>> While adding new users to Vcenter console, new user addition is
>> getting refused. While assessing the problem we see a peculiar error
>> in the log. This was working properly earlier with 4.15.6
>>
>> The error log shows as follows:
>>
>> {"timestamp": "2023-05-02T11:13:08.478955+0530", "type":
>> "Authentication", "Authentication": {"version": {"major": 1, "minor":
>> 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status":
>> "NT_STATUS_DOWNGRADE_DETECTED", "localAddress":
>> "ipv4:172.16.202.175:445", "remoteAddress":
>> "ipv4:172.16.223.16:35096", "serviceDescription": "NETLOGON",
>> "authDescription": "ServerAuthenticate", "clientDomain":
>> "KTKBANKLTD", "clientAccount": "KBLVCENT-TUZ6BW$", "workstation":
>> null, "becameAccount": &quo t;KBLVCENT-TUZ6BW$", "becameDomain":
>> "KTKBANKLTD", "becameSid": null, "mappedAccount": "KBLVCENT-TUZ6BW$",
>> "mappedDomain": null, &quo t;netlogonComputer": "KBLVCENT-TUZ6BW",
>> "netlogonTrustAccount": "KBLVCENT-TUZ6BW$", "netlogonNegotiateFlags":
>> "0x6007FFFF", "netlogonSecureChannelType": 2,
>> "netlogonTrustAccountSid": null, "passwordType": "HMAC-MD5"}}
>
> HMAC-MD5 ????
>
>>
>> Samba is installed on RHEL 8
>>
>> our smb.conf shown below.
>>
>> *smb.conf*
>>
>> # Global parameters
>> [global]
>> netbios name = PDC
>> realm = KTKBANKLTD.COM
>
> Hmm, with a realm like 'KTKBANKLTD.COM' it is a fair assumption that
> you are a bank, but seemingly not one that cares about security
>
>> server role = active directory domain controller
>> workgroup = KTKBANKLTD
>> idmap_ldb:use rfc2307 = yes
>> ldap server require strong auth = No
>
> Why not require strong auth ?
>
>> dns forwarder = x.x.x.x
>> allow dns updates = nonsecure
>
> Again, why do you not require secure dns updates ?
>
>> tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
>
> Oh, come on, TLS 1.2 ?
>
>> log level = 3 auth_audit:0 auth_json_audit:3 dsdb_json_audit:5
>> log file = /var/log/samba/pdc.log
>> max log size = 1000000000
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts
>> read only = No
>>
>> Request someone to help us fix the issue.
>>
>
> Read this, I think you will find it relevant:
>
> https://www.samba.org/samba/security/CVE-2022-37966.html
>
> Rowland
>
More information about the samba
mailing list