[Samba] NT_STATUS_DOWNGRADE_DETECTED

Andrew Bartlett abartlet at samba.org
Tue May 2 10:54:05 UTC 2023


On Tue, 2023-05-02 at 10:52 +0100, Rowland Penny via samba wrote:
> On 02/05/2023 10:36, Anantha Raghava via samba wrote:
> > Hi,
> > We recently upgraded to Samba Version 4.18.1 from 4.15.6.
> > While adding new users to Vcenter console, new user addition is
> > getting refused. While assessing the problem we see a peculiar
> > error in the log. This was working properly earlier with 4.15.6
> > The error log shows as follows:
> > {"timestamp": "2023-05-02T11:13:08.478955+0530", "type":
> > "Authentication", "Authentication": {"version": {"major": 1,
> > "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3,
> > "status": "NT_STATUS_DOWNGRADE_DETECTED", "localAddress":
> > "ipv4:172.16.202.175:445", "remoteAddress":
> > "ipv4:172.16.223.16:35096", "serviceDescription": "NETLOGON",
> > "authDescription": "ServerAuthenticate", "clientDomain":
> > "KTKBANKLTD", "clientAccount": "KBLVCENT-TUZ6BW$", "workstation":
> > null, "becameAccount": "KBLVCENT-TUZ6BW$", "becameDomain":
> > "KTKBANKLTD", "becameSid": null, "mappedAccount":
> > "KBLVCENT-TUZ6BW$", "mappedDomain": null, "netlogonComputer":
> > "KBLVCENT-TUZ6BW", "netlogonTrustAccount": "KBLVCENT-TUZ6BW$",
> > "netlogonNegotiateFlags": "0x6007FFFF",
> > "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": null,
> > "passwordType": "HMAC-MD5"}}
> 
> HMAC-MD5 ????
> > Samba is installed on RHEL 8
> > our smb.conf shown below.
> > *smb.conf*
> > # Global parameters
> > [global]
> >         netbios name = PDC
> >         realm = KTKBANKLTD.COM
> 
> Hmm, with a realm like 'KTKBANKLTD.COM' it is a fair assumption that
> you are a bank, but seemingly not one that cares about security
> >         server role = active directory domain controller
> >         workgroup = KTKBANKLTD
> >         idmap_ldb:use rfc2307 = yes
> >         ldap server require strong auth = No
> 
> Why not require strong auth ?
> >         dns forwarder = x.x.x.x
> >         allow dns updates = nonsecure
> 
> Again, why do you not require secure dns updates ?
> >          tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
> 
> Oh, come on, TLS 1.2 ?
> >         log level = 3 auth_audit:0 auth_json_audit:3 dsdb_json_audit:5
> >         log file = /var/log/samba/pdc.log
> >         max log size = 1000000000
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/ktkbankltd.com/scripts
> >         read only = No
> > Request someone to help us fix the issue.
> 
> Read this, I think you will find it relevant:
> https://www.samba.org/samba/security/CVE-2022-37966.html

This is actually NETLOGON, so this is the advisory, with the options to
set for the Vcenter.
https://www.samba.org/samba/security/CVE-2022-38023.html
> Rowland
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
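
Added example, not part of the original thread or of Samba's own code: a small Python triage script that scans `auth_json_audit` records like the one quoted above, lists the machine accounts rejected with NT_STATUS_DOWNGRADE_DETECTED on NETLOGON, and decodes `netlogonNegotiateFlags` to show whether each client offered AES. The sample records, host names and addresses are constructed; the flag bit values are the MS-NRPC constants as defined in Samba's netlogon.idl.

```python
import json

# MS-NRPC negotiate flag bits (values as defined in Samba's netlogon.idl).
NEG_STRONG_KEYS = 0x00004000   # client offers the HMAC-MD5 session key
NEG_SUPPORTS_AES = 0x01000000  # client offers the AES / HMAC-SHA256 session key

def _event(account, status, flags, ptype, service="NETLOGON"):
    """Build one constructed auth_json_audit record (only the fields used below)."""
    return json.dumps({"type": "Authentication", "Authentication": {
        "status": status, "serviceDescription": service,
        "remoteAddress": "ipv4:192.0.2.10:35096", "netlogonTrustAccount": account,
        "netlogonNegotiateFlags": flags, "passwordType": ptype}})

# Constructed sample input: hosts, addresses and outcomes are made up.
SAMPLE_LOG = [
    "smbd debug text {not json} (constructed)",
    "  " + _event("APPLIANCE01$", "NT_STATUS_DOWNGRADE_DETECTED", "0x6007FFFF", "HMAC-MD5"),
    "  " + _event("APPLIANCE01$", "NT_STATUS_DOWNGRADE_DETECTED", "0x6007FFFF", "HMAC-MD5"),
    "  " + _event("WKS01$", "NT_STATUS_OK", "0x612FFFFF", "HMAC-SHA256"),
    "  " + _event(None, "NT_STATUS_WRONG_PASSWORD", None, "NTLMv2", service="SMB2"),
]

def downgraded_clients(lines):
    """Map each trust account rejected with NT_STATUS_DOWNGRADE_DETECTED to a summary."""
    found = {}
    for raw in lines:
        start = raw.find("{")
        if start < 0:
            continue
        try:
            auth = json.loads(raw[start:]).get("Authentication")
        except ValueError:
            continue  # ordinary debug text or a truncated record
        if not isinstance(auth, dict) or auth.get("serviceDescription") != "NETLOGON":
            continue
        if auth.get("status") != "NT_STATUS_DOWNGRADE_DETECTED":
            continue
        flags = int(auth.get("netlogonNegotiateFlags") or "0", 16)
        entry = found.setdefault(auth.get("netlogonTrustAccount"),
                                 {"count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(auth.get("remoteAddress"))
        entry["password_type"] = auth.get("passwordType")
        entry["offers_aes"] = bool(flags & NEG_SUPPORTS_AES)
        entry["offers_strong_keys"] = bool(flags & NEG_STRONG_KEYS)
    return found

if __name__ == "__main__":
    for account, info in downgraded_clients(SAMPLE_LOG).items():
        print(account, info)
```

With the flag value from the quoted log (0x6007FFFF) the AES bit is clear and the strong-keys bit is set, which matches the logged `passwordType` of HMAC-MD5.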