[Samba] Error when joining new DC
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Thu Dec 12 04:20:59 UTC 2024
On 12/12/24 06:25, Peter Mittermayer via samba wrote:
> In the meantime I also did a lot of testing to find out where exactly the issue starts. This is what I found:
> 4.13.13 still works. I can join a DC running this version without problem.
> 4.13.14 shows exactly the same error as I also see on 4.21.
Good work tracking that down.
Do 4.14.9 or 4.15.1 work?
If it is something in the security patches themselves, these will work,
but 4.14.10 and 4.15.2 won't.
Otherwise, the issue is with a patch backported to 4.13 to allow the
security patch to apply.
> So what exactly was changed between these two versions? According to release notes there have just been a few security fixes. I don't see how any of these can be responsible for the changed behavior:
There might be more subtlety in these than the headlines imply. Those
few security fixes were actually quite complicated, reflecting many
months of work. They tightened restrictions on a number of things.
For example, this one might cause problems if your domain has objects
that don't match the new requirements:
> o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
> checking of data stored.
> https://www.samba.org/samba/security/CVE-2020-25722.html
and this one's PLEASE READ might be worth a go
> o CVE-2020-25717: A user on the domain can become root on domain members.
> https://www.samba.org/samba/security/CVE-2020-25717.html
> (PLEASE READ! There are important behaviour changes described)
... BUT first if you try 4.14.9, you might be able to avoid that,
because it might indeed be something unrelated that was pulled in to
help the backport.
I haven't been following this thread properly, so apologies if I missed
something.
Douglas