[Samba] Error when joining new DC

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Thu Dec 12 22:05:45 UTC 2024


On 13/12/24 02:11, Peter Mittermayer via samba wrote:
> So, without doing a fresh install on the system the join succeeded with 4.14.9.
> What does it mean?

It means the change that broke it is in the security patches themselves, not in 
some change that 4.13 needed to make it ready for the security patches.

So,

> This leads to the conclusion that there is something in my current domain databases which does not meet the new security constraints introduced with 4.14.10 (or 4.13.14, or 4.15.2).
> 
> Questions how do I find the culprit, and how to fix it?

Yes.

There were changes in what names are acceptable, whether they can alias 
each other in subtle ways, and what was acceptable in SPNs and UPNs.

https://www.samba.org/samba/security/CVE-2020-25722.html is possibly 
relevant.

For example, maybe you have a user with sAMAccountName "Peter", and a 
*different* user with userPrincipalName "peter@example.com". Old Samba 
was OK with this, new Samba is not.

If you are able to turn up the debug level on the join with a `-d 10` 
argument, you might get to see exactly where it fails.

Douglas
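
The collision described in the message above (a sAMAccountName on one object matching the part before "@" of a different object's userPrincipalName) can be searched for offline in an LDIF export of the user objects. This is an added example, not part of the original post and not Samba's own code; `parse_ldif`, `find_upn_collisions` and the sample records are hypothetical, and the case-insensitive comparison is an assumption covering only this one case, not every check in the security patches.

```python
import base64
SAMPLE_LDIF = """\
# record 1
dn: CN=Peter Smith,CN=Users,DC=example,DC=com
sAMAccountName: Peter
userPrincipalName: psmith@example.com

dn: CN=Peter Jones,CN=Users,
 DC=example,DC=com
sAMAccountName: pjones
userPrincipalName:: cGV0ZXJAZXhhbXBsZS5jb20=

dn: CN=Anna,CN=Users,DC=example,DC=com
sAMAccountName: anna
userPrincipalName: anna@example.com
"""  # constructed sample data, not from a real domain

def parse_ldif(text):  # -> list of {lowercased attr: [values]}, one per record
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded line continues the previous one
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):      # drop comment lines
            lines.append(raw)
    records, rec = [], {}
    for line in lines + [""]:              # trailing "" flushes the last record
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):      # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            rec.setdefault(attr.lower(), []).append(value.strip())
        elif rec:
            records.append(rec)
            rec = {}
    return records

def find_upn_collisions(records):
    # Hypothetical helper: sAMAccountName equal (ignoring case) to another object's UPN local part.
    by_sam = {}
    for r in records:
        for sam in r.get("samaccountname", []):
            by_sam.setdefault(sam.casefold(), []).append((sam, r["dn"][0]))
    return [(sam, dn, upn, r["dn"][0])
            for r in records for upn in r.get("userprincipalname", [])
            for sam, dn in by_sam.get((upn.rpartition("@")[0] or upn).casefold(), [])
            if dn != r["dn"][0]]

if __name__ == "__main__":
    for hit in find_upn_collisions(parse_ldif(SAMPLE_LDIF)):
        print("sAMAccountName %r (%s) collides with UPN %r (%s)" % hit)
```

An object whose own sAMAccountName matches its own UPN prefix (the "anna" record) is not reported; only matches across different DNs are.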



