[Samba] Error when joining new DC
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Thu Dec 12 22:05:45 UTC 2024
On 13/12/24 02:11, Peter Mittermayer via samba wrote:
> So, without doing a fresh install on the system the join succeeded with 4.14.9.
> What does it mean?
It means the change that broke it is in the security patches themselves, not in
some change that 4.13 needed to make it ready for the security patches.
So,
> This leads to the conclusion that there is something in my current domain databases which does not meet the new security constraints introduced with 4.14.10 (or 4.13.14, or 4.15.2).
>
> Questions: how do I find the culprit, and how to fix it?
Yes.
There were changes in what names are acceptable, whether they can alias
each other in subtle ways, and what was acceptable in SPNs and UPNs.
https://www.samba.org/samba/security/CVE-2020-25722.html is possibly
relevant.
For example, maybe you have a user with sAMAccountName "Peter", and a
*different* user with userPrincipalName "peter@example.com". Old Samba
was OK with this, new Samba is not.
If you are able to turn up the debug level on the join with a `-d 10`
argument, you might get to see exactly where it fails.
Douglas
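
One way to look for the overlap given as an example in the message above, added here as an illustration (it is not part of the original post and not Samba's own check). It assumes an LDIF export of the user objects and the realm "example.com"; the sample data is constructed, and only this one case is tested, not every constraint the security patches introduced.

```python
import re
from collections import defaultdict

# Constructed sample in the LDIF shape printed by ldbsearch/ldapsearch.
SAMPLE_LDIF = """\
# record 1
dn: CN=Peter,CN=Users,DC=example,DC=com
sAMAccountName: Peter
userPrincipalName: peter.m@example.com

# record 2
dn: CN=Other,CN=Users,DC=example,DC=com
sAMAccountName: other
userPrincipalName: peter@example.com

# record 3
dn: CN=Alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userPrincipalName: alice@example.com
"""

def parse_entries(ldif):
    """Yield (dn, sAMAccountName, userPrincipalName) for each LDIF record.
    Base64 ("::") values and folded lines are not decoded in this sketch."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                attrs[key.lower()] = value.strip()
        if "dn" in attrs:
            yield (attrs["dn"], attrs.get("samaccountname"),
                   attrs.get("userprincipalname"))

def find_alias_collisions(ldif, realm):
    """Return (dn_a, dn_b, name) where dn_a's sAMAccountName@realm equals,
    ignoring case, the userPrincipalName of a different object dn_b."""
    entries = list(parse_entries(ldif))
    by_upn = defaultdict(list)
    for dn, _, upn in entries:
        if upn:
            by_upn[upn.casefold()].append(dn)
    hits = []
    for dn, sam, _ in entries:
        if sam:
            implicit = f"{sam}@{realm}".casefold()
            hits += [(dn, other, implicit)
                     for other in by_upn.get(implicit, []) if other != dn]
    return hits
```
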