[Samba] Error when joining new DC
Peter Mittermayer
samba.lists at outlook.com
Fri Dec 13 05:43:49 UTC 2024
Hi Douglas,
Is doing an online backup running the same checks as during a join? I noted the same behavior. I already went up to debug level 9 without seeing any additional information. But will try 10 too.
Is this only about sam.ldb, or any of the other DB files as well?
Thanks
________________________________
From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Sent: Thursday, December 12, 2024 11:05:45 PM
To: Peter Mittermayer <samba.lists at outlook.com>; samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Error when joining new DC
On 13/12/24 02:11, Peter Mittermayer via samba wrote:
> So, without doing a fresh install on the system the join succeeded with 4.14.9.
> What does it mean?
It means the change that broke it is in the security patches themselves, not in
some change that 4.13 needed to make it ready for the security patches.
So,
> This leads to the conclusion that there is something in my current domain databases which does not meet the new security constraints introduced with 4.14.10 (or 4.13.14, or 4.15.2).
>
> Questions how do I find the culprit, and how to fix it?
Yes.
There were changes in what names are acceptable, whether they can alias
each other in subtle ways, and what was acceptable in SPNs and UPNs.
https://www.samba.org/samba/security/CVE-2020-25722.html is possibly
relevant.
For example, maybe you have a user with sAMAccountName "Peter", and a
*different* user with userPrincipalName "peter at example.com". Old Samba
was OK with this, new Samba is not.
If you are able to turn up the debug level on the join with a `-d 10`
argument, you might get to see exactly where it fails.
Douglas
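
Added example (not part of the original thread, and not Samba's own check): one way to look for the kind of clash described in the reply above, where one object's userPrincipalName matches a different object's sAMAccountName. It assumes the user objects have been exported as LDIF text with those two attributes; the function names, the `realm` parameter, and the case-insensitive `name@realm` comparison are assumptions made for this illustration, and the sample data is constructed.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the poster's domain), mirroring the Peter example.
SAMPLE_LDIF = """\
dn: CN=Peter,CN=Users,DC=example,DC=com
sAMAccountName: Peter

dn: CN=Peter Other,CN=Users,DC=example,DC=com
sAMAccountName: pother
userPrincipalName: peter@example.com

dn: CN=Alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userPrincipalName:: YWxpY2VAZXhhbXBsZS5jb20=
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attr: [values]}) per record; handles folding and base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            value = rest.lstrip(":").strip()
            if rest.startswith(":"):            # "attr:: <base64>" form
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn:
            yield dn, attrs

def find_upn_sam_collisions(ldif_text, realm):
    """Return (sam_dn, upn_dn, upn) where a UPN equals another object's sAMAccountName@realm."""
    records = list(parse_ldif(ldif_text))
    # Assumed comparison: case-insensitive match against the implicit "name@realm" form.
    implicit = {f"{s}@{realm}".lower(): dn
                for dn, a in records for s in a.get("samaccountname", [])}
    return [(implicit[u.lower()], dn, u)
            for dn, a in records for u in a.get("userprincipalname", [])
            if implicit.get(u.lower(), dn) != dn]   # same-object matches are fine

if __name__ == "__main__":
    for sam_dn, upn_dn, upn in find_upn_sam_collisions(SAMPLE_LDIF, "example.com"):
        print(f"{upn} on '{upn_dn}' aliases the sAMAccountName of '{sam_dn}'")
```

An empty result only rules out this one pattern; the reply also mentions SPN constraints, which this sketch does not examine.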