[Samba] Fwd: Domain member fails to map SID>*ID after DC migrated from Server 2022 to 2025
Dustin Howett
dustin at howett.net
Mon Apr 28 03:46:05 UTC 2025
On Sun, Apr 27, 2025 at 6:43 PM Dustin Howett <dustin at howett.net> wrote:
>
> It appears there is a new access control check for DsrGetDcName in
> netlogon (which is visible with debug logging enabled) which fails for
> Samba clients.
>
Aaaaand it works fine with the experimental feature "client use krb5 netlogon".
Considering that server 2025 introduced the new Kerberos-authenticated
netlogon channel, I suspect that the older one was missed (or
intentionally omitted) in the security fix introduced in the 2025.02B
update.
Thanks for playing along. :)
More information about the samba
mailing list