Authentication broken: CentOS 7.9, Samba 4.10.16-19. RC4 concern?
Posted: 2022/09/20 15:52:46
Context: CentOS 7.9, updated from 7.6. Samba version upgraded from 4.8.3-4.el7 to 4.10.16-19.el7_9. Security is "ADS", passdb backend "tdbsam." Samba config includes: protocol = SMB3.
Upstream security team disabled encryption type RC4 on their cluster of Active Directory servers. It is no longer possible to access shares against this. Users are endlessly challenged with an authentication window and failed logins with known, working passwords. The shares used to be present at login, without need for a password due to stored credentials. The Windows 10 desktop environment includes a GPO forcing at least SMB2. Samba logs show at least an SMB3 attempt ("Selected protocol SMB3_11"). But they are filled with "[NTLMv2] status [NT_STATUS_NO_SUCH_USER]" after the process has failed to accept a known working password. The Samba node is actually joined to the domain; wbinfo provides correct output about domain groups, usernames, and domain controllers. The command "lsof -i -n | grep winbind" does show a connection with a controller.
Access was broken before OS and Samba update. It was hoped that action would improve things; we found out about the RC4 action when escalating later.
Do my Samba/winbind configurations need anything else to account for the disabling of RC4? Are there any end-user actions which must follow? (i.e. changing passwords since the implementation of that drop from Active Directory.) Any leads would be greatly appreciated.