Microsoft CVE-2021-42287 and PacRequestorEnforcement: Unable to join Linux instance to Active Directory domain.

Hi, after MS released KB5008380 to address CVE-2021-42287 I did some tests on our infrastructure (to tell the truth, using a VM running Oracle Linux 8.5) and I noticed that after enabling the "Enforcement phase" I'm no longer able to complete a join of a new VM to our Microsoft Active Directory domain (Windows 2019 DCs, fully updated to 2021-12).

Setting "PacRequestorEnforcement" to "2" (i.e. enabling early the enforcement of PAC evaluation, which will become mandatory from July 2022), we got these results:

 root@TEST-PAC:~ # kinit --request-pac -k -t /tmp/user.keytab user@AD.DOMAIN.COM | /usr/sbin/adcli join -D AD.DOMAIN.COM -S dc01vm.ad.domain.com -U user@AD.DOMAIN.COM --login-ccache=/tmp/ad.domain.com -v
Using domain name: ad.domain.com
Calculated computer account name from fqdn: TEST-PAC
Calculated domain realm from name: AD.DOMAIN.COM
Sending NetLogon ping to domain controller: dc01vm.ad.domain.com
Received NetLogon info from: DC01VM.AD.DOMAIN.COM
Wrote out krb5.conf snippet to /tmp/adcli-krb5-W5N5fG/krb5.d/adcli-krb5-conf-giTsVF
Using GSS-SPNEGO for SASL bind
Looked up short domain name: AD
Looked up domain SID: S-1-5-21-994023112-3112520415-3963116401
Using fully qualified name: TEST-PAC.ad.domain.com
Using domain name: ad.domain.com
Using computer account name: TEST-PAC
Using domain realm: ad.domain.com
Calculated computer account name from fqdn: TEST-PAC
Generated 120 character computer password
Using keytab: FILE:/etc/krb5.keytab
A computer account for TEST-PAC$ does not exist
Found well known computer container at: CN=Computers,DC=AD,DC=DOMAIN,DC=COM
Calculated computer account: CN=TEST-PAC,CN=Computers,DC=AD,DC=DOMAIN,DC=COM
Encryption type [16] not permitted.
Encryption type [3] not permitted.
Encryption type [1] not permitted.
Created computer account: CN=TEST-PAC,CN=Computers,DC=AD,DC=DOMAIN,DC=COM
Sending NetLogon ping to domain controller: dc01vm.ad.domain.com
* Received NetLogon info from: DC01VM.AD.DOMAIN.COM
! Cannot set computer password: Authentication error
adcli: joining domain ad.domain.com failed: Cannot set computer password: Authentication error

So the new computer account was created in our domain but the join procedure is unable to update the computer password, leaving an orphaned computer object.
I think this is a quite important breaking change, but I can't find much talk about it, so: am I missing something about this change, or is it a known issue?
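The failure mode described in the post (object created, password step refused, object left behind) is easy to miss when the join is scripted, because adcli's exit status alone does not say how far it got. The helper below is an added example, not adcli's own code or anything from the original post: it classifies a verbose "adcli join" run from its log output and exit status, reports the DN of any orphaned computer object so it can be removed with the real "adcli delete-computer" subcommand before retrying, and lists the enctypes that the log shows as "not permitted" (the three on the page, 16, 3 and 1, are the legacy 3DES/DES types, so their rejection is expected and unrelated to the password failure). The function names are hypothetical; the sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not adcli's own code): classify the outcome of a verbose
# "adcli join" run so a partial join, where the computer object was created
# but the password step failed, does not silently leave an orphaned account.
#
# Assumptions: adcli prints "Created computer account: <DN>" once the object
# is written and "joining domain <name> failed: <reason>" on failure, as in
# the quoted log. All function names here are hypothetical.

# usage: adcli_join_outcome <adcli_exit_status>   (log text on stdin)
# prints one of:
#   joined
#   orphaned <DN of the computer object> <failure reason>
#   not-created <failure reason>
adcli_join_outcome() {
    status=$1
    log=$(cat)
    if [ "$status" -eq 0 ]; then
        echo joined
        return 0
    fi
    reason=$(printf '%s\n' "$log" | sed -n 's/.*joining domain [^ ]* failed: //p' | head -n 1)
    dn=$(printf '%s\n' "$log" | sed -n 's/.*Created computer account: //p' | head -n 1)
    if [ -n "$dn" ]; then
        printf 'orphaned %s %s\n' "$dn" "${reason:-unknown error}"
    else
        printf 'not-created %s\n' "${reason:-unknown error}"
    fi
    return 0
}

# usage: adcli_rejected_enctypes   (log text on stdin)
# prints "<number> <name>" for every "Encryption type [N] not permitted" line
# (numbers are the standard Kerberos enctype assignments)
adcli_rejected_enctypes() {
    sed -n 's/.*Encryption type \[\([0-9]*\)\] not permitted.*/\1/p' | while IFS= read -r n; do
        case $n in
            1)  name=des-cbc-crc ;;
            3)  name=des-cbc-md5 ;;
            16) name=des3-cbc-sha1 ;;
            17) name=aes128-cts-hmac-sha1-96 ;;
            18) name=aes256-cts-hmac-sha1-96 ;;
            23) name=arcfour-hmac ;;
            *)  name=unknown ;;
        esac
        printf '%s %s\n' "$n" "$name"
    done
}

# usage: join_and_check <domain> <domain-controller> <login-user> [extra adcli options]
# Runs the join, prints the log, and on a partial join prints the cleanup
# command for the orphaned object (suggested, not executed).
join_and_check() {
    domain=$1; dc=$2; user=$3; shift 3
    logfile=$(mktemp)
    /usr/sbin/adcli join -D "$domain" -S "$dc" -U "$user" -v "$@" >"$logfile" 2>&1
    status=$?
    cat "$logfile"
    outcome=$(adcli_join_outcome "$status" <"$logfile")
    echo "Rejected encryption types:"
    adcli_rejected_enctypes <"$logfile"
    rm -f "$logfile"
    case $outcome in
        orphaned*)
            dn=${outcome#orphaned }; dn=${dn%% *}
            cn=${dn#CN=}; cn=${cn%%,*}
            printf 'Join failed after the object was created; orphaned object: %s\n' "$dn"
            printf 'Remove it before retrying with: adcli delete-computer -D %s -U %s %s\n' "$domain" "$user" "$cn"
            return 1 ;;
        not-created*)
            echo "Join failed before any object was written: ${outcome#not-created }"
            return 1 ;;
        *)
            echo "Join completed"
            return 0 ;;
    esac
}

# Constructed sample log, taken from the lines quoted in the post, for offline use.
SAMPLE_LOG='Using domain name: ad.domain.com
Calculated computer account: CN=TEST-PAC,CN=Computers,DC=AD,DC=DOMAIN,DC=COM
Encryption type [16] not permitted.
Encryption type [3] not permitted.
Encryption type [1] not permitted.
Created computer account: CN=TEST-PAC,CN=Computers,DC=AD,DC=DOMAIN,DC=COM
 ! Cannot set computer password: Authentication error
adcli: joining domain ad.domain.com failed: Cannot set computer password: Authentication error'

# Real invocation only when explicitly requested, so sourcing this file is side-effect free.
if [ "${ADCLI_DEMO_RUN:-0}" = 1 ]; then
    join_and_check AD.DOMAIN.COM dc01vm.ad.domain.com user@AD.DOMAIN.COM --login-ccache=/tmp/ad.domain.com
fi
```

Run with ADCLI_DEMO_RUN=1 to perform the join against the values from the post; without it, the file only defines the functions, so it can be sourced and the classifier fed with `printf '%s\n' "$SAMPLE_LOG" | adcli_join_outcome 1`. Keeping the cleanup as a printed suggestion rather than an automatic delete is deliberate: an operator should confirm the DN before touching objects in the Computers container.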
