Microsoft CVE-2021-42287 and PacRequestorEnforcement: Unable to join Linux instance to Active Directory domain.
Hi, after MS released KB5008380 to address CVE-2021-42287, I did some tests on our infrastructure (to tell the truth, using a VM running Oracle Linux 8.5) and I noticed that, after enabling the "Enforcement phase", I'm no longer able to complete a join of a new VM to our Microsoft Active Directory domain (Windows 2019 DCs, fully updated to 2021-12).
Setting "PacRequestorEnforcement" to "2" (i.e. enabling early the enforcement of PAC evaluation, which will become mandatory from July 2022), we got these results:
root@TEST-PAC:~ # kinit --request-pac -k -t /tmp/user.keytab user@AD.DOMAIN.COM | /usr/sbin/adcli join -D AD.DOMAIN.COM -S dc01vm.ad.domain.com -U user@AD.DOMAIN.COM --login-ccache=/tmp/ad.domain.com -v
Using domain name: ad.domain.com
Calculated computer account name from fqdn: TEST-PAC
Calculated domain realm from name: AD.DOMAIN.COM
Sending NetLogon ping to domain controller: dc01vm.ad.domain.com
Received NetLogon info from: DC01VM.AD.DOMAIN.COM
Wrote out krb5.conf snippet to /tmp/adcli-krb5-W5N5fG/krb5.d/adcli-krb5-conf-giTsVF
Using GSS-SPNEGO for SASL bind
Looked up short domain name: AD
Looked up domain SID: S-1-5-21-994023112-3112520415-3963116401
Using fully qualified name: TEST-PAC.ad.domain.com
Using domain name: ad.domain.com
Using computer account name: TEST-PAC
Using domain realm: ad.domain.com
Calculated computer account name from fqdn: TEST-PAC
Generated 120 character computer password
Using keytab: FILE:/etc/krb5.keytab
A computer account for TEST-PAC$ does not exist
Found well known computer container at: CN=Computers,DC=AD,DC=DOMAIN,DC=COM
Calculated computer account: CN=TEST-PAC,CN=Computers,DC=AD,DC=DOMAIN,DC=COM
Encryption type [16] not permitted.
Encryption type [3] not permitted.
Encryption type [1] not permitted.
Created computer account: CN=TEST-PAC,CN=Computers,DC=AD,DC=DOMAIN,DC=COM
Sending NetLogon ping to domain controller: dc01vm.ad.domain.com
 * Received NetLogon info from: DC01VM.AD.DOMAIN.COM
 ! Cannot set computer password: Authentication error
adcli: joining domain ad.domain.com failed: Cannot set computer password: Authentication error
So the new computer account was created in our domain, but the join procedure is unable to update the computer password, leaving an orphaned computer object.
I think this is quite an important breaking change, but I can't find much discussion of it, so: am I missing something about this change, or is it a known issue?
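As an added example that is not part of the original post: a shell wrapper around the same kinit + adcli join sequence which, when the join fails after the "Created computer account:" step (exactly the situation in the log above), parses adcli's -v output and removes the orphaned computer object with adcli delete-computer, so the next attempt starts from a clean state. It runs kinit to completion into a dedicated credential cache and then hands that cache to adcli via --login-ccache, instead of piping the two commands. The realm, DC, principal, keytab and cache path are placeholders copied from the post; the log parsing and the delete-computer cleanup are my own assumptions about how to recover from this failure, not a fix for the enforcement problem itself.

```shell
#!/bin/bash
# Added example (not from the original post). Wraps the kinit + adcli join
# sequence so that a join which fails after "Created computer account:" does not
# leave an orphaned computer object behind.
# Assumptions: MIT kinit and adcli are installed; the values below are
# placeholders taken from the post and must be replaced for a real domain.
set -u

REALM=${REALM:-AD.DOMAIN.COM}
DC=${DC:-dc01vm.ad.domain.com}
JOIN_PRINC=${JOIN_PRINC:-user@AD.DOMAIN.COM}
JOIN_KEYTAB=${JOIN_KEYTAB:-/tmp/user.keytab}
CCACHE=${CCACHE:-/tmp/ad.domain.com}     # same cache path the post passes to --login-ccache
ADCLI=${ADCLI:-/usr/sbin/adcli}
KINIT=${KINIT:-kinit}

# Read adcli -v output on stdin. If adcli reported "Created computer account: <DN>"
# and then "adcli: joining domain ... failed: ...", print "<name> <DN>" and
# return 0; otherwise print nothing and return 1 (nothing to clean up).
# The " * " / " ! " prefixes adcli puts on verbose lines are tolerated.
orphan_dn_from_log() {
    awk '
        /Using computer account name: / { sub(/^.*Using computer account name: /, ""); name = $0 }
        /Created computer account: /    { sub(/^.*Created computer account: /, "");    dn = $0 }
        /^adcli: joining domain .* failed: / { failed = 1 }
        END {
            if (failed && dn != "" && name != "") { print name " " dn; exit 0 }
            exit 1
        }'
}

# Obtain a TGT for the join account into CCACHE, run the join, and on failure
# delete the orphaned computer object (if one was created). Returns 0 on a
# successful join, 1 otherwise.
join_with_cleanup() {
    local log orphan name dn
    log=$(mktemp) || return 1

    # kinit runs to completion before adcli starts; the shared cache path is
    # what links the two steps (the post's "kinit | adcli" pipe is not needed).
    if ! "$KINIT" --request-pac -k -t "$JOIN_KEYTAB" -c "$CCACHE" "$JOIN_PRINC"; then
        rm -f "$log"; return 1
    fi

    if "$ADCLI" join -D "$REALM" -S "$DC" --login-ccache="$CCACHE" -v >"$log" 2>&1; then
        echo "joined $REALM successfully" >&2
        rm -f "$log"; return 0
    fi

    cat "$log" >&2
    if orphan=$(orphan_dn_from_log <"$log"); then
        name=${orphan%% *}
        dn=${orphan#* }
        echo "join failed after creating $dn; deleting orphaned computer object $name" >&2
        "$ADCLI" delete-computer -D "$REALM" -S "$DC" --login-ccache="$CCACHE" "$name" \
            || echo "warning: could not delete $dn, remove it manually" >&2
    fi
    rm -f "$log"
    return 1
}

# Usage (as root, after adjusting the variables above):
#   join_with_cleanup
```

The parser keys on two lines that adcli prints in the post's own output, "Using computer account name:" and "Created computer account:", so it only attempts a delete when the account was demonstrably created during this run; an earlier failure (for example at kinit or at the SASL bind) leaves nothing to clean up and the wrapper just returns 1.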
Responses