Bug #13169


CVE-2020-1472 (ZeroLogon) and SMB authentication

Added by Lee Damon over 2 years ago. Updated over 2 years ago.

Start date:
Due date:
% Done:


Estimated time:
Gerrit CR:
External Bug:


I originally filed this against OmniOSCE but was advised it would be better posted here.

MSFT is pushing a new set of requirements for authenticating.

It looks like the native auth in OmniOS (based on illumos) runs afoul of this. We have auth configured via svc:/network/shares/group:smb (joined with "smbadm join") and we're seeing our primary OmniOS SMB/CIFS file server showing up in the DC's logs with:

"The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Warning: This connection will be denied once the enforcement phase is released. To better understand the enforcement phase, please visit"

(This is with the temporary "let them in anyway" configuration in place.)

Are there plans to update the service to be compliant with the tighter requirements?



Actions #1

Updated by Gordon Ross over 2 years ago

  • Description updated (diff)
Actions #2

Updated by Christophe ROCCHIETTA over 2 years ago

Is an SMB / CIFS client update already scheduled? If so, what date of availability is envisaged?

Actions #3

Updated by Gordon Ross over 2 years ago

  • Status changed from New to In Progress
  • Assignee set to Matt Barden

Note that while the native SMB service is not vulnerable to CVE-2020-1472, the new restrictions implemented by MS on their AD servers in response to that CVE will disable the particular variant of the NetLogon RPC service that the server currently uses.

We will need to implement integrity features in the NetLogon RPC client-side code in order to maintain compatibility with MS AD servers with the new restrictions. In the interim, customers should add their SMB servers to the list of servers exempt from the new restrictions. To do so, see this MS KB article: , particularly the group policy setting:
"Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.

Note that the native SMB server already has integrity features at the SMB level (which is the "transport" below RPC for NetLogon)
but that's not sufficient for MS AD servers with the new restrictions.

Actions #4

Updated by Gordon Ross over 2 years ago

  • Subject changed from CVE-2020-1472 & SMB auth to CVE-2020-1472 (ZeroLogon) and SMB authentication
Actions #5

Updated by Christophe ROCCHIETTA over 2 years ago

Is a date scheduled for this compatibility with MS AD?
In my company, I don't manage domain controllers. My servers have been added to the list of exceptions, but this is only temporary. This list will be cleared by February 2021.

Actions #6

Updated by Electric Monk over 2 years ago

  • Gerrit CR set to 1162
Actions #7

Updated by Matt Barden over 2 years ago

Testing Notes:
Install, configure, and run the included libmlrpc-tests.
Connect to a domain-joined server, with both NTLM (ip-based) and Kerberos (FQDN-based) authentication, using a user who has both a few (e.g. 5) and many (e.g. 800) groups.
Run "smbutil view //'DOMAIN;user'@server", and verify the output, whether the server has a small or large (enough to cause the response to be fragmented) number of shares.

Actions #8

Updated by Electric Monk over 2 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit ce8560eeb961d528e27685fcdd2ffb03e9478dbf

commit  ce8560eeb961d528e27685fcdd2ffb03e9478dbf
Author: Matt Barden <>
Date:   2021-01-30T19:02:54.000Z

    13169 CVE-2020-1472 (ZeroLogon) and SMB authentication
    Reviewed by: Joyce McIntosh <>
    Reviewed by: Evan Layton <>
    Reviewed by: Gordon Ross <>
    Reviewed by: Prashanth Badari <>
    Reviewed by: Andy Fiddaman <>
    Reviewed by: C Fraire <>
    Approved by: Robert Mustacchi <>


Also available in: Atom PDF