We are running both AD controllers and file servers using Samba 4.17.8 on Debian 11. With the installation of the new MS patch KB5028166 on Windows 10 clients (and the corresponding Windows 11 patch) I'm seeing odd behavior in our Windows login script, which mounts various file shares conditionally based on a user's group membership(s). With the patch installed, none of the "conditional" shares get mapped and I traced it to a problem with ifmember.exe, an MS utility that tests for group membership. None of the groups being maintained in Active Directory by the Samba servers are visible when the patch is installed. So, before patch installation I use "ifmember /v /l" to list all the groups this user is in (I've sanitized our domain name): User is a member of group MYDOMAIN\ResearchStaff. User is a member of group \Everyone. User is a member of group BUILTIN\Administrators. User is a member of group BUILTIN\Users. User is a member of group NT AUTHORITY\INTERACTIVE. User is a member of group \CONSOLE LOGON. User is a member of group NT AUTHORITY\Authenticated Users. User is a member of group NT AUTHORITY\This Organization. User is a member of group NT AUTHORITY\LogonSessionId_0_721064. User is a member of group \LOCAL. User is a member of group MYDOMAIN\AllStaff. User is a member of group MYDOMAIN\Domain Users. User is a member of group MYDOMAIN\AdminStaff. User is a member of group MYDOMAIN\SecurityStaff. User is a member of group MYDOMAIN\TimecardStaff. User is a member of group MYDOMAIN\TechStaff. User is a member of group MYDOMAIN\QMSStaff. User is a member of group MYDOMAIN\ProcessStaff. User is a member of group \Authentication authority asserted identity. User is a member of group Mandatory Label\Medium Mandatory Level. Once the patch is installed, all the "MYDOMAIN" groups are gone: User is a member of group \Everyone. User is a member of group BUILTIN\Administrators. User is a member of group BUILTIN\Users. User is a member of group NT AUTHORITY\INTERACTIVE. User is a member of group \CONSOLE LOGON. User is a member of group NT AUTHORITY\Authenticated Users. User is a member of group NT AUTHORITY\This Organization. User is a member of group NT AUTHORITY\LogonSessionId_0_1047015. User is a member of group \LOCAL. User is a member of group \Authentication authority asserted identity. User is a member of group Mandatory Label\Medium Mandatory Level. Uninstalling the KB5028166 fixes the problem. I tested against a MS Server 2012R2 domain controller and the problem did not occur, so it appears to somehow be Samba related. I'm hoping that whatever fixes the NT4 domain-related issues fixes this one as well, but since we are not using NT4 domains I'm not optimistic? Is anyone else seeing this problem or is able to reproduce it? Be glad to test and/or submit any other info as needed. -- Barry A. Trent 952-829-5864 x109 barry.trent at atcorp.com