samba - Aug 2016 - Can Logon & Join NT4-style Domain, Can't Change Password

Hi All,

Our users started having issues late last week when trying to change their
passwords. They receive the following message:

"The system detected a possible attempt to compromise security. Please
ensure that you can contact the server that authenticated you."

Client computers are running Windows 7 Ultimate & Enterprise x64. We are
still running (I know, I know) and NT4-style PDC domain (DC is running
Samba 3.6.24-45).

Users are able to use network drives normally. We can add computers to our
domain successfully.
>From some searching, this appears to sometimes happen when a domain running
AD also has an NT4-style server available and the system is trying to use
the NT4-style server instead of AD? I'm just not sure how this could be
possible, since we don't have any servers that are configured this way
(only two people have access, and definitely didn't modify things).

I am also seeing some results saying it might be a DNS issue. I have done
some testing and as far as I can tell, my DNS & WINS is operating as
expected.

Has anyone seen this before? Or have any ideas on what I can do to
troubleshoot?

Thanks!

--Bill

Uninstalling MS16-101 fixed our issue.

https://technet.microsoft.com/library/security/MS16-101

I ran "wusa /uninstall /kb:3167679", rebooting, and now we are back to
normal.

On Wed, Aug 17, 2016 at 1:43 PM, Bill Baird <bill.baird at phoenixmi.com>
wrote:
> Hi All,
>
> Our users started having issues late last week when trying to change their
> passwords. They receive the following message:
>
> "The system detected a possible attempt to compromise security. Please
> ensure that you can contact the server that authenticated you."
>
> Client computers are running Windows 7 Ultimate & Enterprise x64. We
are
> still running (I know, I know) and NT4-style PDC domain (DC is running
> Samba 3.6.24-45).
>
> Users are able to use network drives normally. We can add computers to our
> domain successfully.
>
> From some searching, this appears to sometimes happen when a domain
> running AD also has an NT4-style server available and the system is trying
> to use the NT4-style server instead of AD? I'm just not sure how this
could
> be possible, since we don't have any servers that are configured this
way
> (only two people have access, and definitely didn't modify things).
>
> I am also seeing some results saying it might be a DNS issue. I have done
> some testing and as far as I can tell, my DNS & WINS is operating as
> expected.
>
> Has anyone seen this before? Or have any ideas on what I can do to
> troubleshoot?
>
> Thanks!
>
> --Bill
>


-- 
*Bill Baird*
Chief Technology Officer
Office: 845-876-8228 x311
Mobile: 203-545-0437
www.phoenixmi.com

Il giorno 17/ago/2016, alle ore 21:30, Bill Baird via samba <samba at
lists.samba.org> ha scritto:
> Uninstalling MS16-101 fixed our issue.
> 
> https://technet.microsoft.com/library/security/MS16-101
> 
> I ran "wusa /uninstall /kb:3167679", rebooting, and now we are
back to
> normal.
Hi,

After removing and masking on 19 sep 2016 the KB3167679 the same problem
happens.
The fix KB3167679 seems now superseeded by KB3175024.

Taken from:
https://www.microsoft.com/en-us/download/details.aspx?id=36982
The relevant line on Windows Seven:
13/09/2016	MS16-111	3186973	Important	Elevation of Privilege	Security Update for
Windows Kernel	Windows 7 for x64-based Systems Service Pack 1	3175024		Elevation
of Privilege	Important	MS16-101[3167679]	Yes
CVE-2016-3305,CVE-2016-3306,CVE-2016-3371,CVE-2016-3372,CVE-2016-3373

This seems the only package superseeding the KB3167679, and seems that no
packages superseed KB3175024 so far.

But also removing KB3175024 hotfix the same problem is still present, at least
from the test done so far.

Anyone else with the same issue?

Regards,
Daniele
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
<http://lists.samba.org/pipermail/samba/attachments/20160919/815da002/signature.sig>