samba - Aug 2016 - Can Logon & Join NT4-style Domain, Can't Change Password

Hello Bill,

We have the same problems with our users. After some recent updates they
are unable to change there passwords. We have many networks at different
locations and more and more reports are starting to come in now.

We are using:
centos 6.8
kernel: 2.6.32.-642.1.1.el6.x86_64
smbd -V: 3.6.23-25.el6_7

I noticed Windows 10 enterprise machines are not affected yet.

I am sorry if my post was not correctly formatted, this is the first time
and i did not have time to read all the rules. Just wanted to let you now
we are facing the same issues. I still have to test the update rollback.

I will let you all now if this also worked for us.

Greetings,

Wietse Driever

Hallo All,

After updating Windows 10 to the latest versions i can confirm Windows 10
is also unable to change passwords.

I found this information:
https://support.microsoft.com/en-us/kb/3167679
----
Known issues in this security update

This security update disables the ability of the Negotiate process to fall
back to NTLM when Kerberos authentication fails for password change
operations.

Currently, the ability to change the passwords of disabled or locked-out
accounts is supported only by NTLM. It is not supported by the Kerberos
protocol.
This security update prevents the Negotiate process from falling back to
NTLM for password change operations when Kerberos authentication fails.
therefore, you will no longer be able to change the password for disabled
or locked-out accounts after you install this security update.
It is not secure to change disabled or locked-out user account passwords by
using NTLM. This is why the ability of Negotiate to fall back to NTLM is
disabled by this security update.

Note Even though you can no longer change the password for disabled or
locked accounts, you can set the password by using Active Directory-based
tools.
----

I hope someone can help me fix this without having to block updates.
Because in Windows 10 it is part of a large cumulative update.

Greetings,

Wietse


2016-08-19 10:27 GMT+02:00 Wietse Driever <wdriever at gmail.com>:
> Hello Bill,
>
> We have the same problems with our users. After some recent updates they
> are unable to change there passwords. We have many networks at different
> locations and more and more reports are starting to come in now.
>
> We are using:
> centos 6.8
> kernel: 2.6.32.-642.1.1.el6.x86_64
> smbd -V: 3.6.23-25.el6_7
>
> I noticed Windows 10 enterprise machines are not affected yet.
>
> I am sorry if my post was not correctly formatted, this is the first time
> and i did not have time to read all the rules. Just wanted to let you now
> we are facing the same issues. I still have to test the update rollback.
>
> I will let you all now if this also worked for us.
>
> Greetings,
>
> Wietse Driever
>
>

With samba 4 in AD mode.. I can change, without any problem my password. 
(Win7 64bit and win 10 64 Bit), with all ms patches on the systems. 

So maybe.. its time to upgrade you samba NT4 style to AD. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Wietse Driever
> via samba
> Verzonden: vrijdag 19 augustus 2016 11:21
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Can Logon & Join NT4-style Domain, Can't
Change
> Password
> 
> Hallo All,
> 
> After updating Windows 10 to the latest versions i can confirm Windows 10
> is also unable to change passwords.
> 
> I found this information:
> https://support.microsoft.com/en-us/kb/3167679
> ----
> Known issues in this security update
> 
> This security update disables the ability of the Negotiate process to fall
> back to NTLM when Kerberos authentication fails for password change
> operations.
> 
> Currently, the ability to change the passwords of disabled or locked-out
> accounts is supported only by NTLM. It is not supported by the Kerberos
> protocol.
> This security update prevents the Negotiate process from falling back to
> NTLM for password change operations when Kerberos authentication fails.
> therefore, you will no longer be able to change the password for disabled
> or locked-out accounts after you install this security update.
> It is not secure to change disabled or locked-out user account passwords
> by
> using NTLM. This is why the ability of Negotiate to fall back to NTLM is
> disabled by this security update.
> 
> Note Even though you can no longer change the password for disabled or
> locked accounts, you can set the password by using Active Directory-based
> tools.
> ----
> 
> I hope someone can help me fix this without having to block updates.
> Because in Windows 10 it is part of a large cumulative update.
> 
> Greetings,
> 
> Wietse
> 
> 
> 2016-08-19 10:27 GMT+02:00 Wietse Driever <wdriever at gmail.com>:
> 
> > Hello Bill,
> >
> > We have the same problems with our users. After some recent updates
they
> > are unable to change there passwords. We have many networks at
different
> > locations and more and more reports are starting to come in now.
> >
> > We are using:
> > centos 6.8
> > kernel: 2.6.32.-642.1.1.el6.x86_64
> > smbd -V: 3.6.23-25.el6_7
> >
> > I noticed Windows 10 enterprise machines are not affected yet.
> >
> > I am sorry if my post was not correctly formatted, this is the first
> time
> > and i did not have time to read all the rules. Just wanted to let you
> now
> > we are facing the same issues. I still have to test the update
rollback.
> >
> > I will let you all now if this also worked for us.
> >
> > Greetings,
> >
> > Wietse Driever
> >
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Hi!

There's not much Samba can do here except recommend moving to a recent
Samba version and switch to AD. Windows 10 more and more expects AD.

Volker

On Fri, Aug 19, 2016 at 11:20:51AM +0200, Wietse Driever via samba
wrote:
> Hallo All,
> 
> After updating Windows 10 to the latest versions i can confirm Windows 10
> is also unable to change passwords.
> 
> I found this information:
> https://support.microsoft.com/en-us/kb/3167679
> ----
> Known issues in this security update
> 
> This security update disables the ability of the Negotiate process to fall
> back to NTLM when Kerberos authentication fails for password change
> operations.
> 
> Currently, the ability to change the passwords of disabled or locked-out
> accounts is supported only by NTLM. It is not supported by the Kerberos
> protocol.
> This security update prevents the Negotiate process from falling back to
> NTLM for password change operations when Kerberos authentication fails.
> therefore, you will no longer be able to change the password for disabled
> or locked-out accounts after you install this security update.
> It is not secure to change disabled or locked-out user account passwords by
> using NTLM. This is why the ability of Negotiate to fall back to NTLM is
> disabled by this security update.
> 
> Note Even though you can no longer change the password for disabled or
> locked accounts, you can set the password by using Active Directory-based
> tools.
> ----
> 
> I hope someone can help me fix this without having to block updates.
> Because in Windows 10 it is part of a large cumulative update.
> 
> Greetings,
> 
> Wietse
> 
> 
> 2016-08-19 10:27 GMT+02:00 Wietse Driever <wdriever at gmail.com>:
> 
> > Hello Bill,
> >
> > We have the same problems with our users. After some recent updates
they
> > are unable to change there passwords. We have many networks at
different
> > locations and more and more reports are starting to come in now.
> >
> > We are using:
> > centos 6.8
> > kernel: 2.6.32.-642.1.1.el6.x86_64
> > smbd -V: 3.6.23-25.el6_7
> >
> > I noticed Windows 10 enterprise machines are not affected yet.
> >
> > I am sorry if my post was not correctly formatted, this is the first
time
> > and i did not have time to read all the rules. Just wanted to let you
now
> > we are facing the same issues. I still have to test the update
rollback.
> >
> > I will let you all now if this also worked for us.
> >
> > Greetings,
> >
> > Wietse Driever
> >
> >
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Please try uninstalling the version of this patch for your OS. That worked
for us!

https://technet.microsoft.com/library/security/MS16-101

On Fri, Aug 19, 2016 at 4:27 AM, Wietse Driever via samba <
samba at lists.samba.org> wrote:
> Hello Bill,
>
> We have the same problems with our users. After some recent updates they
> are unable to change there passwords. We have many networks at different
> locations and more and more reports are starting to come in now.
>
> We are using:
> centos 6.8
> kernel: 2.6.32.-642.1.1.el6.x86_64
> smbd -V: 3.6.23-25.el6_7
>
> I noticed Windows 10 enterprise machines are not affected yet.
>
> I am sorry if my post was not correctly formatted, this is the first time
> and i did not have time to read all the rules. Just wanted to let you now
> we are facing the same issues. I still have to test the update rollback.
>
> I will let you all now if this also worked for us.
>
> Greetings,
>
> Wietse Driever
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
*Bill Baird*
Chief Technology Officer
Office: 845-876-8228 x311
Mobile: 203-545-0437
www.phoenixmi.com