Rowland Penny
2023-Jul-12 13:19 UTC
[Samba] Test-ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
On 12/07/2023 14:03, Samuel Wolf via samba wrote:> Hello, > > since we install the most recent windows updates from 07/2023 > Test-ComputerSecureChannel -Verbose > show False [4]. > > Moved the machine to local workgroup, deleted machine account on the > ad controller > and rejoined it (which works), but Test-ComputerSecureChannel -Verbose > show again False. > > I'm not sure this is an issue on the samba or on the windows side. > > Affected samba versions so far: > 4.17.8+dfsg-2 (Debian 12) [1] > 4.18.x (mjt packages) [2] > 4.15.13+dfsg-0 (ubuntu) [3] > > Any ideas what we can do/test? > > Thank you. > > Samuel > > [1] https://lists.samba.org/archive/samba/2023-July/245749.html > [2] https://lists.samba.org/archive/samba/2023-July/245763.html > [3] https://lists.samba.org/archive/samba/2023-July/245761.html > > [4] https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1 >I am not convinced this is a Samba problem. It could be that Samba isn't providing something that Windows now expects, or Samba is providing something that Windows doesn't expect, but I think it is more likely that it has something to do with the 130 CVE's that Microsoft shipped yesterday: https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul It wouldn't be the first time Microsoft broke something while fixing something else. By all means open a bug report, Samba may need to change something to get things working again, but it will probably require level 10 logs and network traces to workout just what is going on. Rowland
Samuel Wolf
2023-Jul-12 13:51 UTC
[Samba] Test-ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
Hello Rowland,> By all means open a bug report, Samba may need to change something toI don't have an account in samba bugzilla yet.> get things working again, but it will probably require level 10 logs and > network traces to workout just what is going on.What I see when I try to repair the secure channel (Test-ComputerSecureChannel -Repair) with log level 5/6: [...] [2023/07/11 23:02:11.348659, 3] ../../libcli/auth/schannel_state_tdb.c:129(schannel_store_session_key_tdb) schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/CADMACHINE [2023/07/11 23:02:11.348684, 1] ../../librpc/ndr/ndr.c:668(_ndr_push_error) ndr_push_netr_Capabilities: ndr_push_error(Bad Switch): Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7652 [...] But, I don't know this was the same output with an older windows patch level, so maybe useless. Samuel
Arnaud FLORENT
2023-Jul-12 14:07 UTC
[Samba] Test-ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
Hello having also issues with KB5028166on window 10 22H2 with samba 4.15.13-Ubuntu used as old NT domain PDC Le 12/07/2023 ? 15:19, Rowland Penny via samba a ?crit?:> > > On 12/07/2023 14:03, Samuel Wolf via samba wrote: >> Hello, >> >> since we install the most recent windows updates from 07/2023 >> Test-ComputerSecureChannel -Verbose >> show False [4]. >> >> Moved the machine to local workgroup, deleted machine account on the >> ad controller >> and rejoined it (which works), but Test-ComputerSecureChannel -Verbose >> show again False. >> >> I'm not sure this is an issue on the samba or on the windows side. >> >> Affected samba versions so far: >> 4.17.8+dfsg-2 (Debian 12) [1] >> 4.18.x (mjt packages) [2] >> 4.15.13+dfsg-0 (ubuntu) [3] >> >> Any ideas what we can do/test? >> >> Thank you. >> >> Samuel >> >> [1] https://lists.samba.org/archive/samba/2023-July/245749.html >> [2] https://lists.samba.org/archive/samba/2023-July/245763.html >> [3] https://lists.samba.org/archive/samba/2023-July/245761.html >> >> [4] >> https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1 >> > > > I am not convinced this is a Samba problem. It could be that Samba > isn't providing something that Windows now expects, or Samba is > providing something that Windows doesn't expect, but I think it is > more likely that it has something to do with the 130 CVE's that > Microsoft shipped yesterday: > > https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul > > It wouldn't be the first time Microsoft broke something while fixing > something else. > > By all means open a bug report, Samba may need to change something to > get things working again, but it will probably require level 10 logs > and network traces to workout just what is going on. > > Rowland > >-- Arnaud FLORENT IRIS Technologies