Rowland Penny
2023-Jul-12 16:45 UTC
[Samba] Test-ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
On 12/07/2023 15:07, Arnaud FLORENT via samba wrote:
> Hello
>
> having also issues with KB5028166 on Windows 10 22H2 with samba
> 4.15.13-Ubuntu used as old NT domain PDC
>

At least that points to it not being solely an AD problem, something in basic authentication ?

Rowland
Rowland Penny
2023-Jul-12 18:24 UTC
[Samba] Test-ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
On 12/07/2023 17:45, Rowland Penny via samba wrote:
>
>
> On 12/07/2023 15:07, Arnaud FLORENT via samba wrote:
>> Hello
>>
>> having also issues with KB5028166 on Windows 10 22H2 with samba
>> 4.15.13-Ubuntu used as old NT domain PDC
>>
>
> At least that points to it not being solely an AD problem, something in
> basic authentication ?
>
> Rowland
>
>

This could be interesting, someone going by the pseudonym 'dosmage' is echoing my comments to Reddit, but not getting them exactly correct, so:

I have no real idea why Samba has started failing after Microsoft's massive 130 CVEs yesterday, is it Samba's problem ? Well probably, but only because of something that Microsoft has done, but who knows what ?

Rowland (who goes by another name on Reddit)
Peter Milesson
2023-Jul-12 18:46 UTC
[Samba] Test-ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
On 12.07.2023 18:45, Rowland Penny via samba wrote:
>
>
> On 12/07/2023 15:07, Arnaud FLORENT via samba wrote:
>> Hello
>>
>> having also issues with KB5028166 on Windows 10 22H2 with samba
>> 4.15.13-Ubuntu used as old NT domain PDC
>>
>
> At least that points to it not being solely an AD problem, something
> in basic authentication ?
>
> Rowland
>
>

Hi folks,

I did some testing with xfreerdp on Windows 10 PCs (22H2) and a Windows 2016 server (1607), just updated.

1. xfreerdp as a Samba (4.17.8) domain user with sec:nla to updated Windows 10 PC - does not work
2. xfreerdp as a local user with sec:nla to updated Windows 10 PC - works
3. xfreerdp as a Samba domain user with sec:tls to updated Windows 10 PC - works after disabling mandatory NLA in the PC. The roaming profile seems to load without warnings or errors
4. xfreerdp as the same Samba domain user to a Windows 10 PC that was not updated - works
5. xfreerdp with sec:nla to a recently updated Windows 2016 (1607) server in a Windows AD domain - works

So for those that need access via RDP as domain users, the only (hopefully very temporary) way seems to be to disable mandatory NLA in the PC, and connect with sec:tls. There seem to be quite a few TLS options for raising the TLS security level. The drawback is that the user is presented with the classic login window, but I guess that is not a big hurdle.

Regards,

Peter