Matthias Kühne | Ellerhold Aktiengesellschaft
2023-Jul-13 07:23 UTC
[Samba] ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
Hello,

now a lot of bug reports are coming in.

For RDP you HAVE to connect via DNS and DOMAIN\user.name. Connecting via IP or without the domain does not work anymore. You have to disable NLA too.

Same for SMB access (at least from MacOS and linux clients). We've got some clients that never got the connection working - even with the above changes so we had to uninstall the update. I've disabled Win 10 Updates for the next 35 days ... hopefully the bug is solved until then!

If there's anything we can help to fix this please let us know. This is getting critical for us.

Thanks and have a nice day, Matthias.

On 13.07.23 at 09:13, Jakob Curdes via samba wrote:
>
> On 12.07.2023 at 23:50, Fabio Muzzi via samba wrote:
>> On 12/07/2023 21.47, Jakob Curdes via samba wrote:
>>
>>> Just to understand this, we also might be affected with several
>>> customers:
>>>
>>> - after installing the July Windows update on W10 22H2 KB5028166, the
>>> following symptoms appear: 1) Test-ComputerSecureChannel -Verbose
>>> says "False" 2) RDPing into the system does not work 3) some reports
>>> about broken SMB connections?
>>>
>>> I just tested this in our environment on an Ubuntu 18 server (I know,
>>> must be updated asap), there I see the Test-ComputerSecureChannel
>>> "False", while on a system without the update it says "true", but I
>>> cannot see any problems with RDP or SMB network connections, so maybe
>>> there are more border conditions to this?
>>>
>>> If I can help with further tests I am ready to go.
>>
>>
>> Hi Jacob, can you please tell me what version is your Samba DC? I
>> suppose it's 4.7.6 if it's the original Ubuntu 18.04 version, am I
>> right?
>>
>> I'm trying to understand in how much manure I am drowning right now,
>> I have about 10 small domains that use Samba (various versions) and
>> I'm trying to understand what is expected to work and what is
>> expected to fail.
>>
>> Can your clients still connect to the domain? I mean, if the user
>> logs on locally on the PC, not using RDP.
>>
>> I know RDP is broken if using NLA.
>
> Hello Fabio, the DCs where I tested this are on 4.7.6 as you guessed,
> the Ubuntu version with backported patches etc.
> We have several samba-controlled domains with different versions and
> we did not observe any problems with local logon, and no problems
> with RDP other than we had to deactivate NLA in some cases, which is
> bad but in this case a workaround. We do not observe any other
> problems right now.
>
> HTH, Jakob
Fabio Muzzi
2023-Jul-13 08:06 UTC
[Samba] ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
Hi Matthias,

You are writing about linux and macos CLIENTS that do not work... connecting to what? To windows server with latest patches or to a share on a win10 pc with latest patches?

The issues I am seeing are all with windows 10 clients and linux servers (I have not tried the other way around, I don't have any such configuration).

For RDP using hostname and specifying the domain still does not work (in my configuration, the RDP client is a non-domain PC with windows 10 or 11 and the RDP server is a windows 10 PC that is in the domain, and the username involved is a domain user, not a local one).

I have not yet tried disabling NLA. Can you please tell me how to do it in windows 10?

Thanks.

Fabio Muzzi

On 13/07/2023 09.23, Matthias Kühne | Ellerhold Aktiengesellschaft via samba wrote:
> Hello,
>
> now a lot of bug reports are coming in.
>
> For RDP you HAVE to connect via DNS and DOMAIN\user.name. Connecting via
> IP or without the domain does not work anymore. You have to disable NLA too.
>
> Same for SMB access (at least from MacOS and linux clients). We've got
> some clients that never got the connection working - even with the above
> changes so we had to uninstall the update. I've disabled Win 10 Updates
> for the next 35 days ... hopefully the bug is solved until then!
>
> If there's anything we can help to fix this please let us know. This is
> getting critical for us.
>
> Thanks and have a nice day, Matthias.
>
> On 13.07.23 at 09:13, Jakob Curdes via samba wrote:
>>
>> On 12.07.2023 at 23:50, Fabio Muzzi via samba wrote:
>>> On 12/07/2023 21.47, Jakob Curdes via samba wrote:
>>>
>>>> Just to understand this, we also might be affected with several
>>>> customers:
>>>>
>>>> - after installing the July Windows update on W10 22H2 KB5028166, the
>>>> following symptoms appear: 1) Test-ComputerSecureChannel -Verbose
>>>> says "False" 2) RDPing into the system does not work 3) some reports
>>>> about broken SMB connections?
>>>>
>>>> I just tested this in our environment on an Ubuntu 18 server (I know,
>>>> must be updated asap), there I see the Test-ComputerSecureChannel
>>>> "False", while on a system without the update it says "true", but I
>>>> cannot see any problems with RDP or SMB network connections, so maybe
>>>> there are more border conditions to this?
>>>>
>>>> If I can help with further tests I am ready to go.
>>>
>>>
>>> Hi Jacob, can you please tell me what version is your Samba DC? I
>>> suppose it's 4.7.6 if it's the original Ubuntu 18.04 version, am I
>>> right?
>>>
>>> I'm trying to understand in how much manure I am drowning right now,
>>> I have about 10 small domains that use Samba (various versions) and
>>> I'm trying to understand what is expected to work and what is
>>> expected to fail.
>>>
>>> Can your clients still connect to the domain? I mean, if the user
>>> logs on locally on the PC, not using RDP.
>>>
>>> I know RDP is broken if using NLA.
>>
>> Hello Fabio, the DCs where I tested this are on 4.7.6 as you guessed,
>> the Ubuntu version with backported patches etc.
>> We have several samba-controlled domains with different versions and
>> we did not observe any problems with local logon, and no problems
>> with RDP other than we had to deactivate NLA in some cases, which is
>> bad but in this case a workaround. We do not observe any other
>> problems right now.
>>
>> HTH, Jakob
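
Added example, not part of any poster's message: a read-only PowerShell triage of the first two symptoms listed in the thread (update present, secure channel state, NLA requirement) on one Windows 10/11 client. It assumes Windows PowerShell 5.1 and uses the KB number given in the thread; the two registry paths are the standard per-listener and Group Policy locations of the NLA setting.

```powershell
# Added example (not from the thread): read-only triage of the reported symptoms.
# Assumes Windows PowerShell 5.1 on the Windows 10/11 client; it changes nothing.

$kb = 'KB5028166'   # update named in the thread for W10 22H2; other builds ship a different KB

# Is the July 2023 update installed on this machine?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# Domain membership, so a workgroup PC is not reported as a broken secure channel.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Symptom 1: secure channel between this machine and its domain controller.
$secureChannel = 'n/a (not domain joined)'
if ($cs.PartOfDomain) {
    try   { $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $secureChannel = "error: $($_.Exception.Message)" }
}

# Symptom 2: is NLA required for inbound RDP? 1 = required, 0 = not required,
# empty = value not set at that location. A policy value overrides the local one.
function Get-NlaValue([string]$Path) {
    $p = Get-ItemProperty -Path $Path -Name UserAuthentication -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.UserAuthentication } else { $null }
}
$nlaLocal  = Get-NlaValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaPolicy = Get-NlaValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# One object per machine, so results from several clients can be compared side by side.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Domain        = $cs.Domain
    UpdatePresent = [bool]$hotfix
    InstalledOn   = $hotfix.InstalledOn
    SecureChannel = $secureChannel
    NlaLocal      = $nlaLocal
    NlaPolicy     = $nlaPolicy
}
```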