Fabio Muzzi
2023-Jul-13 08:06 UTC
[Samba] ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
Hi Matthias,

You are writing about Linux and macOS CLIENTS that do not work... connecting to what? To Windows Server with latest patches or to a share on a Win10 PC with latest patches?

The issues I am seeing are all with Windows 10 clients and Linux servers (I have not tried the other way around, I don't have any such configuration).

For RDP using hostname and specifying the domain still does not work (in my configuration, the RDP client is a non-domain PC with Windows 10 or 11 and the RDP server is a Windows 10 PC that is in the domain, and the username involved is a domain user, not a local one). I have not yet tried disabling NLA. Can you please tell me how to do it in Windows 10?

Thanks.

Fabio Muzzi

On 13/07/2023 09.23, Matthias Kühne | Ellerhold Aktiengesellschaft via samba wrote:
> Hello,
>
> now a lot of bug reports are coming in.
>
> For RDP you HAVE to connect via DNS and DOMAIN\user.name. Connecting via
> IP or without the domain does not work anymore. You have to disable NLA too.
>
> Same for SMB access (at least from MacOS and linux clients). We've got
> some clients that never got the connection working - even with the above
> changes so we had to uninstall the update. I've disabled Win 10 Updates
> for the next 35 days ... hopefully the bug is solved until then!
>
> If there's anything we can help to fix this please let us know. This is
> getting critical for us.
>
> Thanks and have a nice day, Matthias.
>
> On 13.07.23 at 09:13, Jakob Curdes via samba wrote:
>>
>> On 12.07.2023 at 23:50, Fabio Muzzi via samba wrote:
>>> On 12/07/2023 21.47, Jakob Curdes via samba wrote:
>>>
>>>> Just to understand this, we also might be affected with several
>>>> customers:
>>>>
>>>> - after installing the July Windows update on W10 22H2 KB5028166, the
>>>> following symptoms appear: 1) Test-ComputerSecureChannel -Verbose
>>>> says "False" 2) RDPing into the system does not work 3) some reports
>>>> about broken SMB connections?
>>>>
>>>> I just tested this in our environment on an Ubuntu 18 server (I know,
>>>> must be updated asap), there I see the Test-ComputerSecureChannel
>>>> "False", while on a system without the update it says "true", but I
>>>> cannot see any problems with RDP or SMB network connections, so maybe
>>>> there are more border conditions to this?
>>>>
>>>> If I can help with further tests I am ready to go.
>>>
>>>
>>> Hi Jakob, can you please tell me what version is your Samba DC? I
>>> suppose it's 4.7.6 if it's the original Ubuntu 18.04 version, am I
>>> right?
>>>
>>> I'm trying to understand in how much manure I am drowning right now,
>>> I have about 10 small domains that use Samba (various versions) and
>>> I'm trying to understand what is expected to work and what is
>>> expected to fail.
>>>
>>> Can your clients still connect to the domain? I mean, if the user
>>> logs on locally on the PC, not using RDP.
>>>
>>> I know RDP is broken if using NLA.
>>
>> Hello Fabio, the DCs where I tested this are on 4.7.6 as you guessed,
>> the Ubuntu version with backported patches etc.
>> We have several samba-controlled domains with different versions and
>> we did not observe any problems with local logon, and no problems
>> with RDP other than we had to deactivate NLA in some cases, which is
>> bad but in this case a workaround. We do not observe any other
>> problems right now.
>>
>> HTH, Jakob
Matthias Kühne | Ellerhold Aktiengesellschaft
2023-Jul-13 08:18 UTC
[Samba] ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
Hello Fabio,

we're using these connections:

* via RDP from Mac OS Client to Windows 10 using an AD user
* via SMB from Mac OS Client to Windows 10 using an AD user
* via SMB from a CentOS client to Windows 10 using an AD user

The Windows 10 machine(s) are domain-joined to samba 4.18.4 DCs.

Have a nice day, Matthias.

On 13.07.23 at 10:06, Fabio Muzzi via samba wrote:
>
> Hi Matthias,
>
> You are writing about Linux and macOS CLIENTS that do not work...
> connecting to what? To Windows Server with latest patches or to a
> share on a Win10 PC with latest patches?
>
> The issues I am seeing are all with Windows 10 clients and Linux
> servers (I have not tried the other way around, I don't have any such
> configuration).
>
> For RDP using hostname and specifying the domain still does not work
> (in my configuration, the RDP client is a non-domain PC with Windows
> 10 or 11 and the RDP server is a Windows 10 PC that is in the domain,
> and the username involved is a domain user, not a local one). I have
> not yet tried disabling NLA. Can you please tell me how to do it in
> Windows 10?
>
> Thanks.
>
> Fabio Muzzi
>
>
> On 13/07/2023 09.23, Matthias Kühne | Ellerhold Aktiengesellschaft via
> samba wrote:
>> Hello,
>>
>> now a lot of bug reports are coming in.
>>
>> For RDP you HAVE to connect via DNS and DOMAIN\user.name. Connecting via
>> IP or without the domain does not work anymore. You have to disable
>> NLA too.
>>
>> Same for SMB access (at least from MacOS and linux clients). We've got
>> some clients that never got the connection working - even with the above
>> changes so we had to uninstall the update. I've disabled Win 10 Updates
>> for the next 35 days ... hopefully the bug is solved until then!
>>
>> If there's anything we can help to fix this please let us know. This is
>> getting critical for us.
>>
>> Thanks and have a nice day, Matthias.
>>
>> On 13.07.23 at 09:13, Jakob Curdes via samba wrote:
>>>
>>> On 12.07.2023 at 23:50, Fabio Muzzi via samba wrote:
>>>> On 12/07/2023 21.47, Jakob Curdes via samba wrote:
>>>>
>>>>> Just to understand this, we also might be affected with several
>>>>> customers:
>>>>>
>>>>> - after installing the July Windows update on W10 22H2 KB5028166, the
>>>>> following symptoms appear: 1) Test-ComputerSecureChannel -Verbose
>>>>> says "False" 2) RDPing into the system does not work 3) some reports
>>>>> about broken SMB connections?
>>>>>
>>>>> I just tested this in our environment on an Ubuntu 18 server (I know,
>>>>> must be updated asap), there I see the Test-ComputerSecureChannel
>>>>> "False", while on a system without the update it says "true", but I
>>>>> cannot see any problems with RDP or SMB network connections, so maybe
>>>>> there are more border conditions to this?
>>>>>
>>>>> If I can help with further tests I am ready to go.
>>>>
>>>>
>>>> Hi Jakob, can you please tell me what version is your Samba DC? I
>>>> suppose it's 4.7.6 if it's the original Ubuntu 18.04 version, am I
>>>> right?
>>>>
>>>> I'm trying to understand in how much manure I am drowning right now,
>>>> I have about 10 small domains that use Samba (various versions) and
>>>> I'm trying to understand what is expected to work and what is
>>>> expected to fail.
>>>>
>>>> Can your clients still connect to the domain? I mean, if the user
>>>> logs on locally on the PC, not using RDP.
>>>>
>>>> I know RDP is broken if using NLA.
>>>
>>> Hello Fabio, the DCs where I tested this are on 4.7.6 as you guessed,
>>> the Ubuntu version with backported patches etc.
>>> We have several samba-controlled domains with different versions and
>>> we did not observe any problems with local logon, and no problems
>>> with RDP other than we had to deactivate NLA in some cases, which is
>>> bad but in this case a workaround. We do not observe any other
>>> problems right now.
>>>
>>> HTH, Jakob
Samuel Wolf
2023-Jul-13 08:38 UTC
[Samba] ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023
Hi Fabio,

> For RDP using hostname and specifying the domain still does not work (in my configuration, the RDP client is a non-domain PC with windows 10 or 11 and the RDP server is a windows 10 PC that is in the domain, and the username involved is a domain user, not a local one).

that's what I see, domain PCs work (because cache?) over RDP but non-domain PCs don't work.

Example from Debian workstation with freerdp:

NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE

I don't want to think about what happens when the cache expires if I'm correct with my theory.

Samuel