On Thu, 2023-08-10 at 20:56 +0200, Fabio Muzzi via samba wrote:
> On 10/08/2023 17.52, Philippe LeCavalier via samba wrote:
> > The solution is to update Samba to (security update to 4.17) so
> > that 166 (and possibly 244) work from the client side. If you rely on a
> > client side solution you will likely continuously revisit this issue.
>
> I know I have to update Samba, but it's a hard job on a lot of small
> installations, and it requires quite a lot of time.
>
> Windows has been backwards (Samba NT and Samba AD) compatible for
> almost 25 years (win98 to win10) and now it seems it's all over.
> Every patch breaks something.

To be clear, Microsoft has shown no indication that they intend to unbreak this. The change (which could have been less strict and so not broken Samba) was made for security reasons. They have discussed with us the change and the expected behaviour we need to meet, but no suggestion has been made that they were going to update the client on their side. Even if they did, it wouldn't be fast; the last time (when they changed a Kerberos 'end of time' to 9999 and hit an overflow in Heimdal) it took a number of months and was done via the quality branch, not the urgent things.

If there are still issues after you patch Samba, please let us know.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
> If there are still issues after you patch Samba, please let us know.

Per my test, which could confirm that:

1. Win11 22H2 with KB5029244 (2023/Aug) installed cannot establish a secure channel against a non-patched Samba AD DC, just like KB5028166 (2023/Jul).

2. Several symptoms are caused by the broken secure channel, and all of them could be addressed by the Bug 15418 bugfix patches. Thank you, Metze!

These symptoms are like:

a. Join AD fails; error is "The trust relationship between this workstation and the primary domain failed."
b. Access fails; errors are "The trust relationship between this workstation and the primary domain failed." and "System error 1789 has occurred."
c. RDP fails; error is "The remote computer that you are trying to connect to require Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box."

And in Event Viewer you could see 2 kinds of Event ID: Event ID 3210 (NETLOGON), or Event ID 1058 (GroupPolicy).

--
Regards,
Jones Syue
QNAP Systems, Inc.
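A client-side triage script for the symptoms listed above, added here as an example and not part of the thread: it checks whether either of the two named client updates is installed, tests the workstation's secure channel read-only, and pulls the two Event IDs reported. The provider names used in the event filters and the one-day lookback are my assumptions.

```powershell
# Added triage example (not from the thread). Assumes a domain-joined Windows
# client; KB numbers and Event IDs are the ones named in the thread above.
$cumulativeUpdates = @('KB5028166', 'KB5029244')   # July / August 2023 CUs

# 1. Is one of the client updates that changed the secure channel behaviour present?
$installed = Get-HotFix | Where-Object { $cumulativeUpdates -contains $_.HotFixID }
if ($installed) {
    Write-Host "Installed client update(s): $($installed.HotFixID -join ', ')"
} else {
    Write-Host "Neither $($cumulativeUpdates -join ' nor ') is installed"
}

# 2. Can this workstation still establish its secure channel to a DC?
#    Read-only check: no -Repair, so nothing is reset on the machine account.
$channelOk = Test-ComputerSecureChannel -Verbose
Write-Host "Secure channel OK: $channelOk"

# 3. Pull the two Event IDs the thread associates with the broken secure channel:
#    3210 (NETLOGON) and 1058 (GroupPolicy), both written to the System log.
#    Provider names below are an assumption; adjust if your log shows different ones.
$since = (Get-Date).AddDays(-1)
$filters = @(
    @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210; StartTime = $since },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058; StartTime = $since }
)
foreach ($f in $filters) {
    $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    if ($events) {
        Write-Host "Found $($events.Count) event(s) with Id $($f.Id) from $($f.ProviderName):"
        $events | Select-Object -First 3 TimeCreated, Message | Format-List
    }
}

# Decision: updated client + failed secure channel + these events points at the
# server side, i.e. an unpatched Samba AD DC, which is where the fix belongs.
if ($installed -and -not $channelOk) {
    Write-Warning "Client is updated and the secure channel failed: apply the Bug 15418 fixes on the Samba AD DC."
}
```

Run it in an elevated PowerShell on an affected client; the warning at the end separates this server-side cause from an ordinary machine-account password drift, which a plain `Test-ComputerSecureChannel -Repair` would otherwise mask.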