Hi everyone,
Quick question on this. Does this MS patch affect Samba 4.7.x? Yeah, I 
know it's older but we've been having a lot of trouble getting a newer 
version to work (winbind). This is a whole other email I'll be sending 
out at some point for help. :-)
Thank you.
mike
On 7/6/2025 7:40 AM, Ralph Boehme via samba wrote:
> Hi all!
>
> On 8th of July, Microsoft will release an important security update 
> for Active Directory Domain Controllers for Windows Server versions 
> prior to 2025.
>
> This update includes a change to the Microsoft RPC Netlogon protocol, 
> which improves security by tightening access checks for a set of RPC 
> requests. Samba running as domain members in these environments will 
> be impacted by this change if a specific configuration is used, see 
> below for which configuration is affected.
>
> Windows Server version 2025 is already equipped with these specific 
> security hardenings, and Microsoft is now planning to deploy them to 
> all supported Windows Server versions down to Windows Server 2008.
>
>
> Who is affected?
>
> Samba installations acting as member servers in Windows AD domains 
> will be affected if they are configured to use the 'ad' idmapping 
> backend. Samba servers not using this configuration will not be 
> affected by the change - at least to our current knowledge and 
> understanding of the change - and no further action is required.
>
> Current versions of Samba with the affected configuration will no 
> longer function correctly once the Microsoft update has been applied. 
> Users will not be able to connect to the SMB service provided by Samba 
> for any domain configured to use the 'ad' idmapping backend.
>
>
> What the Samba Team is doing and what you should do
>
> Members of the Samba team have been collaborating with Microsoft and 
> changes to Samba are currently being developed and tested to ensure 
> full compatibility between Samba and Microsoft products. The Samba 
> team is aiming to provide updated Samba releases on Monday evening 
> (UTC+2).
>
>
> What you should do:
>
> If you're running Samba in a Windows AD environment, check your 
> configuration. Keep an eye out for new Samba package updates early 
> next week (starting 7 July).
>
>
> References
>
> https://bugzilla.samba.org/show_bug.cgi?id=15876
>
>
> On behalf of the Samba team
> -slow
>
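
For the "check your configuration" step in the announcement above, one way to list the domains whose idmap backend is 'ad'. This is an added example, not code from the Samba team or from either poster. The function names and the sample smb.conf text are constructed for illustration, and the script assumes all idmap settings sit in [global] and does not follow include files.

```python
import re

# Parameter names are case- and whitespace-insensitive in smb.conf,
# so match "idmap config <DOMAIN> : backend" loosely.
_IDMAP_BACKEND = re.compile(r"^idmap\s+config\s+(.+?)\s*:\s*backend$", re.IGNORECASE)

# Constructed sample configuration (not taken from any real host).
SAMPLE = """\
[global]
    workgroup = CORP
    # idmap config OLD : backend = ad
    idmap config * : backend = tdb
    idmap config CORP : backend = ad
    idmap config CORP : range = 10000-999999
    IDMAP  CONFIG  lab:backend = ad
    idmap config PARTNER : backend = rid

[share]
    path = /srv/share
"""


def logical_lines(text):
    """Yield lines with backslash continuations joined and comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line and not line.startswith(("#", ";")):
            yield line


def domains_using_ad_backend(text):
    """Return the idmap domains in [global] whose backend is 'ad'."""
    section, hits = None, []
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        match = _IDMAP_BACKEND.match(name)
        # Compare the value case-insensitively so the check errs toward flagging.
        if match and value.lower() == "ad":
            hits.append(match.group(1))
    return hits
```

Feeding it the output of `testparm -s` rather than the raw file gives the effective configuration with includes already resolved. An empty result means no domain on that member server is set to the 'ad' backend.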