Topic: Domain login broken after - windows update KB5028166

[tdbsoft]

Hi everyone,

I just wanted to report it seems windows update KB5028166 has completely broken domain login on SME 10.1 as well as the older SME 9.2.

It seems once the update is applied. you will get a trust relationship error when logging in on your windows 10 computers.

In our case i was able to roll-back KB5028166 and hide the update with a tool. but i was wondering if anyone else has experienced this problem? and know of a better long-term fix.

I tried the following...
*Re-applying Registry fixes
*Updating SME 10.1 to latest Samba packages
*restarts of both SME 10.1 and windows clients

I know the list is bit lean - unfortunately we working a few different issues currently. but i will try some more items when we get a chance

[bunkobugsy]

For Windows 11 remove and block KB 5028185. Wonder if this can be worked around with a registry patch.

Having no network connection to PDC seems to allow logins for the moment. (aka pull the network cable to login)

https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25#one-5021130

[nicolatiana]

+1


I join to the party: received alreadry three calls from customers 

[jayraym]

same here. Will test to remove KB5028166

[cno]

same here

what i did
rebooted in safe mode
removed last quality update

hold shift while restarting >advanced > and remove last quality update when done “continue to windows

[bunkobugsy]

Can be checked by signing in to Windows under the local administrator account, start the PowerShell console,
and run the   Test-ComputerSecureChannel -Verbose    cmdlet.

[nicolatiana]

Tested on W11: removed KB5028185 and then disabled with wushowhide.diagcab

https://www.tenforums.com/tutorials/8280-hide-show-windows-updates-windows-10-a.html


The tool is warned as "deprecated" but is still working for both 10 and 11.
After hidding I've forced an update and KB5028185 was not retrieved.

[jayraym]

Yep, looks like it's the KB5028185 that needs to be removed, it worked for me.
I'm new to Linux/Samba/Koozali so I have a question: how does it usually work? Does a patch comes out fairly quickly or something like that? No one wants to block windows security updates for too long obviously.

[nicolatiana]

Should we open a bug on BT ?

[nicolatiana]

Server side it was:
[2023/07/12 03:37:19.106022,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PIGRECO-42 machine account PIGRECO-42$
[2023/07/12 03:37:19.121343,  0] rpc_server/srv_pipe.c:1925(api_rpcTNP)
  api_rpcTNP: \netlogon: NETR_LOGONGETCAPABILITIES failed.

[bunkobugsy]

https://www.samba.org/samba/security/CVE-2022-38023.html

https://access.redhat.com/errata/RHSA-2023:1090

https://bugzilla.redhat.com/show_bug.cgi?id=2154362

[bunkobugsy]

Should we open a bug on BT ?

https://bugzilla.redhat.com/show_bug.cgi?id=2222250

[ReetP]

Should we open a bug on BT ?

You can, and add notes there.

Note this too - not sure if we need to modify Samba settings.

https://access.redhat.com/security/cve/cve-2022-38023

[john56]

have we to do it ? add this to smb.conf ?

Code: [Select]

reject md5 clients = yes

[nicolatiana]

This is from the Samba mailing list:

"I am not convinced this is a Samba problem. It could be that Samba isn't providing something that Windows now expects, or Samba is providing something that Windows doesn't expect, but I think it is more likely that it has something to do with the 130 CVE's that Microsoft shipped yesterday:
https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul
It wouldn't be the first time Microsoft broke something while fixing something else.
By all means open a bug report, Samba may need to change something to get things working again, but it will probably require level 10 logs and network traces to workout just what is going on."