Koozali.org: home of the SME Server

Domain login broken after - windows update KB5028166

Offline tdbsoft

  • *
  • 81
  • +0/-0
    • http://www.tdb.com.au
Domain login broken after - windows update KB5028166
« on: July 12, 2023, 04:28:01 AM »
Hi everyone,

I just wanted to report it seems Windows update KB5028166 has completely broken domain login on SME 10.1 as well as the older SME 9.2.

It seems once the update is applied, you will get a trust relationship error when logging in on your Windows 10 computers.

In our case I was able to roll back KB5028166 and hide the update with a tool, but I was wondering if anyone else has experienced this problem and knows of a better long-term fix.

I tried the following...
*Re-applying Registry fixes
*Updating SME 10.1 to latest Samba packages
*Restarts of both SME 10.1 and Windows clients

I know the list is a bit lean - unfortunately we are working on a few different issues currently, but I will try some more items when we get a chance.

Offline bunkobugsy

  • *
  • 280
  • +4/-0
Re: Domain login broken after - windows update KB5028166
« Reply #1 on: July 12, 2023, 09:09:32 AM »
For Windows 11 remove and block KB 5028185. Wonder if this can be worked around with a registry patch.

Having no network connection to PDC seems to allow logins for the moment. (aka pull the network cable to login)

https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25#one-5021130
« Last Edit: July 12, 2023, 09:31:07 AM by bunkobugsy »

Offline nicolatiana

  • *
  • 721
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #2 on: July 12, 2023, 09:34:20 AM »
+1


I join the party: already received three calls from customers :(
Consultant at Smeserver.it - Solutions and support for SME Server in Italy.

Offline jayraym

  • 8
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #3 on: July 12, 2023, 09:40:31 AM »
Same here. Will test removing KB5028166.

Offline cno

  • *
  • 35
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #4 on: July 12, 2023, 09:50:21 AM »
Same here.

What I did:
rebooted in safe mode
removed last quality update

Hold Shift while restarting > Advanced > and remove last quality update; when done, "Continue to Windows".

Offline bunkobugsy

  • *
  • 280
  • +4/-0
Re: Domain login broken after - windows update KB5028166
« Reply #5 on: July 12, 2023, 09:54:05 AM »
Can be checked by signing in to Windows under the local administrator account, starting the PowerShell console,
and running the Test-ComputerSecureChannel -Verbose cmdlet.

Offline nicolatiana

  • *
  • 721
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #6 on: July 12, 2023, 10:02:11 AM »
Tested on W11: removed KB5028185 and then disabled with wushowhide.diagcab

https://www.tenforums.com/tutorials/8280-hide-show-windows-updates-windows-10-a.html


The tool is flagged as "deprecated" but is still working for both 10 and 11.
After hiding it I forced an update and KB5028185 was not retrieved.
« Last Edit: July 12, 2023, 10:20:10 AM by nicolatiana »

Offline jayraym

  • 8
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #7 on: July 12, 2023, 10:24:05 AM »
Yep, looks like it's the KB5028185 that needs to be removed, it worked for me.
I'm new to Linux/Samba/Koozali so I have a question: how does it usually work? Does a patch come out fairly quickly or something like that? No one wants to block Windows security updates for too long, obviously.

Offline nicolatiana

  • *
  • 721
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #8 on: July 12, 2023, 10:45:26 AM »
Should we open a bug on BT ?

Offline nicolatiana

  • *
  • 721
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #9 on: July 12, 2023, 10:50:21 AM »
Server side it was:
[2023/07/12 03:37:19.106022,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PIGRECO-42 machine account PIGRECO-42$
[2023/07/12 03:37:19.121343,  0] rpc_server/srv_pipe.c:1925(api_rpcTNP)
  api_rpcTNP: \netlogon: NETR_LOGONGETCAPABILITIES failed.



Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #12 on: July 12, 2023, 04:53:31 PM »
Should we open a bug on BT ?

You can, and add notes there.

Note this too - not sure if we need to modify Samba settings.

https://access.redhat.com/security/cve/cve-2022-38023
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline john56

  • ***
  • 143
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #13 on: July 12, 2023, 07:03:29 PM »
Do we have to do it? Add this to smb.conf?
Code: [Select]
reject md5 clients = yes

Offline nicolatiana

  • *
  • 721
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #14 on: July 12, 2023, 07:14:30 PM »
This is from the Samba mailing list:
Quote
"I am not convinced this is a Samba problem. It could be that Samba isn't providing something that Windows now expects, or Samba is providing something that Windows doesn't expect, but I think it is more likely that it has something to do with the 130 CVE's that Microsoft shipped yesterday:
https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul
It wouldn't be the first time Microsoft broke something while fixing something else.
By all means open a bug report, Samba may need to change something to get things working again, but it will probably require level 10 logs and network traces to work out just what is going on."


Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #16 on: July 12, 2023, 08:18:09 PM »
For some Windows LTS versions the update may be KB5028168.

Also, in my mitigation I found the following.

If you just remove it and pause updates, on restart it should sign into the domain no problem. If however you removed then readded the machine from the domain prior to uninstalling the update, you will need to remove/readd it again.

Offline bunkobugsy

  • *
  • 280
  • +4/-0
Re: Domain login broken after - windows update KB5028166
« Reply #17 on: July 12, 2023, 08:32:56 PM »
Bad news: https://bugzilla.samba.org/show_bug.cgi?id=15418#c3

undocumented "Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7652"

"Hope Microsoft takes back this update asap since it will take at least a half year until a fix for this will be downstream"

Actually this might be CVE-2023-21526  Windows Netlogon Information Disclosure Vulnerability

For now only solution seems to be removing and blocking KB5028166 (Win10) or KB5028185 (Win11).
« Last Edit: July 12, 2023, 08:47:53 PM by bunkobugsy »

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #18 on: July 13, 2023, 12:28:28 AM »
have we to do it ? add this to smb.conf ?
Code: [Select]
reject md5 clients = yes

I (now) believe that will only work on patched versions of samba.

We are reliant on RH fixing this.

Only option right now is to roll back your update as per bunkobugsy above.

https://forums.koozali.org/index.php/topic,55017.msg289810.html#msg289810

Offline darmasanthi

  • ***
  • 139
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #19 on: July 13, 2023, 06:18:53 AM »
I have the same problem, which mostly happens on Windows 10 clients.
What is the fix that solves the problem?

please help me

thank you,
darmasanthi


Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #20 on: July 13, 2023, 08:05:38 AM »
I have the same problem that mostly happens on Windows 10 clients,
what is the fix solution that solve the problem

See above.

Quote
For now only solution seems to be removing and blocking KB5028166 (Win10) or KB5028185 (Win11).


Offline bunkobugsy

  • *
  • 280
  • +4/-0
Re: Domain login broken after - windows update KB5028166
« Reply #22 on: July 13, 2023, 10:38:20 AM »
Installing a WSUS server could help a lot for big domains
https://www.prajwaldesai.com/install-configure-wsus-on-windows-server-2019/

On every workstation add something like this via regedit as administrator:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.domain.tld:8530"
"WUStatusServer"="http://wsus.domain.tld:8530"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

Then in WSUS administration you have to approve every update, but you can also approve faulty ones for removal:



https://serverfault.com/questions/296429/how-to-roll-back-or-uninstall-microsoft-patch-using-wsus

Offline Jáder

  • *
  • 1,099
  • +0/-0
    • LinuxFacil
Re: Domain login broken after - windows update KB5028166
« Reply #23 on: July 13, 2023, 04:00:07 PM »
I have not tested it yet but I think something like: wusa /uninstall /kb:5028166 run as ADMIN or from any package installation software would work.
I am still working on a WPKG package for removing it from my clients' machines. I'll keep you updated.
...

Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #24 on: July 13, 2023, 04:24:42 PM »
I have not tested it yet but I think something like: wusa /uninstall /kb:5028166 run as ADMIN or from any package installation software would work...
Yes, this works from an elevated command prompt or PowerShell. Of course it has to be from a local account, with the trust issue breaking any domain admin access. Might be an issue for some remote package management that authenticates via those accounts?

Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #25 on: July 13, 2023, 07:23:18 PM »
FYI, they seem to be making progress in here.

https://bugzilla.samba.org/show_bug.cgi?id=15418

A patch they are experimenting with is reported as working in samba 4.13 and 4.18. Not sure if it is applicable though to Koozali 10.1, which currently uses samba 4.10.16.

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #26 on: July 13, 2023, 09:27:36 PM »
Remember we don't build our own samba rpms so are dependent on upstream ie RH/CentOS packages.

I have no idea currently of the feasibility of trying a backport - we'll need to look at the patches and see, but building samba is no mean feat, with a mountain of dependencies when building.


Offline Jáder

  • *
  • 1,099
  • +0/-0
    • LinuxFacil
Re: Domain login broken after - windows update KB5028166
« Reply #27 on: July 14, 2023, 11:21:54 AM »
Yes, this works from an elevated command prompt or powershell. Of course it has to be from a local account with the trust issue breaking any domain admin access. Might be an issue for some remote package management that authenticate via those accounts?
Yes, I have a best practice to create a local account as admin. Usually it's the name of the company and a default password.
All managed by WPKG installer.
Right now I have a half-way package to fix this. It removes KB5028166 and denies the download later.
I cannot find a way (yet) to test if those things are already done, so it slows down the startup by a minute.
I know about DOS errorlevel but it isn't working... not sure why:
This command calls PowerShell:
Code: [Select]
     <install timeout="300" cmd='%comspec% /C powershell -NoProfile -NonInteractive -ExecutionPolicy bypass -File "%SOFTWARE%\kb5028166.ps1"' />
and this is the powershell script:
Code: [Select]
If(-not(Get-InstalledModule pswindowsupdate -ErrorAction silentlycontinue)){
    Set-PSRepository NuGet     -InstallationPolicy Trusted
    Set-PSRepository PSGallery -InstallationPolicy Trusted
    Install-Module pswindowsupdate -Confirm:$False -Force
}

hide-windowsupdate -KBArticleID KB5028166
wusa /uninstall /kb:5028166 /quiet /norestart

If anyone knows how to verify a KB is installed better than:
Code: [Select]
wmic qfe list brief /format:table|findstr KB5028166
I'd thank you.
Later something like:
Code: [Select]
if errorlevel 0 wusa /uninstall /kb:5028166
would make all automagically... but this ERRORLEVEL is a problem right now.

I think we could use if errorlevel 1 to run all other commands:
Code: [Select]
If(-not(Get-InstalledModule pswindowsupdate -ErrorAction silentlycontinue)){
    Set-PSRepository NuGet     -InstallationPolicy Trusted
    Set-PSRepository PSGallery -InstallationPolicy Trusted
    Install-Module pswindowsupdate -Confirm:$False -Force
}

hide-windowsupdate -KBArticleID KB5028166
and otherwise just remove it with wusa /uninstall /kb:5028166

I just have not found the right syntax so far. My best guess so far in PS is this, as the KB5028166.ps1 file content:
Code: [Select]
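# Check whether KB5028166 is installed (an empty result means it is not)
$instalado = wmic qfe list brief /format:table | findstr KB5028166
if ($instalado) {
    # Dry run: Write-Host shows the command instead of running it
    Write-Host "Encontrei o KB5028166, removendo... aguarde"
    Write-Host "run: wusa /uninstall /kb:5028166"
}
else {
    # Install the PSWindowsUpdate module only when it is missing
    If (-not (Get-InstalledModule pswindowsupdate -ErrorAction silentlycontinue)) {
        Set-PSRepository NuGet     -InstallationPolicy Trusted
        Set-PSRepository PSGallery -InstallationPolicy Trusted
        Install-Module pswindowsupdate -Confirm:$False -Force
    }
    # Dry run: report the hide step whether or not the module was just installed
    Write-Host "Nao encontrei o KB5028166, evitando instalacao... aguarde"
    Write-Host "run: hide-windowupdate -KBArticle KB5028166"
}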

Note the write-host is SHOWING the commands instead of running them.

Any tips are welcome.
« Last Edit: July 14, 2023, 11:35:47 AM by Jáder »
...

Offline Gary Douglas

  • *
  • 73
  • +1/-0
Re: Domain login broken after - windows update KB5028166
« Reply #28 on: July 14, 2023, 11:28:18 AM »
A solution in some cases, i.e. single user, might be to leave the domain and set to workgroup. Microsoft have done this before. Then use ForensIT User Profile Wizard to restore the domain user profile to the new local user profile. There is a free edition here: https://www.forensit.com/Downloads/Profwiz.msi

Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #29 on: July 14, 2023, 03:13:54 PM »
and this is the powershell script:
Code: [Select]
If(-not(Get-InstalledModule pswindowsupdate -ErrorAction silentlycontinue)){
    Set-PSRepository NuGet     -InstallationPolicy Trusted
    Set-PSRepository PSGallery -InstallationPolicy Trusted
    Install-Module pswindowsupdate -Confirm:$False -Force
}

hide-windowsupdate -KBArticleID KB5028166
wusa /uninstall /kb:5028166 /quiet /norestart

Correct me if I'm wrong, but I'm pretty sure the /quiet flag is deprecated for wusa in Win10 for security reasons.
https://learn.microsoft.com/en-us/answers/questions/636329/unable-to-use-wusa-to-uninstall-updates-in-quiet-m
« Last Edit: July 14, 2023, 03:26:01 PM by dvdsmith »

Offline Jáder

  • *
  • 1,099
  • +0/-0
    • LinuxFacil
Re: Domain login broken after - windows update KB5028166
« Reply #30 on: July 14, 2023, 04:19:44 PM »
Correct me if I'm wrong, but I'm pretty sure the /quiet flag is deprecated for wusa in Win10 for security reasons.
https://learn.microsoft.com/en-us/answers/questions/636329/unable-to-use-wusa-to-uninstall-updates-in-quiet-m

Hmm... that explains why my batch is not working.
Can someone find out the DISM number for this update?
...

Offline Jáder

  • *
  • 1,099
  • +0/-0
    • LinuxFacil
Re: Domain login broken after - windows update KB5028166
« Reply #31 on: July 14, 2023, 06:17:04 PM »
I found out this info:
Code: [Select]
C:\Windows\system32>dism /online /get-packages /format:table |findstr -i  "package_for"|findstr -i "07/2023"
Package_for_DotNetRollup_481~31bf3856ad364e35~amd64~~10.0.9167.9                                    | Instalado   | Update          | 14/07/2023 07:56
Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3208.1.10                                       | Instalado   | Security Update | 14/07/2023 07:56
Package_for_ServicingStack_3205~31bf3856ad364e35~amd64~~19041.3205.1.1                              | Instalado   | Update          | 12/07/2023 12:22

But I cannot find a way to know for sure what's the name (it's one of those 3!) to remove using DISM!
How can I match a KB# to this name? Where is the info stored?

...

Offline Jáder

  • *
  • 1,099
  • +0/-0
    • LinuxFacil
Re: Domain login broken after - windows update KB5028166
« Reply #32 on: July 14, 2023, 06:31:59 PM »
I think I found a way!
Searching Google for KB5028166 pointed me to https://support.microsoft.com/en-us/topic/july-11-2023-kb5028166-os-builds-19044-3208-and-19045-3208-eab49ea6-3133-41c8-845f-a14a329c6c20
where I can see the expression 19044-3208 and 19045-3208, so I searched for 3208:

Code: [Select]
C:\Windows\system32>dism /online /get-packages /format:table |findstr -i  "package_for"|findstr -i "3208"
Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3208.1.10                                       | Instalado   | Security Update | 14/07/2023 07:56
So the name used as parameter to DISM should be Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3208.1.10

And because I have nothing to lose (WUSA is not working anyway!) I'll update my batch with this info!

...
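
The check-then-remove flow worked out across replies #27 to #32, written as one script. This is an added example, not any poster's script: it uses Get-HotFix instead of ERRORLEVEL, matches the package by build revision 3208 as reply #32 does by hand, and removes it with the DISM cmdlets. The helper name Select-RollupPackage and the exit codes 0 and 1 are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Save as a .ps1 file and run it from a
# local administrator account (domain logons fail while the trust is broken).
# KB number and build revision are the Windows 10 values quoted in the posts.
$KbId          = 'KB5028166'
$BuildRevision = '3208'

# Hypothetical helper: from a list of servicing package names, return the
# cumulative-update (RollupFix) package whose version carries the build revision.
# This is the findstr match from reply #32, applied to the version field only.
function Select-RollupPackage {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $PackageName,
        [Parameter(Mandatory)] [string] $Revision
    )
    foreach ($name in $PackageName) {
        if ($name -notlike 'Package_for_RollupFix~*') { continue }
        # Name layout: <id>~<publisher key>~<arch>~<lang>~<version>
        $version = ($name -split '~')[-1]            # e.g. 19041.3208.1.10
        if (($version -split '\.')[1] -eq $Revision) { $name }
    }
}

# 1. Presence check. Get-HotFix reads Win32_QuickFixEngineering, the same source
#    as "wmic qfe"; with the error suppressed it returns nothing when the KB is
#    absent, so the result can be tested directly.
if (-not (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)) {
    Write-Output "$KbId is not installed; nothing to remove."
    exit 0
}

# 2. Map the KB to its servicing package name.
$installed = @(Get-WindowsPackage -Online |
    Where-Object { $_.PackageState -eq 'Installed' } |
    ForEach-Object { $_.PackageName })
$target = @(Select-RollupPackage -PackageName $installed -Revision $BuildRevision)
if ($target.Count -ne 1) {
    # Zero matches can mean the package is no longer in the Installed state;
    # more than one means the match is too loose. Either way, stop here.
    Write-Warning "Found $($target.Count) RollupFix packages for revision $BuildRevision; not removing anything."
    exit 1
}

# 3. Remove through DISM rather than "wusa /quiet" (see reply #29).
try {
    Remove-WindowsPackage -Online -PackageName $target[0] -NoRestart -ErrorAction Stop | Out-Null
}
catch {
    Write-Warning "Removal of $($target[0]) failed: $($_.Exception.Message)"
    exit 1
}

# The removal takes effect after a restart; the secure channel check from
# reply #5 is the confirmation step once the machine is back up.
Write-Output "Removed $($target[0]). Restart, then run Test-ComputerSecureChannel -Verbose."
exit 0
```

For Windows 11 the KB and build revision differ; take both from the matching Microsoft KB article title, as reply #32 does for Windows 10.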

Offline Jean-Philippe Pialasse

  • *
  • 2,765
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Domain login broken after - windows update KB5028166
« Reply #33 on: July 14, 2023, 07:55:10 PM »
Make sure your PowerShell script is read and execute only for users.

Offline bunkobugsy

  • *
  • 280
  • +4/-0
Re: Domain login broken after - windows update KB5028166
« Reply #34 on: July 17, 2023, 07:58:24 AM »
WSUS is a mess, but samba patch works fine.

Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #35 on: July 17, 2023, 10:15:23 PM »
hide-windowupdate -KBArticle KB5028166"

One quirk I found messing around with your script. If KB5028166 is not currently installed and updates have been paused, the above may fail.

The following from powershell will tell you the day/time it is paused until
Code: [Select]
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'| Select-Object PauseUpdatesExpiryTime
This registry entry does not exist if updates are not paused. In my case removing it immediately allowed the Get command to work.
Code: [Select]
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "PauseUpdatesExpiryTime"
Get-WindowsUpdate

Offline jayraym

  • 8
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #36 on: July 25, 2023, 04:09:36 PM »
Again, sorry I'm new here: how does that work for the patch to be available? It seems our friend bunkobugsy published it 9 days ago, are we waiting for some kind of approval?

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #37 on: July 25, 2023, 05:20:24 PM »
Again, sorry I'm new here: how does that work for the patch to be available? It seems our friend bunkobugsy published it 9 days ago, are we waiting for some kind of approval?

Hi.

So officially we do not maintain these packages. You will have to wait for an upstream fix that will percolate down like this:

samba -> Wherever in the RH eco systems -> RHEL -> CentOS -> Koozali SME

In the meantime you can revert the M$ patches as above as a workaround.

bunkobugsy has done a test build with the samba patch and the RHEL packages to see if it works which apparently it does.

However, we are not going to officially build that here. There are just way too many security risks involved for us to have the resources to fully test any patch. Remember, it gets released to a lot of people.....

You can of course do the same as bunkobugsy did and have a go at patching yourself if you are interested in how it works.

He has got his built packages that he is testing but I need to check whether he is happy for anyone else to use them at the minute - he uses them at his own risk but he might not be happy for anyone else to take that chance - the risk is lots of people will try them for 'testing' and then just forget them and then get hacked.


Offline jayraym

  • 8
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #38 on: July 25, 2023, 05:43:56 PM »
Noted, thank you!

Offline Jean-Philippe Pialasse

  • *
  • 2,765
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Domain login broken after - windows update KB5028166
« Reply #39 on: July 25, 2023, 07:37:24 PM »
Even if the patch works and has no side effects, maintaining Samba ourselves in place of upstream means checking in real time all security issues related to Samba,
which we do not have the resources for, and it would compromise the security of members of the community in the long run and reduce our capacity to maintain the rest of the distro.


RH is slow in releasing something currently, but the best workaround has been explained. RH recently announced 4 years of extended support instead of 2 for RHEL7, and maintenance updates are on up to June 2024. So I do not think they will leave this as is.

Offline bunkobugsy

  • *
  • 280
  • +4/-0
Re: Domain login broken after - windows update KB5028166
« Reply #40 on: July 25, 2023, 08:09:17 PM »
RH bug https://bugzilla.redhat.com/show_bug.cgi?id=2222250 just changed status:
Fixed In Version:   samba-4.10.16-25.el7_9
Status:   ON_QA

meaning they built a new version and it's in testing so it shouldn't take long to reach our upstream repos (if RH decides to release)
« Last Edit: July 25, 2023, 08:13:14 PM by bunkobugsy »

Offline nicolatiana

  • *
  • 721
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #41 on: July 26, 2023, 06:42:02 PM »
Obviously every further update can reproduce the problem.
The subsequent kb5028244 update again contains some update involving netlogon, so if you install it you get the problem back.
So the definitive solution while waiting for the Samba patch is disabling automatic updates via GPEDIT.MSC (not through the WU panel, where you can suspend for 5 weeks).


W10:

1. Open Start.
2. Search for gpedit.msc and click the top result to launch the Local Group Policy Editor.
3. Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Windows Update
4. Double-click the "Configure Automatic Updates" policy on the right side.
5. Check the Disabled option to turn off automatic Windows 10 updates permanently.
6. Click the Apply button.
7. Click the OK button.


W11, the same but replace:
Computer Configuration > Administrative Templates > Windows Components > Windows Update
with:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience.


To be adapted to various languages

Offline Jáder

  • *
  • 1,099
  • +0/-0
    • LinuxFacil
Re: Domain login broken after - windows update KB5028166
« Reply #42 on: July 26, 2023, 08:26:11 PM »
On https://www.minitool.com/backup-tips/disable-windows-11-automatic-updates.html they say:

#6 How to Turn off Windows 11 Automatic Updates with Command?
Let’s directly go to the steps!

Search “cmd” in Windows Search and open it as Administrator.
To disable Windows Update service (wuauserv) in Windows 11, type sc config wuauserv start= disabled and press Enter.
To enable Windows update service (wuauserv) in Windows 11, type sc config wuauserv start= auto and press Enter.


I'll test them later on Win10 and Win11. It's easy to put that command in a package manager, and later even remove it!
...

Offline groyk

  • *
  • 138
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #43 on: July 27, 2023, 12:23:56 PM »
I am thinking.

Is it possible to shut down the domain server and map network drives manually until the patch is coming?

I can't find where to disable it other than in the server configuration procedure.

I believe if I shut down domain login I can still access email, ibays etc. Correct?

Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #44 on: July 28, 2023, 03:51:06 PM »
I am thinking.

Is it possible to shut down the domain server and map network drives manually until the patch is coming?

I can't find where to disable it other than in the server configuration procedure.

I believe if I shut down domain login I can still access email, ibays etc. Correct?

To my knowledge you can map network drives without having to change anything on the domain server.

That said, I'd recommend against turning off the domain. I haven't tested lately but I fear you might have to rejoin the workstations to the domain when you turn it on later. Also, a fix is in the works. Just a matter of it working through the pipeline and eventually as a samba update via "yum update". Could be days, or weeks, or whatever. I can say a patch is already out for newer samba versions (4.18 and 4.17). We just have to be patient and wait.

https://bugzilla.redhat.com/show_bug.cgi?id=2222250

Offline jayraym

  • 8
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #45 on: July 28, 2023, 04:35:23 PM »
FYI, I just downloaded and installed the next Windows update (KB5028254): once it's done it doesn't give you the opportunity to uninstall KB5028185 through the GUI. I tried with wusa /uninstall /kb:5028185, no luck either, so I guess no more workaround (other than unplugging the network cable) once it's installed.

Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #46 on: July 28, 2023, 04:47:14 PM »
FYI, I just downloaded and installed the next Windows update (KB5028254): once it's done it doesn't give you the opportunity to uninstall KB5028185 through the GUI. I tried with wusa /uninstall /kb:5028185, no luck either, so I guess no more workaround (other than unplugging the network cable) once it's installed.

I am assuming the netlogon patch in KB5028185 is rolled into KB5028254. You could uninstall and block KB5028254 as well as a stop gap. Hopefully the samba fix is out before patch tuesday.

FYI, those are the KBs for Windows 11 22H2. For those running Windows 10 22H2, they are KB5028166 and KB5028244.

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #47 on: July 28, 2023, 06:30:09 PM »
I'm pretty sure that RH will get a patch out eventually - they are offering extended support.

However, they will probably drag their heels trying to force more users to upgrade......

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #48 on: July 31, 2023, 07:33:29 PM »
So they've released fixes for EL8

https://listman.redhat.com/archives/rhsa-announce/2023-July/012541.html

And EL9

https://listman.redhat.com/archives/rhsa-announce/2023-July/012542.html

Still waiting for EL7. Why doesn't that surprise me..... ?

Offline yythoss

  • *
  • 532
  • +0/-0
    • http://www.hylafax-client.de
Re: Domain login broken after - windows update KB5028166
« Reply #49 on: August 02, 2023, 07:40:17 PM »
Hello Forum,

I have compiled the Samba RPMs for SME9 and SME10.

deleted by yythoss

If anyone is interested please send me a PM.
For this update you need linux knowledge on the console!
The associated risk is explained further below.
For this reason I have removed this post.

=====================

Admin edit.
V9 is NOT supported. Please do NOT publish ANY v9 information here thanks.

V10 - please think at least 4 times before grabbing rpms from unknown sources.

We cannot support your server if you install these.

Your server is totally at risk if you install these rpms.

You have been warned
« Last Edit: August 03, 2023, 06:16:28 PM by yythoss »

Offline Jean-Philippe Pialasse

  • *
  • 2,765
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Domain login broken after - windows update KB5028166
« Reply #50 on: August 03, 2023, 12:19:32 AM »
While yythoss, a long-term member of the community, is trying to help others by providing an easy and fast solution, it is not best practice to grab an rpm from outside a legitimate repo if you want to maintain the security of your server. If you start with this approach you might end up with an rpm with security issues. (Not saying that yythoss has any bad intentions.)

Also this is not a definitive fix because it will be overridden by any update using a higher version or higher release number from the upstream repo. And if they did not provide the same fix you will see the bug again without understanding why…

An option would also be to disable updates, but then you will miss security fixes.

So yes, they take a long walk before releasing something for rhel7/centos7, but it is best to wait using the client-side workaround, or patch yourself and get ready to repatch in case of reoccurrence.
« Last Edit: August 03, 2023, 12:21:15 AM by Jean-Philippe Pialasse »

Offline yythoss

  • *
  • 532
  • +0/-0
    • http://www.hylafax-client.de
Re: Domain login broken after - windows update KB5028166
« Reply #51 on: August 03, 2023, 08:50:16 AM »
Wow!
I don't think any of the admins here have customers who call every day because of the Windows login problem!

I've been working on the patch for a week and had a lot of help from Stefan Metzmacher from Samba, who fixed the problem.
The source code is direct from Samba:

https://download.samba.org/pub/samba/stable/

The last update for 4.10.16 was 2020!
I think there will be no more updates, neither for Samba 3 nor for Samba 4.10.16.

The SME10 will also be End of Life next year.
As there are certainly many customers who will be keeping the SME 10 for some time, I thought I would help.

You are welcome to delete my post.
For those who have already installed the rpm's, you can always go back to the old Samba version.

SME 10
Code:
yum --disablerepo="*" --enablerepo="updates" downgrade samba\* lib\*
SME9
Code:
yum downgrade samba\* libsmbclient
That was the last time I helped here.

Offline bunkobugsy

  • *
  • 280
  • +4/-0
Re: Domain login broken after - windows update KB5028166
« Reply #52 on: August 03, 2023, 09:06:23 AM »
https://bugzilla.redhat.com/show_bug.cgi?id=2222250
Status:   VERIFIED
Fixed In Version:   samba-4.10.16-25.el7_9

This means there will be an official fix, however anyone installing custom -25 rpms won't see them released.
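
The version ordering behind both warnings (the point above about custom -25 builds, and Jean-Philippe Pialasse's earlier point about a local build being overridden by a higher upstream release), as an added example that is not from any poster or from the SME Server or Samba projects. It is a Python re-implementation of rpm's version comparison with caret handling omitted; only `4.10.16-25.el7_9` comes from the thread, and the other version strings are constructed sample values.

```python
import re

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does: -1, 0 or 1."""
    if a == b:
        return 0
    while a or b:
        # Separators (anything but ASCII letters, digits and '~') are skipped.
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        # '~' sorts before everything, even before the end of the string.
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        # Next segment is all digits or all letters, typed by the left side.
        numeric = a[0].isdigit()
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pattern, a).group(0)
        found = re.match(pattern, b)
        if found is None:
            # Different types: a numeric segment beats an alphabetic one.
            return 1 if numeric else -1
        seg_b = found.group(0)
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    return bool(a) - bool(b)  # the side with segments left over is newer

def split_evr(evr):
    """'[epoch:]version-release' -> (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(x, y):
    (ex, vx, rx), (ey, vy, ry) = split_evr(x), split_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)

def update_outcome(installed, upstream):
    """'replaced' if upstream sorts higher, else 'masked' (yum sees no update)."""
    return "replaced" if evr_cmp(upstream, installed) > 0 else "masked"

OFFICIAL_FIX = "4.10.16-25.el7_9"  # "Fixed In Version" quoted in the thread
# Constructed sample EVRs for locally built packages (not real builds).
LOCAL_BUILDS = ["4.10.16-25.el7_9", "4.10.16-25.el7_9.local1",
                "4.10.16-24.el7_9.local1"]
OUTCOMES = {evr: update_outcome(evr, OFFICIAL_FIX) for evr in LOCAL_BUILDS}
```

A local build numbered at or above the official release hides the official package from `yum update`; one numbered below it is replaced by whatever upstream ships next, whether or not that build carries the same fix.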

Offline sages

  • *
  • 182
  • +0/-0
    • http://www.sages.com.au
Re: Domain login broken after - windows update KB5028166
« Reply #53 on: August 03, 2023, 10:04:26 AM »
Quote
Wow!
I don't think any of the admins here have customers who call every day because of the Windows login problem!

I've been working on the patch for a week and had a lot of help from Stefan Metzmacher from Samba, who fixed the problem.
The source code is direct from Samba:

https://download.samba.org/pub/samba/stable/

The last update for 4.10.16 was 2020!
I think there will be no more updates, neither for Samba 3 nor for Samba 4.10.16.

The SME10 will also be End of Life next year.
As there are certainly many customers who will be keeping the SME 10 for some time, I thought I would help.

You are welcome to delete my post.
For those who have already installed the rpm's, you can always go back to the old Samba version.

SME 10
Code:
yum --disablerepo="*" --enablerepo="updates" downgrade samba\* lib\*
SME9
Code:
yum downgrade samba\* libsmbclient
That was the last time I helped here.

Nothing you have replied negates the warning that has been posted. Get off your high horse and read the warnings again. Yes, you have a patched update, congratulations on working through the issue. Are you going to maintain the patched package for future users? Pick up your dummy and stop taking legitimate and valid feedback as an attack.
Good luck with future FOSS endeavours.
...

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #54 on: August 03, 2023, 02:35:37 PM »
Quote
Wow!
I don't think any of the admins here have customers who call every day because of the Windows login problem!

This thread is by admins who have experienced this problem......

Quote
I've been working on the patch for a week and had a lot of help from Stefan Metzmacher from Samba, who fixed the problem.
The source code is direct from Samba:

https://download.samba.org/pub/samba/stable/

The last update for 4.10.16 was 2020!
I think there will be no more updates, neither for Samba 3 nor for Samba 4.10.16.

Bunkobugsy built patched rpms over a week ago by himself. Same thing applies. Installing them for most people is not best practice and we may end up with more issues than those it resolves.

Our policy is to wait for upstream. That's it. We understand the frustration but as already pointed out, we do not have the manpower to maintain packages like this ourselves.

Also as pointed out, there will be a patch from RHEL - they are offering extended support so they can't NOT offer a patch. They are just dragging their feet.

Quote
The SME10 will also be End of Life next year.

It will, and we hope that Koozali SME 11 will be there to replace it, but it won't get done unless people like you get involved and help.

Quote
As there are certainly many customers who will be keeping the SME 10 for some time, I thought I would help.

It doesn't really help anyone per se. Like v9 they should not use it beyond the EOL date. Your rpms will make no difference when v10 is EOL. RHEL will likely have released updates long before that.

This is about best practice. We are not trying to criticise you but things need to be done in a certain way. As I have said to people many times before, contact me for a Rocket.Chat account and talk to those of us who develop directly and we can advise the best way to do things.

Quote
You are welcome to delete my post.

Editing to remove v9 was sufficient, along with a large warning about potential risks with v10.

Quote
That was the last time I helped here.

That would be sad. It would be much better to speak to us directly and understand our policies than have a shouting match here.


Offline yythoss

  • *
  • 532
  • +0/-0
    • http://www.hylafax-client.de
Re: Domain login broken after - windows update KB5028166
« Reply #55 on: August 03, 2023, 03:59:12 PM »
Quote
This thread is by admins who have experienced this problem......

I know, I mean the admins of the forum.

Quote
Nothing you have replied negates the warning that has been posted. Get off your high horse and read the warnings again. Yes, you have a patched update, congratulations on working through the issue. Are you going to maintain the patched package for future users? Pick up your dummy and stop taking legitimate and valid feedback as an attack.
Good luck with future FOSS endeavours.

I just wanted to help.

It should be a quick help for all administrators so that they don't have to go to every Windows Computer to deinstall the Update.
You can always uninstall my RPMs as soon as new ones are officially available.
I don't understand this uprising at all and I'm really disappointed.

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #56 on: August 03, 2023, 04:20:21 PM »
Quote
I know, I mean the admins of the forum.

I just wanted to help.


Yes we know. But as explained there are ways to do this and there are ways not to do this. Talk to us and we will happily guide you - the hard part is getting people to get involved.... You can DM or email me for a Rocket.Chat account and come and help.

Quote
It should be a quick help for all administrators so that they don't have to go to every Windows Computer to deinstall the Update.
You can always uninstall my RPMs as soon as new ones are officially available.
I don't understand this uprising at all and I'm really disappointed.

Please read Jean-Philippe Pialasse's comments above as to why this is bad practice.

Remember, there are a lot of inexperienced admins out there who may follow this and then find themselves in all sorts of trouble as they miss more updates.

They tend to install, think it solves the issue, not be aware of the security implications, forget about it, and then miss another vital update.

Manual updates to core upstream built packages should always be avoided unless you absolutely know exactly what you are doing, and are prepared to take risks.

Take it from us - as the ones who try and solve/fix a lot of issues people experience - it can waste an awful lot of our time and energy. We have the t-shirts, and videos.

Also see this:

https://xyproblem.info/

Offline yythoss

  • *
  • 532
  • +0/-0
    • http://www.hylafax-client.de
Re: Domain login broken after - windows update KB5028166
« Reply #57 on: August 03, 2023, 06:15:32 PM »
You're right, I took out my post

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #58 on: August 04, 2023, 12:17:40 PM »
Quote
You're right, I took out my post

:-) Sorry - I didn't mean to be harsh, and we value what you do but we have to consider the many inexperienced admins out there - it is a direct result of SME being so 'easy' to use.

Please do contact me and get a Rocket login and talk to us directly. We need people with your skills!

We are currently working on migrating from CVS to git, and then will start on building Koozali SME v11 (and possibly 12 as well). We need all the help we can get!!

I hope that RHEL will release the EL7 fix ASAP. My cynical side says they are holding it to try and force users off EL7 :-( We'll see.

Please be assured that even if we don't use Windows, it does not mean we are not concerned!! We feel your pain!

We will of course post here the minute we hear anything more.

Thanks.

Offline john56

  • ***
  • 143
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #59 on: August 04, 2023, 05:23:29 PM »
Thank you yythoss for your contribution. We appreciate it.
We will wait for the security fix direct from sme10 to be in the right way.

Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #60 on: August 08, 2023, 08:38:41 PM »
FYI, just had the following pop on a test Win 10 Pro client (22H2). Expected Patch Tuesday security update.

2023-08 Cumulative Update for Windows 10 Version 22H2 for x64-based Systems (KB5029244)

Installing it DOES break trust, so it must include the same fix that broke trust in KB5028166.

Just an advisory as we wait for the Samba patch to hit EL7. More details found here.
https://www.neowin.net/news/windows-10-august-2023-patch-tuesday-kb5029244-out--heres-whats-new-and-whats-broke/

EDIT: In case anyone needs it for a script the following uninstalls KB5029244 from a command prompt in Win10 22H2. Adjust parameters as necessary.

Code:
dism /Online /Remove-Package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.3324.1.7 /quiet /norestart
« Last Edit: August 08, 2023, 10:50:24 PM by dvdsmith »

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #61 on: August 09, 2023, 10:06:20 AM »
FYI we are looking at adding patched samba rpms to the build system as a possible workaround.

We have built them as a test in my repo. However buildys is having a hissy fit right now.

We will keep you posted.


Offline TerryF

  • grumpy old man
  • *
  • 1,826
  • +6/-0
Re: Domain login broken after - windows update KB5028166
« Reply #62 on: August 10, 2023, 05:57:30 AM »
There is now a patched samba rpm in /smetest only a short term fix until upstream RH release of EL7 patched rpm.

While some of us have updated to this patched package and nothing has blown up yet, that doesn't guarantee that it won't. Use at your own risk, I say again YOUR OWN RISK..

On advice:

Code:
yum install samba --enablerepo=smetest

Do NOT yum update

Enjoy :-)
« Last Edit: August 10, 2023, 12:40:10 PM by ReetP »
--
qui scribit bis legit

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #63 on: August 10, 2023, 12:43:31 PM »
As per Terry's advice above, this is strictly an emergency measure to assist Windows admins.

We make ZERO guarantees about this patch.

Only use it if absolutely necessary and please test it carefully before use.

We hope that RHEL will push updated rpms in due course.

Offline dloayza

  • 1
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #64 on: August 16, 2023, 06:12:06 AM »
Hello

The rpm file was deleted from smetest?

I'm trying to fix a server and samba is taken from smeupdates (this file doesn't fix the problem)

Some days ago the command "yum install samba --enablerepo=smetest" worked fine.

Does anyone know?

Thanks


Offline Jean-Philippe Pialasse

  • *
  • 2,765
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Domain login broken after - windows update KB5028166
« Reply #65 on: August 16, 2023, 06:35:33 AM »
now in smeupdates-testing

yum install samba --enablerepo=smeupdates-testing

Offline dvdsmith

  • *
  • 40
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #66 on: August 24, 2023, 03:38:51 PM »
Quote
now in smeupdates-testing

yum install samba --enablerepo=smeupdates-testing

FWIW, did this a couple days ago, no issues.

Also, on a test system installed the latest Win10 22H2 Update Preview (KB5029331) and it still works. This will likely be the September Patch Tuesday, though the actual KB number may change.

Offline john56

  • ***
  • 143
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #67 on: August 24, 2023, 07:57:44 PM »
Code:
yum install samba --enablerepo=smeupdates-testing
I did it too. No issues. Useful to begin a school year in high school with serenity... thanks.

Offline ReetP

  • *
  • 3,740
  • +5/-0
Re: Domain login broken after - windows update KB5028166
« Reply #68 on: August 24, 2023, 08:15:00 PM »
Just remember..... This has zero guarantees.

Hence it is in a test repo.

Don't use it unless you absolutely have to.

Make sure you keep a close lookout for issues.

Offline jayraym

  • 8
  • +0/-0
Re: Domain login broken after - windows update KB5028166
« Reply #69 on: August 28, 2023, 09:57:17 AM »
The fix works for me as well, thanks guys!