Topic: Domain login broken after - windows update KB5028166

[bunkobugsy]

This is from the Samba mailing list:

https://lists.samba.org/archive/samba/2023-July/245765.html

[dvdsmith]

For some Windows LTS versions the update may be KB5028168.

Also, in my mitigate I found the following.

If you just remove it and pause updates, on restart it should sign into the domain no problem. If however you removed then readded the machine from the domain prior to uninstalling the update, you will need to remove/readd it again.

[bunkobugsy]

Bad news: https://bugzilla.samba.org/show_bug.cgi?id=15418#c3

undocumented "Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7652"

"Hope Microsoft takes back this update asap since it will take at least a half year until a fix for this will be downstream"

Actually this might be CVE-2023-21526  Windows Netlogon Information Disclosure Vulnerability

For now only solution seems to be removing and blocking KB5028166 (Win10) or KB5028185 (Win11).

[ReetP]

have we to do it ? add this to smb.conf ?

Code: [Select]

reject md5 clients = yes

I (now) believe that will only work on patched versions of samba.

We are reliant on RH fixing this.

Only option right now is to roll back your update as per bunkobugsy above.

https://forums.koozali.org/index.php/topic,55017.msg289810.html#msg289810

[darmasanthi]

I have the same problem that mostly happens on Windows 10 clients,
what is the fix solution that solve the problem

please help me

thank you,
darmasanthi

Hi everyone,

I just wanted to report it seems windows update KB5028166 has completely broken domain login on SME 10.1 as well as the older SME 9.2.

It seems once the update is applied. you will get a trust relationship error when logging in on your windows 10 computers.

In our case i was able to roll-back KB5028166 and hide the update with a tool. but i was wondering if anyone else has experienced this problem? and know of a better long-term fix.

I tried the following...
*Re-applying Registry fixes
*Updating SME 10.1 to latest Samba packages
*restarts of both SME 10.1 and windows clients

I know the list is bit lean - unfortunately we working a few different issues currently. but i will try some more items when we get a chance

[ReetP]

I have the same problem that mostly happens on Windows 10 clients,
what is the fix solution that solve the problem

See above.

For now only solution seems to be removing and blocking KB5028166 (Win10) or KB5028185 (Win11).

[bunkobugsy]

SME tracking bug: https://bugs.koozali.org/show_bug.cgi?id=12378

[bunkobugsy]

Installing a WSUS server could help a lot for big domains
https://www.prajwaldesai.com/install-configure-wsus-on-windows-server-2019/

On every workstation add something like this via regedit as administrator:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.domain.tld:8530"
"WUStatusServer"="http://wsus.domain.tld:8530"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

Then in WSUS administration you have to approve every update, but also for removal faulty ones:



https://serverfault.com/questions/296429/how-to-roll-back-or-uninstall-microsoft-patch-using-wsus

[Jáder]

I have no tested it yet but I think something like: wusa /uninstall /kb:5028166 run as ADMIN or from any package installation software would work.
I still working on a WPKG package for removal it from my clients machines. I`ll keep you updated.

[dvdsmith]

I have no tested it yet but I think something like: wusa /uninstall /kb:5028166 run as ADMIN or from any package installation software would work...

Yes, this works from an elevated command prompt or powershell. Of course it has to be from a local account with the trust issue breaking any domain admin access. Might be an issue for some remote package management that authenticate via those accounts?

[dvdsmith]

FYI, they seem to be having progress in here.

https://bugzilla.samba.org/show_bug.cgi?id=15418

A patch they are experimenting with reported as working in samba 4.13 and 4.18. Not sure if applicable though to Koozali 10.1 which currently uses samba 4.10.16.

[ReetP]

Remember we don't build our own samba rpms so are dependent on upstream ie RH/CentOS packages.

I have no idea currently of the feasability of trying a backport - we'll need to look at the patches and see, but building samba is no mean feat with a mountain of dependencies when building.

[Jáder]

Yes, this works from an elevated command prompt or powershell. Of course it has to be from a local account with the trust issue breaking any domain admin access. Might be an issue for some remote package management that authenticate via those accounts?

Yes, I have a best practice to create a local account as admin .Usually it's the name of company and a default password.
All managed by WPKG installer.
Right now I have a half-way package to fix this. It removes the KB5028166 and deny download later.
I cannot find a way (yet) to test if those things are already done so it slow down the startup a minute.
I know about DOS errorlevel but it isn't working...not sure why:
This command call a PowerShell

Code: [Select]

     <install timeout="300" cmd='%comspec% /C powershell -NoProfile -NonInteractive -ExecutionPolicy bypass -File "%SOFTWARE%\kb5028166.ps1"' />
and this is the powershell script:

Code: [Select]

If(-not(Get-InstalledModule pswindowsupdate -ErrorAction silentlycontinue)){
    Set-PSRepository NuGet     -InstallationPolicy Trusted
    Set-PSRepository PSGallery -InstallationPolicy Trusted
    Install-Module pswindowsupdate -Confirm:$False -Force
}

hide-windowsupdate -KBArticleID KB5028166
wusa /uninstall /kb:5028166 /quiet /norestart

If anyone knows how to verify a KB is installed better than:

Code: [Select]

wmic qfe list brief /format:table|findstr KB5028166I'd thank you.
later something like:

Code: [Select]

if errorlevel 0 wusa /uninstall /kb:5028166would make all automagically... but this ERRORLEVEL is a problem right now.

I think we could use if errorlevel 1 to run all other commands:

Code: [Select]

If(-not(Get-InstalledModule pswindowsupdate -ErrorAction silentlycontinue)){
    Set-PSRepository NuGet     -InstallationPolicy Trusted
    Set-PSRepository PSGallery -InstallationPolicy Trusted
    Install-Module pswindowsupdate -Confirm:$False -Force
}

hide-windowsupdate -KBArticleID KB5028166
and otherwise just remove it with wusa /uninstall /kb:5028166

just do not find the right sintax till now. My best guess till now in PS is this as KB5028166.ps1 file content:

Code: [Select]

$instalado = wmic qfe list brief /format:table|findstr KB5028166
if ($instalado){
   write-host "Encontrei o KB5028166, removendo... aguarde"
   write-host "run: wusa /uninstall /kb:5028166"}
else{
        If(-not(Get-InstalledModule pswindowsupdate -ErrorAction silentlycontinue)){
        Set-PSRepository NuGet     -InstallationPolicy Trusted
        Set-PSRepository PSGallery -InstallationPolicy Trusted
        Install-Module pswindowsupdate -Confirm:$False -Force
       write-host "Nao encontrei o KB5028166, evitando instalacao... aguarde"
        write-host "run: hide-windowupdate -KBArticle KB5028166"
        }
}

Note the write-host is SHOWING the commands instead of running them.

Any tips are welcome.

[Gary Douglas]

a solution in some cases, i.e. single user, might be to leave the domain and set to workgroup. Microsoft have done this before. Then use ForensIT User Profile Wizard to restore the domain user profile to the new local user profile. There is a free edition here;  https://www.forensit.com/Downloads/Profwiz.msi

[dvdsmith]

[/code]and this is the powershell script:

Code: [Select]

If(-not(Get-InstalledModule pswindowsupdate -ErrorAction silentlycontinue)){
    Set-PSRepository NuGet     -InstallationPolicy Trusted
    Set-PSRepository PSGallery -InstallationPolicy Trusted
    Install-Module pswindowsupdate -Confirm:$False -Force
}

hide-windowsupdate -KBArticleID KB5028166
wusa /uninstall /kb:5028166 /quiet /norestart


Correct me if I'm wrong, but I'm pretty sure the /quiet flag is depreciated for wusa in Win10 for security reasons.
https://learn.microsoft.com/en-us/answers/questions/636329/unable-to-use-wusa-to-uninstall-updates-in-quiet-m