Koozali.org: home of the SME Server

Domain login broken after - windows update KB5028166

Offline jayraym

« Reply #45 on: July 28, 2023, 04:35:23 PM »
FYI, I just downloaded and installed the next Windows update (KB5028254): once it's done it doesn't give you the opportunity to uninstall KB5028185 through the GUI. I tried with wusa /uninstall /kb:5028185, no luck either, so I guess no more workaround (other than unplugging the network cable) once it's installed.

Offline dvdsmith

« Reply #46 on: July 28, 2023, 04:47:14 PM »
Quote
FYI, I just downloaded and installed the next Windows update (KB5028254): once it's done it doesn't give you the opportunity to uninstall KB5028185 through the GUI. I tried with wusa /uninstall /kb:5028185, no luck either, so I guess no more workaround (other than unplugging the network cable) once it's installed.

I am assuming the netlogon patch in KB5028185 is rolled into KB5028254. You could uninstall and block KB5028254 as well as a stopgap. Hopefully the Samba fix is out before Patch Tuesday.

FYI, those are the KBs for Windows 11 22H2. For those running Windows 10 22H2, they are KB5028166 and KB5028244.

Offline ReetP

« Reply #47 on: July 28, 2023, 06:30:09 PM »
I'm pretty sure that RH will get a patch out eventually - they are offering extended support.

However, they will probably drag their heels trying to force more users to upgrade......
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

« Reply #48 on: July 31, 2023, 07:33:29 PM »
So they've released fixes for EL8

https://listman.redhat.com/archives/rhsa-announce/2023-July/012541.html

And EL9

https://listman.redhat.com/archives/rhsa-announce/2023-July/012542.html

Still waiting for EL7. Why doesn't that surprise me..... ?

Offline yythoss

« Reply #49 on: August 02, 2023, 07:40:17 PM »
Hello Forum,

I have compiled the Samba RPMs for SME9 and SME10.

(deleted by yythoss)

If anyone is interested please send me a PM.
For this update you need Linux knowledge on the console!
The associated risk is explained further below.
For this reason I have removed this post.

=====================

Admin edit.
V9 is NOT supported. Please do NOT publish ANY v9 information here thanks.

V10 - please think at least 4 times before grabbing rpms from unknown sources.

We cannot support your server if you install these.

Your server is totally at risk if you install these rpms.

You have been warned
« Last Edit: August 03, 2023, 06:16:28 PM by yythoss »

Offline Jean-Philippe Pialasse

« Reply #50 on: August 03, 2023, 12:19:32 AM »
While yythoss, a long-term member of the community, is trying to help others by providing an easy and fast solution, it is not best practice to grab RPMs from outside a legitimate repo if you want to maintain the security of your server. If you start with this approach you might end up with an RPM with security issues. (Not saying that yythoss has any bad intentions.)

Also this is not a definitive fix because it will be overridden by any update using a higher version or higher release number from the upstream repo. And if they did not provide the same fix you will see the bug again without understanding why…

An option would also be to disable updates, but then you will miss security fixes.

So yes, they take a long walk before releasing something for rhel7/centos7, but it is best to wait using the client-side workaround, or patch yourself and get ready to repatch in case of reoccurrence.
« Last Edit: August 03, 2023, 12:21:15 AM by Jean-Philippe Pialasse »

Offline yythoss

« Reply #51 on: August 03, 2023, 08:50:16 AM »
Wow!
I don't think any of the admins here have customers who call every day because of the Windows login problem!

I've been working on the patch for a week and had a lot of help from Stefan Metzmacher from Samba, who fixed the problem.
The source code is direct from Samba:

https://download.samba.org/pub/samba/stable/

The last update for 4.10.16 was 2020!
I think there will be no more updates, neither for Samba 3 nor for Samba 4.10.16.

The SME10 will also be End of Life next year.
As there are certainly many customers who will be keeping the SME 10 for some time, I thought I would help.

You are welcome to delete my post.
For those who have already installed the RPMs, you can always go back to the old Samba version.

SME 10
Code:
yum --disablerepo="*" --enablerepo="updates" downgrade samba\* lib\*
SME9
Code:
yum downgrade samba\* libsmbclient
That was the last time I helped here.

Offline bunkobugsy

« Reply #52 on: August 03, 2023, 09:06:23 AM »
https://bugzilla.redhat.com/show_bug.cgi?id=2222250
Status:   VERIFIED
Fixed In Version:   samba-4.10.16-25.el7_9

This means there will be an official fix, however anyone installing custom -25 rpms won't see them released.
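
Added example (not part of the thread or any poster's code): a Python sketch of rpm's segment-wise version ordering, showing which locally built samba packages would keep yum from offering the official samba-4.10.16-25.el7_9. The local release tags and epoch 0 are assumptions, and tilde/caret handling is left out.

```python
import re

def rpm_tokens(s):
    # rpm splits on anything that is not a letter or digit, and also at
    # every letter/digit boundary: "25.el7_9" -> 25, el, 7, 9
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return 1 if a is newer, -1 if b is newer, 0 if equal (no ~ or ^ handling)."""
    ta, tb = rpm_tokens(a), rpm_tokens(b)
    for x, y in zip(ta, tb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)             # numbers compare by value, not as text
        if x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with segments left over is newer
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def update_offered(installed, candidate):
    # yum only proposes a candidate that sorts strictly newer than what is installed
    return evr_cmp(candidate, installed) > 0

# "Fixed In Version" quoted in the post above; epoch 0 is an assumption.
OFFICIAL = (0, "4.10.16", "25.el7_9")

# Constructed release tags a locally built package might carry (hypothetical).
LOCAL_BUILDS = ["25", "25.sme", "25.el7_9.local1"]

def report():
    return {rel: update_offered((0, "4.10.16", rel), OFFICIAL) for rel in LOCAL_BUILDS}

if __name__ == "__main__":
    for rel, offered in report().items():
        print(f"installed samba-4.10.16-{rel}: official -25.el7_9 offered = {offered}")
```

Only the bare -25 build is replaced automatically; the other two sort above the official release, so the local package stays installed until it is downgraded or replaced by hand.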

Offline sages

« Reply #53 on: August 03, 2023, 10:04:26 AM »
Quote
Wow!
I don't think any of the admins here have customers who call every day because of the Windows login problem!

I've been working on the patch for a week and had a lot of help from Stefan Metzmacher from Samba, who fixed the problem.
The source code is direct from Samba:

https://download.samba.org/pub/samba/stable/

The last update for 4.10.16 was 2020!
I think there will be no more updates, neither for Samba 3 nor for Samba 4.10.16.

The SME10 will also be End of Life next year.
As there are certainly many customers who will be keeping the SME 10 for some time, I thought I would help.

You are welcome to delete my post.
For those who have already installed the RPMs, you can always go back to the old Samba version.

SME 10
Code:
yum --disablerepo="*" --enablerepo="updates" downgrade samba\* lib\*
SME9
Code:
yum downgrade samba\* libsmbclient
That was the last time I helped here.

Nothing you have replied negates the warning that has been posted. Get off your high horse and read the warnings again. Yes, you have a patched update, congratulations on working through the issue. Are you going to maintain the patched package for future users? Pick up your dummy and stop taking legitimate and valid feedback as an attack.
Good luck with future FOSS endeavours.

Offline ReetP

« Reply #54 on: August 03, 2023, 02:35:37 PM »
Quote
Wow!
I don't think any of the admins here have customers who call every day because of the Windows login problem!

This thread is by admins who have experienced this problem......

Quote
I've been working on the patch for a week and had a lot of help from Stefan Metzmacher from Samba, who fixed the problem.
The source code is direct from Samba:

https://download.samba.org/pub/samba/stable/

The last update for 4.10.16 was 2020!
I think there will be no more updates, neither for Samba 3 nor for Samba 4.10.16.

Bunkobugsy built patched rpms over a week ago by himself. Same thing applies. Installing them for most people is not best practice and we may end up with more issues than those it resolves.

Our policy is to wait for upstream. That's it. We understand the frustration but as already pointed out, we do not have the manpower to maintain packages like this ourselves.

Also as pointed out, there will be a patch from RHEL - they are offering extended support so they can't NOT offer a patch. They are just dragging their feet.

Quote
The SME10 will also be End of Life next year.

It will, and we hope that Koozali SME 11 will be there to replace it, but it won't get done unless people like you get involved and help.

Quote
As there are certainly many customers who will be keeping the SME 10 for some time, I thought I would help.

It doesn't really help anyone per se. Like v9 they should not use it beyond the EOL date. Your rpms will make no difference when v10 is EOL. RHEL will likely have released updates long before that.

This is about best practice. We are not trying to criticise you but things need to be done in a certain way. As I have said to people many times before, contact me for a Rocket.Chat account and talk to those of us who develop directly and we can advise the best way to do things.

Quote
You are welcome to delete my post.

Editing to remove v9 was sufficient, along with a large warning about potential risks with v10.

Quote
That was the last time I helped here.

That would be sad. It would be much better to speak to us directly and understand our policies than have a shouting match here.


Offline yythoss

« Reply #55 on: August 03, 2023, 03:59:12 PM »
Quote
This thread is by admins who have experienced this problem......

I know, I mean the admins of the forum.

Quote
Nothing you have replied negates the warning that has been posted. Get off your high horse and read the warnings again. Yes, you have a patched update, congratulations on working through the issue. Are you going to maintain the patched package for future users? Pick up your dummy and stop taking legitimate and valid feedback as an attack.
Good luck with future FOSS endeavours.

I just wanted to help.

It should be a quick help for all administrators so that they don't have to go to every Windows Computer to deinstall the Update.
You can always uninstall my RPMs as soon as new ones are officially available.
I don't understand this uprising at all and I'm really disappointed.

Offline ReetP

« Reply #56 on: August 03, 2023, 04:20:21 PM »
Quote
I know, I mean the admins of the forum.

I just wanted to help.

Yes we know. But as explained there are ways to do this and there are ways not to do this. Talk to us and we will happily guide you - the hard part is getting people to get involved.... You can DM or email me for a Rocket.Chat account and come and help.

Quote
It should be a quick help for all administrators so that they don't have to go to every Windows Computer to deinstall the Update.
You can always uninstall my RPMs as soon as new ones are officially available.
I don't understand this uprising at all and I'm really disappointed.

Please read Jean-Philippe Pialasse's comments above as to why this is bad practice.

Remember, there are a lot of inexperienced admins out there who may follow this and then find themselves in all sorts of trouble as they miss more updates.

They tend to install, think it solves the issue, not be aware of the security implications, forget about it, and then miss another vital update.

Manual updates to core upstream built packages should always be avoided unless you absolutely know exactly what you are doing, and are prepared to take risks.

Take it from us - as the ones who try and solve/fix a lot of issues people experience - it can waste an awful lot of our time and energy. We have the t-shirts, and videos.

Also see this:

https://xyproblem.info/

Offline yythoss

« Reply #57 on: August 03, 2023, 06:15:32 PM »
You're right, I took out my post

Offline ReetP

« Reply #58 on: August 04, 2023, 12:17:40 PM »
Quote
You're right, I took out my post

:-) Sorry - I didn't mean to be harsh, and we value what you do but we have to consider the many inexperienced admins out there - it is a direct result of SME being so 'easy' to use.

Please do contact me and get a Rocket login and talk to us directly. We need people with your skills!

We are currently working on migrating from CVS to git, and then will start on building Koozali SME v11 (and possibly 12 as well). We need all the help we can get!!

I hope that RHEL will release the EL7 fix ASAP. My cynical side says they are holding it to try and force users off EL7 :-( We'll see.

Please be assured that even if we don't use Windows, it does not mean we are not concerned!! We feel your pain!

We will of course post here the minute we hear anything more.

Thanks.

Offline john56

« Reply #59 on: August 04, 2023, 05:23:29 PM »
Thank you yythoss for your contribution. We appreciate it.
We will wait for the security fix direct from SME10 to be in the right way.