dummzeuch

Warning: Windows Update KB5028166 breaks NT Domains


Just in case we are not the only ones still using Samba with an NT domain:
Windows Update KB5028166 which will automatically be installed on Windows 10 today, breaks compatibility with that domain type. After the installation, a login with a domain account no longer works. Removing that update fixes the issue, but of course that’s no permanent solution.


I use a Samba Domain on Ubuntu (16.04) and can login with KB5028166 installed from a 22H2 W10 VM..

 

I used a new Domain account to force new profile generation to make sure..

6 minutes ago, FredS said:

I use a Samba Domain on Ubuntu (16.04) and can login with KB5028166 installed from a 22H2 W10 VM..

 

I used a new Domain account to force new profile generation to make sure..

That problem consistently occurred on all our computers when that update was installed (5 so far, 2 of those VMs) and disappeared when I uninstalled it. And I'm not the only one who has that problem. No idea why it works for you.

 

 

Edited by dummzeuch

15 minutes ago, dummzeuch said:

No idea why it works for you

Dunno, it's a reasonably new install, only a handful of hotfixes installed.. will try my old noisy 'puter next 🙂

Edited by FredS

55 minutes ago, FredS said:

 will try my old noisy 'puter next 🙂

Updating did not install KB5028166 on that one today..


To be fair, Microsoft has declared SMBV1 deprecated as early as 2014. And recent installations of Wins 10 and 11 have SMBV1 deactivated by default. Finally killing it now altogether seems logical and overdue. And if you ask Ned Pyle (Microsoft's guy in charge of this) you should have gotten rid of it years ago: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows

11 minutes ago, Sherlock said:

To be fair, Microsoft has declared SMBV1 deprecated as early as 2014. And recent installations of Wins 10 and 11 have SMBV1 deactivated by default. Finally killing it now altogether seems logical and overdue. And if you ask Ned Pyle (Microsoft's guy in charge of this) you should have gotten rid of it years ago: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows

Well, blocking old SAMBA... I have some old NAS/Media center at home. And of course there are no new updates for ages. And I really don't waste money on a new one because someone decides that it is not secure enough anymore and I cannot access it over LAN.


At least you don't have to throw out a 6k$ scanner/printer because it can only scan to folders via SMB1. And it is not just someone that deems SMB1 insecure, it is the majority of users.


Yes, we should have been updating it years ago. As I said, there are reasons. But I won't discuss them here.

 

The point simply is that it stopped working due to an update that was forced on us without a warning (at least not one I noticed).

I have been spending several hours already to uninstall and block this update so my colleagues can finally get their work done.

 

Large companies and home users will most likely never notice because even home users who use SMBv1 will most likely not use an NT domain and accessing a stand alone Samba server still works.

38 minutes ago, Sherlock said:

At least you don't have to throw out a 6k$ scanner/printer because it can only scan to folders via SMB1. And it is not just someone that deems SMB1 insecure, it is the majority of users.

I have a tool for that (not tested with the different SMB version yet).

(when the scanner can smtp or ftp)

 

You can set up a simple virtual ftp and/or smtp server with it.

In the configuration you can determine which ftp folder or fake smtp email address goes to another protocol, e.g. SMBvx, secure ftp, secure smtp, office365 etc.

(tool needs some work to go public)

 

The tool is named: ProtoBridge 

Of course this is a tool which would never be directly connected to the internet.

 

configuration example:

// Common Settings
[general]
queuefolder=e:\Data\MyCompany\ProtoBridge
;discardhandledmessage=false
discardhandledfiles=true
debug=false

// IP accesslist
[acl]
allowed=172.16.29.4,172.16.29.41,172.16.29.42,172.16.29.249,172.16.29.250,192.168.1.3,192.168.1.4,192.168.1.15,192.168.1.16,172.16.29.170,172.16.29.153,172.16.29.37,172.16.29.38,172.16.29.104,172.16.29.131,192.168.1.18
;blocked=127.0.0.1

// setup virtual smtpserver
[smtpserver]
smtp_listenip=172.16.29.4,192.168.1.18
smtp_listenport=25

//emails not caught by targets are sent through with smtp config smtppassthrough
smtppassthrough=smtp.ict@company 
allowpipelining=true

// setup virtual ftpserver
[ftpserver]
enable=false
ip=127.0.0.1
port=21
pasvstart=7000
pasvend=7999
;user=myftpuser
;password=myftppassword

// setup real smtp account, O365 in this case
[smtp.ict@company]
discardhandledfiles=true

smtp_servertype=office365oauth2
smtp_username=ict@company.eu
smtp_from=ict@company.eu

oauth2_tenantname=company.onmicrosoft.com
oauth2_applicationid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
oauth2_clientsecret=XXXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


// possible conversions: localfolder, smb, smtp2localfolder,  smtp2smb, ftp2localfolder, ftp2smb, ftp2smtp, ftp2smtp, smtp2smtp


//catch smtp recipient 'localfolder@smtp.local' and put the files to  c:\temp\company\smtprelay\localfolder
[target.localfolder]
targettype=localfolder
folder=c:\temp\company\smtprelay\localfolder
catchto=localfolder@smtp.local

//catch ftp folder 'myftpfolder' and put the files to  c:\Temp\company\LocalFolder\Username\X
;[target.myftpfolder]
;targettype=ftp2localfolder
;folder=c:\Temp\company\LocalFolder\Username\X
;;fileexist=deny, overwrite, rename - default overwrite
;fileexist=rename

//catch ftp folder 'myftpfolder2' and put the files to  c:\Temp\company\LocalFolder\Username\2
// 
[target.myftpfolder2]
targettype=ftp2localfolder
folder=c:\Temp\company\LocalFolder\Username\2

//catch ftp folder 'myftpfolder3' and send the files to Username@company.nl using smtpconfig smtp.ict@company
[target.myftpfolder3]
targettype=ftp2smtp
smtp=smtp.ict@company
smtp_to=Username@company.nl
discardhandledfiles=true

 

 

Edited by mvanrijnen
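Added example, not part of the post above and not ProtoBridge code: a small audit of a configuration in the posted layout, checking the three things that keep a legacy-protocol bridge internal (allow-list entries, listener bind addresses, secrets kept in the file). The meaning of each key is assumed from the comments in the posted configuration, and the sample values are constructed.

```python
import configparser
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the post's layout; addresses and secrets are placeholders.
SAMPLE = """
// IP accesslist
[acl]
allowed=172.16.29.4,192.168.1.3,203.0.113.7
[smtpserver]
smtp_listenip=172.16.29.4,0.0.0.0
smtp_listenport=25
[ftpserver]
enable=true
ip=192.168.1.18
;user=myftpuser
password=PLACEHOLDER
[smtp.ict@company]
oauth2_clientsecret=PLACEHOLDER
"""

def _ips(value):
    return [ipaddress.ip_address(p.strip()) for p in value.split(",") if p.strip()]

def _internal(ip):
    return ip.is_loopback or any(ip in net for net in RFC1918)

def audit(text):
    """Findings for a config in the post's format; key meanings are assumed from its comments."""
    cp = configparser.ConfigParser(comment_prefixes=("//", ";"), interpolation=None)
    cp.read_string(text)
    findings = []
    allowed = _ips(cp.get("acl", "allowed", fallback=""))
    if not allowed:
        findings.append("acl: no allow list configured")
    findings += [f"acl: {ip} is outside loopback/RFC 1918 space" for ip in allowed if not _internal(ip)]
    listeners = [("smtpserver", "smtp_listenip")]
    if cp.getboolean("ftpserver", "enable", fallback=False):
        listeners.append(("ftpserver", "ip"))  # FTP section only counts when enabled
    for section, key in listeners:
        for ip in _ips(cp.get(section, key, fallback="")):
            if not _internal(ip):  # also catches 0.0.0.0 (all interfaces)
                findings.append(f"{section}: listener bound to {ip}")
    for section in cp.sections():
        for key in cp[section]:
            if key.endswith(("password", "clientsecret")):
                findings.append(f"{section}: {key} is stored in the config file")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
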


Autoupdate is evil and autoinstalling fresh MS updates until they're tested for at least a month is like jumping from the roof in hope there will be a haystack below.

1 hour ago, Fr0sT.Brutal said:

Autoupdate is evil and autoinstalling fresh MS updates until they're tested for at least a month is like jumping from the roof in hope there will be a haystack below.

And that is what the WSUS is for.


It has reached the Samba mailing list and there is a bug report for it.

 

If I understand it correctly, Microsoft did not document the changed behaviour beforehand, as apparently they promised they would.

(Microsoft was actually contributing to Samba for a while, not sure about that recently.)

