Warning: Windows Update KB5028166 breaks NT Domains

[dummzeuch 1392]

Just in case we are not the only ones still using Samba with an NT domain:
Windows Update KB5028166 which will automatically be installed on Windows 10 today, breaks compatibility with that domain type. After the installation, a login with a domain account no longer works. Removing that update fixes the issue, but of course that’s no permanent solution.

[FredS 138]

I use a Samba Domain on Ubuntu (16.04) and can login with KB5028166 installed from a 22H2 W10 VM..

 

I used a new Domain account to force new profile generation to make sure..

[dummzeuch 1392]

6 minutes ago, FredS said:

I use a Samba Domain on Ubuntu (16.04) and can login with KB5028166 installed from a 22H2 W10 VM..

 

I used a new Domain account to force new profile generation to make sure..

That problem consistently occurred on all our computers when that update was installed (5 so far, 2 of those VMs) and disappeared when I uninstalled it. And I'm not the only one who has that problem. No idea why it works for you.

 

 

Edited July 12, 2023 by dummzeuch

[FredS 138]

15 minutes ago, dummzeuch said:

No idea why it works for you

Dunno, its a reasonably new install, only a handful of hotfixes installed.. will try my old noisy 'puter next 🙂

Edited July 12, 2023 by FredS

[FredS 138]

55 minutes ago, FredS said:

 will try my old noisy 'puter next 🙂

Updating did not install KB5028166 on that one today..

[dummzeuch 1392]

I'm not alone and it's spreading:

 

After update KB5028166 trust relationship broken.

KB5028166 update. computers are unable to join the domain.

 

So there is hope that somebody figures out a fix or a workaround.

 

In the meantime nearly 20 of our computers were affected. My warning not to install this update came to late for several of my colleagues.

[Sherlock 632]

To be fair, Microsoft has declared SMBV1 deprecated as early as 2014 And recent installations of Wins 10 and 11 have SMBV1 deactivated by default. Finally killing it now altogether seems logic and overdue. And if you ask Ned Pyle (Microsofts guy in charge of this) you should have gotten rid of it years ago: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows

[DiGi 14]

11 minutes ago, Sherlock said:

To be fair, Microsoft has declared SMBV1 deprecated as early as 2014 And recent installations of Wins 10 and 11 have SMBV1 deactivated by default. Finally killing it now altogether seems logic and overdue. And if you ask Ned Pyle (Microsofts guy in charge of this) you should have gotten rid of it years ago: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows

Well, blocking old SAMBA... I have some old NAS/Media center at home. And of course there are no new updates for ages. And I really don't waste money on new one because someone decides that it is not secure enough anymore and I cannot access it over LAN.

[Sherlock 632]

At least you don't have to throw out a 6k$ scanner/printer because it can only scan to folders via SMB1. And it is not just someone that deems SMB1 insecure, it is the majority of users.

[dummzeuch 1392]

Yes, we should have been updating it years ago. As I said, there are reasons. But I won't discuss them here.

 

The point simply is that it stopped working due to an update that was forced on us without a warning (at least not one I noticed).

I have been spending several hours already to uninstall and block this update so my colleagues can finally get their work done.

 

Large companies and home users will most likely never notice because even home users who use SMBv1 will most likely not use an NT domain and accessing a stand alone Samba server still works.

[mvanrijnen 121]

38 minutes ago, Sherlock said:

At least you don't have to throw out a 6k$ scanner/printer because it can only scan to folders via SMB1. And it is not just someone that deems SMB1 insecure, it is the majority of users.

I have a tool for that, (not tested with the different SMB version yet). 

(when the scanner can smtp or ftp)

 

You can setup a simple virtual ftp and/or smtp server with it,  

In the configuration you can determine which ftp folder or fake smtp emailaddress goes to another protocol, e.g SMBvx, secure ftp, secure smtp, office365 etc etc.

(tool needs some work to go public)

 

The tool is named: ProtoBridge 

Of course this is a tool which would never be directly connected to the internet.

 

configuration example:

// Common Settings
[general]
queuefolder=e:\Data\MyCompany\ProtoBridge
;discardhandledmessage=false
discardhandledfiles=true
debug=false

// IP accesslist
[acl]
allowed=172.16.29.4,172.16.29.41,172.16.29.42,172.16.29.249,172.16.29.250,192.168.1.3,192.168.1.4,192.168.1.15,192.168.1.16,172.16.29.170,172.16.29.153,172.16.29.37,172.16.29.38,172.16.29.104,172.16.29.131,192.168.1.18
;blocked=127.0.0.1

// setup virtual smtpserver
[smtpserver]
smtp_listenip=172.16.29.4,192.168.1.18
smtp_listenport=25

//emails not catced with targets are send trough with smpt config  smtppassthrough
smtppassthrough=smtp.ict@company 
allowpipelining=true

// setup virtual ftpserver
[ftpserver]
enable=false
ip=127.0.0.1
port=21
pasvstart=7000
pasvend=7999
;user=myftpuser
;password=myftppassword

// setup real smtp account, O365 in this case
[smtp.ict@company]
discardhandledfiles=true

smtp_servertype=office365oauth2
smtp_username=ict@company.eu
smtp_from=ict@company.eu

oauth2_tenantname=company.onmicrosoft.com
oauth2_applicationid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
oauth2_clientsecret=XXXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


// possible conversions: localfolder, smb, smtp2localfolder,  smtp2smb, ftp2localfolder, ftp2smb, ftp2smtp, ftp2smtp, smtp2smtp


//catch smtp recipient 'localfolder@smtp.local' and put the files to  c:\temp\company\smtprelay\localfolder
[target.localfolder]
targettype=localfolder
folder=c:\temp\company\smtprelay\localfolder
catchto=localfolder@smtp.local

//catch ftp folder 'myftpfolder' and put the files to  c:\Temp\company\LocalFolder\Username\X
;[target.myftpfolder]
;targettype=ftp2localfolder
;folder=c:\Temp\company\LocalFolder\Username\X
;;fileexist=deny, overwrite, rename - default overwrite
;fileexist=rename

//catch ftp folder 'myftpfolder2' and put the files to  c:\Temp\company\LocalFolder\Username\2
// 
[target.myftpfolder2]
targettype=ftp2localfolder
folder=c:\Temp\company\LocalFolder\Username\2

//catch ftp folder 'myftpfolder3' and send tje files to Username@company.nl using smtpconfig smtp.ict@company
[target.myftpfolder3]
targettype=ftp2smtp
smtp=smtp.ict@company
smtp_to=Username@company.nl
discardhandledfiles=true

 

 

Edited July 13, 2023 by mvanrijnen

[DelphiUdIT 132]

May be this should help:

 

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704

 

It was released one month ago and I think it's now effective on the release channel.

 

[Fr0sT.Brutal 897]

Autoupdate is evil and autoinstalling fresh MS updates until they're tested for at least a month is like jumping from the roof in hope there will be a haystack below.

[Sherlock 632]

1 hour ago, Fr0sT.Brutal said:

Autoupdate is evil and autoinstalling fresh MS updates until they're tested for at least a month is like jumping from the roof in hope there will be a haystack below.

And that is what the WSUS is for.

[dummzeuch 1392]

It has reached the Samba mailing list and there is a bug report for it.

 

If understand it correctly, Microsoft did not document the changed behaviour beforehand, as apparently they promised they would.

(Microsoft was actually contributing to Samba for a while, not sure about that recently.)

[dummzeuch 1392]

There is already a patch to fix the issue. Thanks a lot @StefanMetzmacher

[Matthias 7]

Synology provides a patch to solve the problem on their NAS boxes which worked fine for me.