Windows update broke trust relationship & NLA error

Hi All,

Since applying the July cumulative updates KB5028166 (Win10 22H2) and KB5028185 (Win11 22H2) we can no longer authenticate to our NethServer domain.

We are seeing two errors.

1 - In PDQ - The trust relationship between this workstation and the primary domain failed
2 - When we try and Remote into a workstation we get the following error - The remote computer that you're trying to connect to requires NLA but your Windows domain controller cannot be contacted to perform NLA.

We have always had NLA enabled.

Once I uninstall those KBs I can RDP into the computers.

Please advise.

2 Likes

https://bugzilla.samba.org/show_bug.cgi?id=15418#c6

"very annoying. just debugged and after I saw Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7652 I immediately found this bug report.

Hope Microsoft takes back this update asap since it will take at least a half year until a fix for this will be downstream"

Rollback and block KB.

1 Like
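A quick way to confirm a DC is hitting this bug is to look for the NDR parse failure quoted above in the Samba log. The following is an added example, not code from the thread or from NethServer/Samba: it counts the "Bad switch value ... ndr_netlogon.c" lines in a log file. The sample log lines are constructed for the example (only the error text itself comes from the bug report); the real file path and line layout of your Samba log are assumptions.

```shell
#!/bin/sh
# Added example: detect the Samba bug 15418 signature in a Samba AD DC log.
# Only the "Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7652" text is
# taken from the bug report; every other part of these lines is constructed.
SAMPLE_LOG='[2023/07/12 09:14:02.114523,  0] ndr.c: Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7652
[2023/07/12 09:14:02.115001,  3] dcerpc_netlogon.c: netr_LogonSamLogonEx failed for client WS-01
[2023/07/12 09:20:45.002310,  0] ndr.c: Bad switch value 2 at librpc/gen_ndr/ndr_netlogon.c:7652
[2023/07/12 10:01:12.881200,  2] auth_log.c: Auth: user alice NT_STATUS_OK'

# Write the constructed sample to a temporary file and print its path,
# so the functions below can be exercised without a real DC.
write_sample_log() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "$tmp"
}

# Count the lines that carry the NDR parse failure (any switch value).
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps
# the function usable under "set -e".
count_netlogon_ndr_errors() {
    grep -Ec 'Bad switch value [0-9]+ at librpc/gen_ndr/ndr_netlogon\.c' "$1" || true
}

# Print the timestamp of the first and last occurrence, which tells you
# whether the failures line up with the Windows update rollout date.
netlogon_ndr_window() {
    matches=$(grep -E 'Bad switch value [0-9]+ at librpc/gen_ndr/ndr_netlogon\.c' "$1" | cut -d, -f1 | tr -d '[')
    [ -n "$matches" ] || { echo "no matches"; return 0; }
    echo "first: $(echo "$matches" | head -n 1)"
    echo "last:  $(echo "$matches" | tail -n 1)"
}

# Stand-alone run against the constructed sample. On a real DC, replace
# the path with your Samba log (assumed location, e.g. /var/log/samba/log.samba).
log_file=$(write_sample_log)
echo "ndr_netlogon failures: $(count_netlogon_ndr_errors "$log_file")"
netlogon_ndr_window "$log_file"
rm -f "$log_file"
```

A non-zero count after the July 2023 Windows updates, with no matches before them, is a strong indicator you are looking at bug 15418 rather than a genuinely broken machine account, so a client-side "reset the computer account" fix is not what is needed.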

Possibly related to CVE-2022-38023.

https://bugzilla.samba.org/show_bug.cgi?id=15418

Some other reports:
https://www.reddit.com/r/sysadmin/comments/14xmkw6/for_people_using_samba_and_windows_10_latest/

1 Like

I have opened an issue just to track the whole thing in NethServer project: Samba AD: Windows 10/11 lost trust relationship · Issue #6755 · NethServer/dev · GitHub

1 Like

WSUS could be of real help holding problematic Windows updates and even removing them

1 Like

WSUS could be of real help holding problematic Windows updates and even removing them

I’ve been using WSUS for a few years, and I really found it to be a PitA :slight_smile:

1 Like

There’s a patch available that seems to work
https://bugzilla.samba.org/show_bug.cgi?id=15418#c25

3 Likes

If someone feels really brave, I’ve created an rpm with the patch: spec: temporary patch from upstream by gsanchietti · Pull Request #115 · NethServer/nethserver-dc · GitHub

This is highly experimental and without any warranty or support

3 Likes

I have a new RPM which includes the latest patch from upstream, you can find it here: Samba 4.16.10 + fix for upstream 15418 by gsanchietti · Pull Request #115 · NethServer/nethserver-dc · GitHub

2 Likes

A fix for NethServer package is ready: Samba AD: Windows 10/11 lost trust relationship · Issue #6755 · NethServer/dev · GitHub

1 Like

Great work staying up on the Samba team's developments and for getting the patch included here in NethServer. Is this updated samba rpm now included in the official software update channel if we checked for updates within our NethServer web GUI? Or does it still have to go through more testing on your end before it reaches that stage? Any ETA on that side of this?

The package is still in testing, you can install it using:

yum --enablerepo=nethserver-testing update nethserver-dc

We already received some good feedback, we are going to release it soon.

1 Like

First of all, thanks for contributing to the entire community. In our case I have a version of Samba 4.13 (Centos8). Is it possible to apply this solution? If possible, I would appreciate your help. Thank you .
Gabriel

Hello Metaverse and welcome to NethServer community!

Samba team is preparing the official releases, but I think they are going to backport the patch only from Samba 4.16.
I can’t help you on CentOS 8 packages, you should look for the original RPM package maintainer :wink:

The fix has been released.

1 Like

Hi Giacomo, thank you for the heads up.
I ran yum update but have no available update and

#  yum info nethserver-dc
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile
 * ce-base: it2.mirror.vhosting-it.com
 * ce-extras: it2.mirror.vhosting-it.com
 * ce-sclo-rh: it2.mirror.vhosting-it.com
 * ce-sclo-sclo: it2.mirror.vhosting-it.com
 * ce-updates: it2.mirror.vhosting-it.com
 * epel: it1.mirror.vhosting-it.com
 * nethforge: neth-mirror2.email4u.co.at
 * nethserver-base: neth-mirror2.email4u.co.at
 * nethserver-updates: neth-mirror2.email4u.co.at
Installed Packages
Name        : nethserver-dc
Arch        : x86_64
Version     : 1.9.1
Release     : 1.ns7
Size        : 17 M
Repo        : installed
From repo   : nethserver-updates
Summary     : NethServer Domain Controller configuration
URL         : http://github.com/NethServer/nethserver-dc
License     : GPLv3+
Description : NethServer Samba 4 Domain Controller configuration

This is because you’re hitting a mirror:

nethserver-updates: neth-mirror2.email4u.co.at

Mirrors are synchronized every ~6 hours.

You can change the yum configuration to disable mirrorlist and enable baseurl to point directly to the master mirror: nethserver-release/root/etc/e-smith/templates/etc/yum.repos.d/NethServer.repo/10base at 55132ed6eccdac15b3b53632be8daad21cfcbcdc · NethServer/nethserver-release · GitHub

2 Likes
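The mirrorlist-to-baseurl switch described above, as an added example that is not part of the thread or of the nethserver-release project: it comments out every `mirrorlist=` line and uncomments the `#baseurl=` line in a repo file. The sample repo file content and the mirror URLs in it are constructed for the example, not copied from the real NethServer.repo.

```shell
#!/bin/sh
# Added example: switch a yum repo file from mirrorlist to baseurl so that
# a freshly released package is visible before the public mirrors sync.
# The repo sections and URLs below are constructed; they are not the real
# NethServer.repo content.
SAMPLE_REPO='[nethserver-base]
name=NethServer-7 - Base (constructed)
mirrorlist=http://mirrorlist.example.invalid/?repo=nethserver-base
#baseurl=http://packages.example.invalid/nethserver/7/base/$basearch/
gpgcheck=1

[nethserver-updates]
name=NethServer-7 - Updates (constructed)
mirrorlist=http://mirrorlist.example.invalid/?repo=nethserver-updates
#baseurl=http://packages.example.invalid/nethserver/7/updates/$basearch/
gpgcheck=1'

# Write the constructed repo file to a temporary path and print that path.
write_sample_repo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_REPO" > "$tmp"
    echo "$tmp"
}

# Rewrite the file in place: disable mirrorlist, enable the commented baseurl.
# Written via a temp file and mv so it does not depend on a GNU-only "sed -i".
use_baseurl_instead_of_mirrorlist() {
    repo_file=$1
    tmp=$(mktemp)
    sed -e 's/^mirrorlist=/#mirrorlist=/' -e 's/^#baseurl=/baseurl=/' "$repo_file" > "$tmp"
    mv "$tmp" "$repo_file"
}

# Return the number of active (uncommented) lines matching a key, 0 if none.
count_active_key() {
    grep -c "^$2=" "$1" || true
}

# Stand-alone run against the constructed file.
repo=$(write_sample_repo)
use_baseurl_instead_of_mirrorlist "$repo"
echo "active mirrorlist lines: $(count_active_key "$repo" mirrorlist)"
echo "active baseurl lines:    $(count_active_key "$repo" baseurl)"
rm -f "$repo"
```

On a NethServer 7 host the repo file is generated from the e-smith template linked above, so a direct edit of /etc/yum.repos.d/NethServer.repo is overwritten on the next template expansion; the durable way is a fragment under the matching templates-custom path (this note assumes the standard e-smith templates-custom layout). Remember to switch back to mirrorlist once the mirrors have caught up, since the master host is not meant to carry everyone's update traffic.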

Ok, patiently waited and applied the upgrade. Can confirm everything is back to normal.
Cheers!

2 Likes

Any chance of a fix for the NS6 version?