[Samba] Office 365, Windows 10 and Samba AD

Andrew Bartlett abartlet at samba.org
Wed Mar 23 00:44:54 UTC 2016

On Tue, 2016-03-22 at 14:07 +0100, Stefan G. Weichinger wrote:
> Am 2016-03-22 um 10:45 schrieb Garming Sam:
> > 
> > Hi,
> > 
> > As you should know, 3.x is out of support. Assuming this is related
> > to
> > the KB2992611 MS update, basically the bar was raised for clients
> > in
> > response to a security issue, and caused havoc for people on
> > Windows as
> > well. In order to fix 3.x, a good chunk of the infrastructure
> > written
> > for Samba 4 (AD) would likely have to be moved across because the
> > bar
> > really just has been raised unfortunately. There really isn't any
> > trivial fix, besides uninstalling the KB2992611 but I wouldn't
> > really
> > recommend it as it probably exposes you to a serious security
> > vulnerability.
> Thanks for pointing this out.
> To keep the momentary changes as small as possible I consider
> upgrading
> to samba-4.x at first, without touching the NT4-style domain for now.

My understanding is that this issue not only requires a current codebae
(and Samba 4.2), but also an AD DC.

> gentoo linux provides samba-4.2.9 as unstable package, I assume this
> would run OK as well for our rather simple use case. Would the move
> to
> 4.2.9 help around that specific bug as well?
> thanks for helping, Stefan

There is a way to tell windows not to use BackupKey, see 


This will avoid windows attempting to store a backup of the user
password store master key remotely.  That means if you change the
user's password on the DC, saved passwords will become inaccessible,
which may or may not matter.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

More information about the samba mailing list