[Samba] Printserver after latest MS updates

Rowland Penny rpenny at samba.org
Tue Oct 19 17:22:30 UTC 2021


On Tue, 2021-10-19 at 10:16 -0700, Jeremy Allison via samba wrote:
> On Tue, Oct 19, 2021 at 07:13:03PM +0200, cn--- via samba wrote:
> > On 19.10.21 at 19:10, Jeremy Allison via samba wrote:
> > > On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote:
> > > > Hello you all,
> > > > Microsoft is still trying to fix the PrintNightmare bugs. And 
> > > > after the latest patch day we see lots of NTLMv2 auths on our 
> > > > printserver. And _only_ on our printserver and not on any other
> > > > member servers.
> > > > 
> > > > It is not that Kerberos does not work. I can ssh into that machine
> > > > using Kerberos, and I can connect with smbclient with Kerberos. Also
> > > > the logs are really spammed with those messages. And it all
> > > > started after we released the last patchday updates from MS.
> > > > This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also
> > > > had the same problem on 4.14.7. smb.conf is below.
> > > > Everything seems to work as expected. It just is the number of 
> > > > NTLMv2 auths that made me look at this more closely.
> > > 
> > > NTLM auths can happen when a machine isn't using name-based
> > > lookups (i.e. not using DNS names). Kerberos requires name-based
> > > lookups in order to get tickets. That's usually the cause of
> > > NTLM.
> > 
> > Good hint. I'll check if somebody altered the GPO with this regard.
> > However, could it also be that the MS patch changed something there
> > (like talking the IP instead of a name?)
> 
> That is *extremely* unlikely. Many organizations ban the use
> of NTLM and require kerberos, so that would get Windows de-certified
> in many places. So no, I doubt that very much :-).

I wouldn't be so sure about that Jeremy, you are very probably correct,
but Microsoft is getting desperate about printing now, they are likely
to try anything, either by mistake or on purpose :-D

Rowland




