[Samba] ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023

Thu Jul 13 08:06:13 UTC 2023

Hi Matthias,

You are writing about linux and macos CLIENTS that do not work... connecting to what? To windows server with latest patches or to a share on a win10 pc with latest patches?

The issues I am seeing are all with windows 10 clients and linux servers (I have not tried the other way around, I don't have any such configuration).

For RDP using hostname and specifying the domain still does not work (in my configuration, the RDP client is a non-domain PC with windows 10 or 11 and the RDP server is a windows 10 PC that is in the domain, and the username involved is a domain user, not a local one). I have not yet tried disabling NLA. Can you please tell me how to do it in windows 10?

Thanks.

Fabio Muzzi

On 13/07/2023 09.23, Matthias Kühne | Ellerhold Aktiengesellschaft via samba wrote:
> Hallo,
> 
> now alot of bug reports are coming in.
> 
> For RDP you HAVE to connect via DNS and DOMAIN\user.name. Connecting via
> IP or without the domain does not work anymore. You have to disable NLA too.
> 
> Same for SMB access (at least from MacOS and linux clients). Weve got
> some clients that never got the connection working - even with the above
> changes so we had to uninstall the update. Ive disabled Win 10 Updates
> for the next 35 days ... hopefully the bug is solved until then!
> 
> If theres anything we can help to fix this please let us know. This is
> getting critical for us.
> 
> Thanks and have a nice day, Matthias.
> 
> Am 13.07.23 um 09:13 schrieb Jakob Curdes via samba:
>>
>> Am 12.07.2023 um 23:50 schrieb Fabio Muzzi via samba:
>>> On 12/07/2023 21.47, Jakob Curdes via samba wrote:
>>>
>>>> Just to understand this, we also might be affected with several
>>>> customers:
>>>>
>>>> - after installing the July Windows update on W10 22H2 KB5028166, the
>>>> following symptoms appear: 1) Test-ComputerSecureChannel -Verbose
>>>> says "False" 2) RDPing into the system does not work 3) some reports
>>>> about broken SMB connections?
>>>>
>>>> I just tested this in our environment on an Ubuntu 18 server (I know,
>>>> must be updated asap), there I see the Test-ComputerSecureChannel
>>>> "False", while on a system without the update it says "true", but I
>>>> cannot see any problems with RDP or SMB network connetions, so maybe
>>>> there are more border conditions to this?
>>>>
>>>> If I can help with further tests I am ready to go.
>>>
>>>
>>> Hi Jacob, can you please tell me what version is your Samba DC? I
>>> suppose it's 4.7.6 if it's the original Ubuntu 18.04 version, am I
>>> right?
>>>
>>> I'm trying to understand in how much manure I am drowning right now,
>>> I have about 10 small domains that use Samba (various versions) and
>>> I'm trying to understand what is expected to work and what is
>>> expected to fail.
>>>
>>> Can your clients still connect to the domain? I mean, if the user
>>> logs on locally on the PC, not using RDP.
>>>
>>> I know RDP is broken if using NLA.
>>
>> Hello Fabio, the  DCs where I tested this are on 4.7.6 as you guessed,
>> the Ubuntu version with backported patches etc.
>> We have several samba-controlled domains with different versions and
>> we did not observer any problems with local logon, and no prolems
>> witth RDP other that we had to deactivate NLA in some cases, which is
>> bad but in this case a workaround. We do not observer any other
>> problems right now.
>>
>> HTH, Jakob
>>
>>