[Samba] New KB5028166/Samba Issue?

Barry Trent barry.trent at atcorp.com
Thu Jul 13 22:09:24 UTC 2023


We are running both AD controllers and file servers using Samba 4.17.8 
on Debian 11. With the installation of the new MS patch KB5028166 on 
Windows 10 clients (and the corresponding Windows 11 patch) I'm seeing 
odd behavior in our Windows login script, which mounts various file 
shares conditionally based on a user's group membership(s).

With the patch installed, none of the "conditional" shares get mapped 
and I traced it to a problem with ifmember.exe, an MS utility that tests 
for group membership. None of the groups being maintained in Active 
Directory by the Samba servers are visible when the patch is installed.

So, before patch installation I use "ifmember /v /l" to list all the 
groups this user is in (I've sanitized our domain name):

User is a member of group MYDOMAIN\ResearchStaff.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group \CONSOLE LOGON.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group NT AUTHORITY\This Organization.
User is a member of group NT AUTHORITY\LogonSessionId_0_721064.
User is a member of group \LOCAL.
User is a member of group MYDOMAIN\AllStaff.
User is a member of group MYDOMAIN\Domain Users.
User is a member of group MYDOMAIN\AdminStaff.
User is a member of group MYDOMAIN\SecurityStaff.
User is a member of group MYDOMAIN\TimecardStaff.
User is a member of group MYDOMAIN\TechStaff.
User is a member of group MYDOMAIN\QMSStaff.
User is a member of group MYDOMAIN\ProcessStaff.
User is a member of group \Authentication authority asserted identity.
User is a member of group Mandatory Label\Medium Mandatory Level.

Once the patch is installed, all the "MYDOMAIN" groups are gone:

User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group \CONSOLE LOGON.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group NT AUTHORITY\This Organization.
User is a member of group NT AUTHORITY\LogonSessionId_0_1047015.
User is a member of group \LOCAL.
User is a member of group \Authentication authority asserted identity.
User is a member of group Mandatory Label\Medium Mandatory Level.

Uninstalling KB5028166 fixes the problem.

I tested against an MS Server 2012R2 domain controller and the problem 
did not occur, so it appears to somehow be Samba related. I'm hoping 
that whatever fixes the NT4 domain-related issues fixes this one as 
well, but since we are not using NT4 domains I'm not optimistic?

Is anyone else seeing this problem or able to reproduce it?

Be glad to test and/or submit any other info as needed.

-- 
Barry A. Trent
952-829-5864 x109
barry.trent at atcorp.com

