MS16-07 Samba NTLMv2 issues

This is not a BigFix issue, but I wanted to give a heads-up to the community. We have experienced issues connecting to Samba servers with NTLMv2 authentication after installing MS16-075 / MS16-076 KB3161561 on our Windows Server 2008 R2 Domain Controllers.

After installing this patch, Samba connections fail with an “Access Denied” message from Windows and “No Logon Server Available” messages in the Samba logfiles. Uninstalling this patch from the Domain Controllers restores Samba connectivity.

We’ve seen this on Samba 3.3.12 running on AIX, and Samba 3.6.23-24.el6_7 running on RHEL 6. Kerberos authentication to the Samba servers continues working as expected; only NTLMv2 connections seem to be affected.

NOTE: Edited to note the correct patch numbers. I posted the wrong KB and MS numbers due to a miscommunication with our server admin.

Argh what I wouldn’t give for a correct problem report.

Now that I’ve had a chance to dig into it myself a bit, I think this was probably actually caused by MS16-077 KB3165151. This update limits NetBIOS over TCP/IP responses to the local subnet only in order to prevent a malicious response to WPAD name queries. However, Samba in “security = domain” mode requires NBNS connections to Domain Controllers before setting up an RPC channel to authenticate users via NTLM. If the Samba server is not in the same IP subnet as the Domain Controllers, this traffic will not get a response from the DC after installing the update.

There is a registry edit noted in the KB article that can be applied to allow NetBIOS responses to out-of-subnet clients. I’ll be trying that registry edit in my environment within the next day or two.

It hasn’t been a very fun month for patching.

Just sharing this in case it’s helpful - it’s a great resource. https://onedrive.live.com/view.aspx?resid=C756C44362CD94AD!2257

I’ve verified on my test environment that my problem is in the MS16-077 patch (Title for this thread updated). Removing the NetBIOS responses on the Domain Controllers breaks Samba in the “security=domain” mode, if the Samba server is not on the same IP Subnet as the Domain Controller.

Adding the “AllowNBToInternet” Registry setting referenced in the KB article restores connectivity (it requires a reboot to take effect).
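
The condition described in this thread ("security = domain" plus a Domain Controller outside the Samba server's IP subnet) can be checked per server before the update is deployed. The following is an added example, not code from any poster in this thread; it assumes the DCs are listed by IP address in the smb.conf `password server` parameter and that the server's own address and prefix are passed in, and the sample configuration is constructed.

```python
import ipaddress
import re

# Constructed sample smb.conf; the workgroup and all addresses are made up.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    Security = DOMAIN
    password server = 10.1.1.10, 10.2.0.11 *
; a comment line
[share]
    path = /srv/share
"""

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as a dict.
    Parameter names are matched case-insensitively and ignoring whitespace."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def off_subnet_dcs(conf_text, local_interface):
    """List the DC addresses that fall outside the Samba server's own subnet.
    Returns [] when the server is not in "security = domain" mode."""
    params = global_params(conf_text)
    if params.get("security", "").lower() != "domain":
        return []
    net = ipaddress.ip_interface(local_interface).network
    flagged = []
    for entry in re.split(r"[,\s]+", params.get("passwordserver", "")):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # "*", empty strings and hostnames are not resolved here
        if addr not in net:
            flagged.append(str(addr))
    return flagged

if __name__ == "__main__":
    # 10.1.1.50/24 is a constructed address for the Samba server itself.
    for dc in off_subnet_dcs(SAMPLE_SMB_CONF, "10.1.1.50/24"):
        print(f"{dc}: outside the local subnet; NBNS replies would stop after MS16-077")
```

Any address it reports is a Domain Controller that would need the “AllowNBToInternet” setting mentioned above for that Samba server to keep authenticating via NTLM.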