Bug 12159 - MS KB3167679 breaks password changing on Win7 joined in NT style domain (samba 3.6.23)
MS KB3167679 breaks password changing on Win7 joined in NT style domain (samb...
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
x64 Windows 7
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2016-08-17 21:05 UTC by vasarhelyizsolt
Modified: 2016-11-22 08:02 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description vasarhelyizsolt 2016-08-17 21:05:48 UTC
Since recently applied https://support.microsoft.com/en-us/kb/3167679 users trying to change password on Windows 7 that is joined in a samba 3.6.23 domain get error:

"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

Any ideas what could be done to circumvent this or is it all upto KB3167679 not to fall back to NTLM auth:
"Known issues in this security update
This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations."

The only way to fix this was to uninstall and hide KB3167679.

Comment 1 vasarhelyizsolt 2016-08-22 08:55:26 UTC
It's confirmed https://lists.samba.org/archive/samba/2016-August/202150.html
Comment 2 vasarhelyizsolt 2016-11-22 08:02:31 UTC
Big surprise: changing password from Win7 with Ctrl-Alt-Del > Change Password is working again! I guess MS changed something in recent updates...