Bug 12159 - MS KB3167679 breaks password changing on Win7 joined in NT style domain (samba 3.6.23)
Summary: MS KB3167679 breaks password changing on Win7 joined in NT style domain (samb...
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: unspecified
Hardware: x64 Windows 7
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-17 21:05 UTC by bunkobugsy
Modified: 2019-04-13 14:14 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description bunkobugsy 2016-08-17 21:05:48 UTC 
Since recently applied https://support.microsoft.com/en-us/kb/3167679 users trying to change password on Windows 7 that is joined in a samba 3.6.23 domain get error:

"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

Any ideas what could be done to circumvent this or is it all upto KB3167679 not to fall back to NTLM auth:
"Known issues in this security update
This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations."

The only way to fix this was to uninstall and hide KB3167679.

https://social.technet.microsoft.com/Forums/en-US/6ae0b2d5-da14-4a63-8175-5e7f889b2adf/kb3167679-breaks-password-changing-on-win7-joined-in-nt-style-domain-samba-3623?forum=w7itpronetworking
Comment 1 bunkobugsy 2016-08-22 08:55:26 UTC 
It's confirmed https://lists.samba.org/archive/samba/2016-August/202150.html
Comment 2 bunkobugsy 2016-11-22 08:02:31 UTC 
Big surprise: changing password from Win7 with Ctrl-Alt-Del > Change Password is working again! I guess MS changed something in recent updates...