Koozali.org formerly Contribs.org

KB3167679 breaks password changing on Win7

KB3167679 breaks password changing on Win7
« on: August 12, 2016, 10:02:37 AM »
https://support.microsoft.com/en-us/kb/3167679

"This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations........Even though you can no longer change the password for disabled or locked accounts, you can set the password by using Active Directory-based tools." (in our case use https://yourserver/user-password)

Since this update users trying to change password on Win7 get:

"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

Would be worth investigating registry patches (if any) to workaround this with NT style domains (samba3). Thanks
« Last Edit: August 12, 2016, 10:27:22 AM by bunkobugsy »

Re: KB3167679 breaks password changing on Win7
« Reply #1 on: August 13, 2016, 01:58:26 AM »
As always, when something doesn't work, create a bug in the bug tracker, and we'll investigate causes and corrective actions there.

Re: KB3167679 breaks password changing on Win7
« Reply #2 on: August 13, 2016, 06:07:49 AM »
Unfortunately this is a MS dependency, bug would most likely be a wontfix.
Just wanted to ring a bell, already contacted MS in the forums:
https://social.technet.microsoft.com/Forums/en-US/6ae0b2d5-da14-4a63-8175-5e7f889b2adf/kb3167679-breaks-password-changing-on-win7-joined-in-nt-style-domain-samba-3623?forum=w7itpronetworking

Re: KB3167679 breaks password changing on Win7
« Reply #3 on: August 22, 2016, 11:01:09 AM »
More people are seeing this https://lists.samba.org/archive/samba/2016-August/202150.html

Can Logon & Join NT4-style Domain, Can't Change Password

Bottomline seems to be https://lists.samba.org/archive/samba/2016-August/202197.html

"With samba 4 in AD mode.. I can change, without any problem my password.
(Win7 64bit and win 10 64 Bit), with all ms patches on the systems.

So maybe.. its time to upgrade you samba NT4 style to AD. "

I also opened a bug at samba for suggestions https://bugzilla.samba.org/show_bug.cgi?id=12159

Offline ReetP

  • *
  • 2,439
Re: KB3167679 breaks password changing on Win7
« Reply #4 on: August 22, 2016, 07:35:59 PM »
Greg Zartman has been doing trojan work on trying to add a full Samba 4 AD implementation to Koozali SME

See here for starters:

https://bugs.contribs.org/show_bug.cgi?id=8075

Also search the bug tracker for other Samba 4 related bugs - there are a lot.

There are also a number of conversations on devinfo - see this for details on how to subscribe or read:

https://forums.contribs.org/index.php/topic,52219.msg267586.html

Greg badly needs some help. He has a done a large amount of the work single handed, and having talked to him daily for the last few years, I know just how much time and effort (not to mention swearing and head banging) he has put into this.

If you want to see it on Koozali SME (and from the looks of things for a lot of Windows users it is going to become a "Must Have" very soon) then you need to get stuck in and help him.

The simplest way is to get yourself a test VM and have a go at installing things, breaking things, reporting bugs, and chat with him to give him some moral support. The more help he gets, the quicker it will get built.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: KB3167679 breaks password changing on Win7
« Reply #5 on: November 22, 2016, 09:00:59 AM »
Big surprise: changing password from Win7 with Ctrl-Alt-Del > Change Password is working again!
I guess MS changed something in recent updates...