locked
KB3167679 breaks password changing on Win7 joined in NT style domain (samba 3.6.23) RRS feed

  • Question

  • Since https://support.microsoft.com/en-us/kb/3167679 users trying to change password on Win7 get:

    "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

    Is there any registry patch that can force NTLM (disable kerberos auth), maybe similar to https://social.technet.microsoft.com/Forums/windows/en-US/dfd79bc1-cf36-42b7-9911-346912f4def6/windows-7-can-see-samba-shares-but-cannot-see-samba-domain?forum=w7itpronetworking

    Thanks.

    Friday, August 12, 2016 8:47 AM

All replies

  • Same here!
    Friday, August 12, 2016 3:12 PM
  • Also disables ability to change local user password through asp (or similar) webpage using this sort of function: https://msdn.microsoft.com/en-us/library/aa746341(v=vs.85).aspx 

    Verified on IIS 7 running on 2008R2

    edit - by the way, the error code associated with this, for bing/google searches, is 800704F1
    Saturday, August 13, 2016 4:14 PM
  • Hi,

    I noticed the error message, it seems that there is an article may relate to the problem, please refer to the link:

    You receive a "The system has detected a possible attempt to compromise security" error message :

    https://support.microsoft.com/en-us/kb/938457

    Also you could check this thread.

    The system detected a possible attempt to compromise security.

    https://community.spiceworks.com/topic/252957-the-system-detected-a-possible-attempt-to-compromise-security

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Tao


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 15, 2016 9:37 AM
  • It can't be related to 938457 and port port 88 beeing open or not because we don't even have kerberos auth, we're on samba 3.6 (NT4 DC not AD) wich does NTLM - exactly this was overriden by 3167679.

    Tuesday, August 16, 2016 5:10 AM
  • I'm seeing the same thing, programmatically changing passwords using UserPrincipal/ChangePassword.    We aren't using Kerberos....    I believe it's a standard Windows Active Directory instance, not even an open source implementation....
    Thursday, August 18, 2016 4:07 PM
  • Hi, 

    My company has the same problem. We are also facing this in Windows 10 with the latest updates. 

    https://lists.samba.org/archive/samba/2016-August/202150.html

    Rolling back this update fixes it again, however this is difficult in Windows 10 because it's part of a cumulative update. Also you need to block this update to prevent it from installing again. The Samba devs say you need to update to the latest Samba and use AD. I hope a different solution will come up because we have a lot of networks at our customers.

    Greetings.

    Wietse

    Sunday, August 21, 2016 8:12 AM
  • Does anyone have a script that will allow me to prevent this update from coming back?  I was able to remove it, but want to block it for now.  We don't have WSUS or any Windows servers so I use PDQ Deploy Enterprise to perform these tasks.  I did some searches but didn't understand the scripts that I found.

    Thanks in advance,

    Bill

    Tuesday, August 30, 2016 7:16 PM
  • Hello, 

    I just resolve this issue as we speak. Kerberos needs to be opened (TCP/UDP 88) for authentication but port TCP/UDP 464 too (KPasswd). I've just modified my ACL and bam, password reset works.

    http://www.speedguide.net/port.php?port=464

    Have a nice day !

    Wednesday, September 7, 2016 2:36 PM
  • Good afternoon,

    I'm having the same problem, we have to know which registry value can change to work around this problem.

    I am performing various tests, however without success. Recalling that use SAMBA 3.5 and 3.6.

    Thank you!!

    Gustavo Valenga

    Tuesday, September 13, 2016 5:58 PM
  • Hello,

    Please could you explain in detail the workarround ?

    On the domain controller side, 88 and 464 ports are already opened.

    On client side, I add firewall rules to permit connexion to 88 ans 464 ports.

    But this is not working (error STATUS_DOWNGRADE_DETECTED). 

    Thank you very much.


    Thursday, September 15, 2016 10:29 AM

  • Good evening,
    
    The scenario is the following , I am making tests with the domain of contralador and workstation on the same network , just to avoid problems and port blocking by the firewall devio to even be in the same range of IP . From what I read in forums and documentation , this update KB3167679 and KB3177108 also encrypts the password are working and NT does not recognize this key more . I wonder if you have any Windows registry key that can be changed and solve the problem .
    
    I do not know if I was clear , but already thanks.


    Friday, September 16, 2016 1:08 AM
  • This issue occurs because of NTLM support for change password has been stopped after recent windows security update https://technet.microsoft.com/library/security/MS16-101

    You can use ldaps connection(port no : 636) for change password.

    Refer link for installing ssl certificate: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

    Tuesday, September 27, 2016 4:59 PM
  • Big surprise: changing password from Win7 with Ctrl-Alt-Del > Change Password is working again!

    I guess MS changed something in recent updates... (without letting us know once again)


    Tuesday, November 22, 2016 8:04 AM
  • Dear Community,

    I would like to affirm  the answer by bunkobugsy. We, rather late, installed updates on 32 and 64bit Win7 machines, which are member of an Samba 3.6 NT domain (3.6.25-SerNet-Debian) and were able to patch to a recent state without loosing the ability to change passwords against the PDC.

    I must admit, that I used an unofficial update pack (winfuture may 2017), so please take this into consideration.

    Thanks bunkobugsy !

    Regards,

    Martin

    Monday, May 22, 2017 6:46 PM