March 2017 Security Updates Breaks NTLM Authentication of SAMBA Shares Over NETBIOS

    Question

  • We had a production down weekend after installing Microsoft's security March 2017 rollup. This question is to help us understand what was included in the March rollup that broke production in order that we can properly document the workaround.

    Scenario:

    1. Windows 2008 R2 domain controllers.
    2. March 2017 security rollup applied.
    3. SAMBA shares hosted on AIX using NTLM authentication stopped working, giving access denied (client message).
       Error on AIX host is: "FAILED with error NT_STATUS_NO_LOGON_SERVERS"
       Error on AIX host is: "SPNEGO login failed: NT_STATUS_IO_TIMEOUT"
       Observed UDP 137 packets sent from AIX to DC, but no response from DC (packets ignored or blocked at DC).
    4. Domain controllers previously had installed KB3161949 which broke SAMBA using NETBIOS transport because of a tightened-up security posture due to the KB3161949 hotfix.
       When KB3161949 is installed, there is a HKLM registry setting which will allow NETBIOS (UDP 137) with NTLM authentication outside of the local subnet by setting the AllowNBToInternet DWORD value to 1.
    5. After installing March 2017 security rollup the AllowNBToInternet parameter no longer seems to work.

    After much effort attempting to back out Microsoft March 2017 security updates on domain controllers (this did not resolve the issue) we solved our problem by making an emergency change to all AIX SAMBA to use Kerberos authentication.

    It seems like the March rollup included a critical update to fix a denial of service vector in SMB. I am wondering if the SMB code fork deployed by Microsoft also contained code similar to that included in MS16-077 in a way that prevented the AllowNBToInternet option from working?

    And please explain why, even after backing out the March rollup, the functionality of KB3161949 to AllowNBToInternet was no longer operational?

    Note: background information related to the issues exposed by KB3161949 is here: "https://social.technet.microsoft.com/Forums/windows/en-US/5b32fb1c-bb5d-4be0-8a61-5adcb6ea4eb7/kb3161949-june-2016-update-causes-network-file-shares-to-become-unavailable?forum=w7itpronetworking" and here is a link to the KB: "https://support.microsoft.com/en-us/help/3161949/ms16-077-description-of-the-security-update-for-wpad-june-14,-2016"



    George Perkins

    Monday, March 27, 2017 2:07 PM
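The failure described in the question is a NetBIOS Name Service (UDP 137) lookup of the domain's `<1C>` group name (the name domain controllers register as logon servers) that gets no reply, which Samba then reports as NT_STATUS_NO_LOGON_SERVERS or NT_STATUS_IO_TIMEOUT. The following added example (not code from the original thread or from Microsoft or Samba) builds that `<1C>` query exactly as RFC 1001/1002 specify, parses a reply, and wraps both in a timed unicast probe so an administrator can confirm from the AIX side whether a given DC answers on UDP 137 at all. The domain name `EXAMPLE`, the address `192.0.2.10` and the canned reply in `sample_response()` are constructed test data; `query_logon_servers()` does real network I/O and is only meant to be pointed at your own DC.

```python
import socket
import struct

NBNS_PORT = 137
DC_GROUP_SUFFIX = 0x1C  # <1C>: group name registered by every domain controller


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1002 s4.1): pad the name to 15 chars, append the
    suffix byte, then emit each nibble as a letter offset from 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    # label length (32) + encoded label + root terminator
    return bytes([32]) + bytes(encoded) + b"\x00"


def build_nb_query(name: str, suffix: int, txid: int = 0x1234) -> bytes:
    """NBNS NAME QUERY REQUEST: header (flags = opcode QUERY, recursion desired),
    one question of type NB (0x0020), class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_netbios_name(name, suffix) + struct.pack(">HH", 0x0020, 0x0001)
    return header + question


def parse_nb_response(data: bytes, txid: int) -> dict:
    """Decode a NAME QUERY RESPONSE into its RCODE and the list of addresses
    carried in the NB resource record (6-byte entries: NB_FLAGS + IPv4)."""
    if len(data) < 12:
        raise ValueError("truncated NBNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (reply to someone else's query)")
    if not flags & 0x8000:
        raise ValueError("packet is a request, not a response")
    result = {"rcode": flags & 0x000F, "addresses": []}
    if result["rcode"] != 0 or an == 0:
        return result
    off = 12
    off += 1 + data[off] + 1                     # skip the encoded answer name
    _rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    rdata = data[off:off + rdlen]
    for i in range(0, rdlen - rdlen % 6, 6):
        nb_flags, ip = struct.unpack(">H4s", rdata[i:i + 6])
        result["addresses"].append(
            {"ip": socket.inet_ntoa(ip), "group": bool(nb_flags & 0x8000)}
        )
    return result


def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply a DC would send for EXAMPLE<1C>: one group entry for
    192.0.2.10 (test data, not a capture)."""
    header = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)   # response, AA, RD, RA
    name = encode_netbios_name("EXAMPLE", DC_GROUP_SUFFIX)
    rdata = struct.pack(">H4s", 0x8000, socket.inet_aton("192.0.2.10"))
    rr = struct.pack(">HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + name + rr


def query_logon_servers(domain: str, server_ip: str, timeout: float = 2.0) -> dict:
    """Unicast a <1C> query to one DC. A silent timeout is the exact symptom
    the question describes: UDP 137 leaves the AIX host and nothing comes back."""
    txid = 0x1234
    pkt = build_nb_query(domain, DC_GROUP_SUFFIX, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server_ip, NBNS_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"reachable": False,
                    "reason": "no NBNS reply; Samba will log NT_STATUS_NO_LOGON_SERVERS"}
    parsed = parse_nb_response(data, txid)
    parsed["reachable"] = True
    return parsed


if __name__ == "__main__":
    # Offline check of the encoder/parser on the constructed reply.
    print(parse_nb_response(sample_response(), 0x1234))
    # Live check (replace with your own domain and DC address):
    # print(query_logon_servers("EXAMPLE", "192.0.2.10"))
```

If the probe times out while the DC is reachable on TCP 445, the DC is dropping or not answering NetBIOS name traffic from that subnet, which is the condition AllowNBToInternet was meant to relax; switching the Samba hosts to Kerberos, as the original poster did, removes the dependence on UDP 137 logon-server discovery altogether.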

All replies

  • Hi,

    >>And please explain why, even after backing out the March rollup, the functionality of KB3161949 to AllowNBToInternet was no longer operational?

    According to your description, it seems to be an underlying code question. Please understand it is beyond what we can do in the forum; you could go to the Windows Server User Voice site to give feedback. Thank you.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Tuesday, March 28, 2017 8:16 AM
    Moderator
  • Cartman, are you saying I should post Microsoft Updates quality problems in a different forum? (The 'user voice' site you recommend even suggests "This forum (General Feedback) is used for any broad feedback related to Windows Server. Feedback for specific areas like Storage, Networking, Virtualization, Nano Server, etc., should be provided in one of the forums available on the right.")


    George Perkins

    Tuesday, March 28, 2017 1:56 PM
  • >>Cartman, are you saying I should post Microsoft Updates quality problems in a different forum? (The 'user voice' site you recommend even suggests "This forum (General Feedback) is used for any broad feedback related to Windows Server. Feedback for specific areas like Storage, Networking, Virtualization, Nano Server, etc., should be provided in one of the forums available on the right.")


    George Perkins

    Hi,

    You could try the WSUS forum, but I have already asked our Windows Update engineer; there is nothing we can do with underlying code questions on the forum.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 31, 2017 2:06 AM
    Moderator
  • Okay. I have posted in the WSUS forum instead: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a637600a-544c-4828-8a46-194f5d28b4e3/march-2017-security-updates-breaks-ntlm-authentication-of-samba-shares-over-netbios?forum=winserverwsus


    George Perkins

    Monday, April 03, 2017 3:42 PM
  • UserVoice is not a place for bug filing, it's a place for design feedback and feature requests (see landing page). Please open an MS Support case to file a bug.

    Ned Pyle [MSFT] | Principal Program Manager for Storage Replica, DFS Replication, Scale-out File Server, SMB, other goo | You will get fastest answers from me via Twitter @nerdpyle

    Monday, April 10, 2017 10:42 PM