Vista - kb952004 breaks samba sharing

I share folders between my vista, xp, and linux boxes. This update makes it impossible to see my linux boxes from vista. Anybody know how to fix this?

Hey Billydv,

Thats a problem for the Samba folk, they will need to update their packages to solve any problems caused by Patches because it only affects their software.

You should also contact the forum or mailing list of your linux distribution as they would be able to solve the issue much quicker

Steven

What dmex said.

Out of curiosity, I had a look at the KB article and it's a whole bunch of MSDTC binaries that are being updated:

MS09-012: Description of the security update for MSDTC Transaction Facility: April 2009

Are you actually sure it's the presence of that hotfix which changes the outcome?

absolutely. Twice installed and uninstalled to confirm.

I'm not sure that it is that simple -

Working with XP Pro systems it does not seem that this patch absolutely guarantees failure. I have one box that has the patch that fails and one that continues to work.

A packet sniffer showed the following:
On the XP system that fails a packet is received and interpreted as “NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED” - then the connection closes.

On the XP system that continues to work when the same packet is received it goes on to send the username. The system that fails never sends the username.

Now, in this case the server is running "security = server" so it really isn't part of the domain but from reports to me by other folks it has also munged samba servers with "security = ad"

M-

I think you've stumbled upon samba's inability to deal with NTLMv2. The challenge-response sequence is normal, as is the "more processing required", but the fact that the failing machine just aborts at that point suggests that the NTLM version is an issue. Perhaps KB952004 influences the version of NTLM used for authentication, but only on domain members - all pure speculation on my part.

If you look up LMCompatibilityLevel in the MS KB, there will be plenty of explanations of NTLM versus NTLMv2, and how to go about testing with a lower-security version of the challenge/response mechanism which samba understands.

Thanks for the quick reply -

I'd like to make one point though - if the assumption that this patch is the critical change that caused these problems - then Samba was working and dealing with NTLMv2 just fine until this patch was applied. Perhaps we are moving to NTMLv3 but then again who knows.

No doubt the samba developers will look at this and find a fix. I'm just trying to find a fix that doesn't require rebuilding samba on dozens of servers.

M-

I've got no idea, I'm just going by what you and the OP are saying

My understanding is that the presence of this patch is somehow significant in that access to samba no longer works, and that in your case there appears to be a link to domain membership.

There is no NTLMv3. Many versions of samba have for years had issues with NTLMv2 though. It's possible that the presence of KB952004 prevents fallback to NTLM(v1), thus preventing successful authentication because samba won't deal with NTLMv2.

I wouldn't bother rebuilding anything until you have a thorough understanding of the problem. As a suggestion, try experimenting with what happens if you lower the LMCompatibilityLevel value on the Windows PCs.

All I want is not to have problems sharing between my boxes. I run both Vista 64 and Gentoo 64 and all my documents get auto synced daily between the machines. When the machines can't see each other, syncs don't occur and it's problematic for me.

H2SO4 (sulfuric acid) said:

I totally agree - working with different LMCompatibilityLevel settings is the next thing to do - will report what I discover.

Thanks again,

Michael