Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 910306

Summary: net-fs/samba: Windows Updates from 13th July 2023 break domain trust (fix inside)
Product: Gentoo Linux Reporter: Felix Leimbach <felix.leimbach>
Component: Current packagesAssignee: Gentoo's SAMBA Team <samba>
Severity: critical CC: ole+gentoo, sam
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Package list:
Runtime testing required: ---
Bug Depends on: 910452    
Bug Blocks:    

Description Felix Leimbach 2023-07-13 18:57:59 UTC
A windows update issued for all windows server and desktop versions on July 13th breaks the secure channel connection and thus domain trust and thus logon via RDP, access to shares and other things.

The issue is diagnosed here and there is a patch:

This is quite urgent as it breaks domains with a samba PDC in all kind of ways.

Reproducible: Always

Steps to Reproduce:
1. Install latest windows updates in a domain with a samba PDC
2. Watch everything break
3. Can confirm breakage by seeing false in this powershell command on a windows client with the latest update: Test-ComputerSecureChannel -Verbose
Comment 1 Felix Leimbach 2023-07-13 19:28:40 UTC
I've applied the patch linked in the bug report to net-fs/samba-4.18.3 in my overlay and confirmed it fixes all issues.

I can log in via RDP again, access file shares and Test-ComputerSecureChannel returns True again.

From what I read people are applying the patch successfully to samba versions as old as 4.13.13, so we might want to issue updates for all our supported versions (i.e. 4.16+).
Comment 2 Felix Leimbach 2023-07-13 19:29:06 UTC
For reference this is the patch:
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-14 11:58:02 UTC
*** Bug 910335 has been marked as a duplicate of this bug. ***
Comment 4 Larry the Git Cow gentoo-dev 2023-07-16 10:32:31 UTC
The bug has been referenced in the following commit(s):

commit c580697941c0090848274bea073c0d3ef555032a
Author:     David Seifert <>
AuthorDate: 2023-07-16 10:32:23 +0000
Commit:     David Seifert <>
CommitDate: 2023-07-16 10:32:23 +0000

    net-fs/samba: add 4.18.4
    Signed-off-by: David Seifert <>

 net-fs/samba/Manifest                              |   1 +
 ...4-bug-15418-windows-update-secure-channel.patch |  56 +++
 net-fs/samba/files/samba-4.18.4-pam.patch          |  29 ++
 net-fs/samba/samba-4.18.4.ebuild                   | 384 +++++++++++++++++++++
 4 files changed, 470 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2023-08-03 15:34:04 UTC
The bug has been referenced in the following commit(s):

commit d32095b165e0f127a89bbf6af1d99b0c7386cfa2
Author:     David Seifert <>
AuthorDate: 2023-08-03 15:33:46 +0000
Commit:     David Seifert <>
CommitDate: 2023-08-03 15:33:46 +0000

    net-fs/samba: drop 4.16.8
    Signed-off-by: David Seifert <>

 net-fs/samba/Manifest                              |   1 -
 .../files/samba-4.15.12-configure-clang16.patch    | 117 -------
 .../files/samba-4.15.9-libunwind-automagic.patch   | 118 -------
 .../samba/files/samba-4.16.1-netdb-defines.patch   |  25 --
 .../samba-4.16.2-fix-musl-without-innetgr.patch    |  25 --
 net-fs/samba/files/samba-4.4.0-pam.patch           |  29 --
 net-fs/samba/samba-4.16.8.ebuild                   | 387 ---------------------
 7 files changed, 702 deletions(-)