Problems with March 2017 Security Rollup
The moderator from the server forum suggested I post here (please see https://social.technet.microsoft.com/Forums/windowsserver/en-US/a894761b-963e-4e4a-a309-d28999209448/march-2017-security-updates-breaks-ntlm-authentication-of-samba-shares-over-netbios?forum=winserversecurity).
We had a production down weekend after installing Microsoft's security March 2017 rollup. This question is to help us understand what was included in the March rollup that broke production in order that we can properly document the workaround.
1. Windows 2008 R2 domain controllers.
2. March 2017 security rollup applied.
3. SAMBA shares hosted on AIX using NTLM authentication stopped working, giving access denied (client message)
Error on AIX host is: "FAILED with error NT_STATUS_NO_LOGON_SERVERS"
Error on AIX host is: "SPNEGO login failed: NT_STATUS_IO_TIMEOUT"
Observed UDP 137 packets sent from AIX to DC, but no response from DC (packets ignored or blocked at DC).
4. Domain controllers previously had installed KB3161949 which broke SAMBA using NETBIOS transport because of a tightened-up security posture due to the KB3161949 hotfix.
When KB3161949 is installed, there is a HKLM registry setting which will allow NETBIOS (UDP 137) with NTLM authentication outside of the local subnet by setting the AllowNBToInternet DWORD value to 1.
5. After installing March 2017 security rollup the AllowNBToInternet parameter no longer seems to work.
After much effort attempting to back out Microsoft March 2017 security updates on domain controllers (this did not resolve the issue) we solved our problem by making an emergency change to all AIX SAMBA to use Kerberos authentication.
It seems like the March rollup included a critical update to fix a denial of service vector in SMB. I am wondering if the SMB code fork deployed by Microsoft also contained code similar to that included in MS16-077 in a way that prevented the AllowNBToInternet option from working?
And please explain why, even after backing out the March rollup, the functionality of KB3161949 to AllowNBToInternet was no longer operational?
Note background information related to the issues exposed by KB3161949 are here: "https://social.technet.microsoft.com/Forums/windows/en-US/5b32fb1c-bb5d-4be0-8a61-5adcb6ea4eb7/kb3161949-june-2016-update-causes-network-file-shares-to-become-unavailable?forum=w7itpronetworking" and here is a link to the KB: "https://support.microsoft.com/en-us/help/3161949/ms16-077-description-of-the-security-update-for-wpad-june-14,-2016"