Upstream Samba team announcement:
On 8th of July, Microsoft will release an important security update for
Active Directory Domain Controllers for Windows Server versions prior to
2025.
This update includes a change to the Microsoft RPC Netlogon protocol,
which improves security by tightening access checks for a set of RPC
requests. Samba running as domain members in these environments will be
impacted by this change if a specific configuration is used, see below
for which configuration is affected.
Windows Server version 2025 is already equipped with these specific
security hardenings, and Microsoft is now planning to deploy them to all
supported Windows Server versions down to Windows Server 2008.
Who is affected?
Samba installations acting as member servers in Windows AD domains will
be affected if they are configured to use the ‘ad’ idmapping backend.
Samba servers not using this configuration will not be affected by the
change – at least to our current knowledge and understanding of the
change – and no further action is required.
Current versions of Samba with the affected configuration will no longer
function correctly once the Microsoft update has been applied. Users
will not be able to connect to the SMB service provided by Samba for any
domain configured to use the ‘ad’ idmapping backend.
TrueNAS Impact:
NAS-136590
This affects TrueNAS servers joined to an Active Directory domain that are configured to use Unix identity information stored in the Active Directory schema (Services for UNIX or RFC2307 extensions) through the "AD" idmap backend (idmap_ad).
This is a non-standard Active Directory configuration and a non-standard TrueNAS configuration that is most commonly used in legacy enterprise environments or universities.
There is no workaround for idmap_ad.
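As an added check that is not part of the Samba or TrueNAS announcements: the script below parses Samba's "idmap config" lines and reports any domain whose backend is "ad", i.e. the configuration the advisory names as affected. It is generic Samba config parsing and can be fed the output of testparm -s on any Samba host (testparm expands includes and normalizes parameter spelling); the smb.conf fragment embedded in it is constructed for illustration and is not from the page.

```python
import re
import sys

# Matches Samba's "idmap config <DOMAIN> : <option> = <value>" parameter form.
# Samba treats parameter and domain names case-insensitively and allows optional
# whitespace around the colon, so the pattern is permissive about both.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)

# Constructed sample smb.conf (not taken from the page): one domain on the
# affected 'ad' backend, one on 'rid', plus the default '*' mapping on 'tdb'.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    # default mapping for trusted domains without their own config
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    ; primary domain reads uidNumber/gidNumber from AD (RFC2307 attributes)
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    idmap config OTHER:backend = rid
    idmap config OTHER : range = 1000000-1999999
"""


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every idmap config line in text.

    Comment lines (# or ;) are skipped. Domain names are upper-cased and option
    names lower-cased so lookups do not depend on how the author spelled them.
    """
    config = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = IDMAP_LINE.match(stripped)
        if not m:
            continue
        domain = m.group("domain").upper()
        option = m.group("option").lower()
        config.setdefault(domain, {})[option] = m.group("value")
    return config


def affected_domains(config):
    """Sorted list of domains whose idmap backend is 'ad' (the affected setup)."""
    return sorted(
        domain for domain, opts in config.items()
        if opts.get("backend", "").strip().lower() == "ad"
    )


def report(text):
    """Human-readable summary: one line per configured domain, then a verdict."""
    config = parse_idmap_config(text)
    lines = [
        f"{domain}: backend={opts.get('backend', '<unset>')}"
        for domain, opts in sorted(config.items())
    ]
    hit = affected_domains(config)
    if hit:
        lines.append("AFFECTED: idmap_ad in use for " + ", ".join(hit))
    else:
        lines.append("not affected: no domain uses the 'ad' idmap backend")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: testparm -s 2>/dev/null | python3 check_idmap_ad.py
    # With nothing piped in, the constructed sample above is checked instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SMB_CONF
    print(report(source))
```

Only the backend value decides the verdict; a domain using idmap_ad with schema_mode = sfu or rfc2307 is reported the same way, matching the advisory's statement that the "ad" backend itself is what the Netlogon change affects. The default "*" entry is listed too, so a host whose only "ad" mapping is the catch-all is not missed.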
Impacted releases:
All existing releases in the field
Releases added to address this change:
[SCALE-24.10.2.3 (ElectricEel)]
[13.0-U6.8]
Already scheduled for later this month: [SCALE-25.04.2 (Fangtooth)]