After applying Microsoft Windows security update 2025, Samba authentication stopped working on Red Hat Enterprise Linux
Red Hat Lightspeed can detect this issue
Environment
- Red Hat Enterprise Linux 10
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7
- Samba/Winbind (Red Hat Enterprise Linux configured as a Samba Domain Member with idmap_ad mapping)
- Microsoft Active Directory
Issue
- The 2025 Microsoft Windows security hardening locks out schannel-secured Netlogon DC calls such as netr_DsRGetDCName.
- The Microsoft Windows 2025 update enforces access checks even on schannel-secured NETLOGON connections, causing winbind's Netlogon DC discovery calls to fail.
- The Microsoft security update that fixes CVE-2025-49716 may cause Samba authentication to fail when the idmap_ad backend is used with Samba/Winbind running on RHEL.
- After the 2025 update is applied on Microsoft AD domain controllers, DsGetDCName calls return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND and ID mapping with idmap_ad fails.
Resolution
Who is affected?
- This will affect some Samba installations which are configured as an Active Directory Domain Member and have id-mapping set up with the idmap_ad plugin. Setups involving domain trusts may also be affected.
- Samba servers not using the above configuration will NOT be affected by the change, as per the current update from the Samba engineering team, and no further action is required.
Status
The Red Hat Samba Engineering Team has already released an official fix for the following RHEL versions (Z-streams):
- Current minor releases

| RHEL Version | Package version | Errata |
| RHEL-8.10.0.z | 4.19.4-9.el8_10 | RHBA-2025:10643 |
| RHEL-9.6.0.z | 4.21.3-7.el9_6 | RHBA-2025:10634 |
| RHEL-10.0.z | 4.21.3-106.el10_0 | RHBA-2025:10633 |

- Extended Update Support (EUS)

| RHEL Version | Package version | Errata |
| RHEL-9.4.z | 4.19.4-105.el9_4.3 | RHBA-2025:10637 |

- Update Services for SAP Solutions & Enhanced Extended Update Support

| RHEL Version | Package version | Errata |
| RHEL-8.6.0.z | 4.15.5-16.el8_6 | RHBA-2025:10685 |
| RHEL-8.8.0.z | 4.17.5-7.el8_8 | RHBA-2025:10686 |
| RHEL-9.0.0.z | 4.15.5-112.el9_0 | RHBA-2025:10649 |
| RHEL-9.2.0.z | 4.17.5-105.el9_2.4 | RHBA-2025:10636 |

- Extended Life-cycle Support (ELS)

| RHEL Version | Package version | Errata |
| RHEL-7.9.0.z | 4.10.16-26.el7_9 | RHBA-2025:14088 |
Once the fix has been released for your platform, update the Samba packages (on RHEL 7 use yum instead of dnf):
[root]# dnf update samba samba-winbind
For information about other Z-streams, get in touch with Technical Support by opening a Support Case.
- Upstream Ticket: Bug 15876
Root Cause
- On 08-Jul-2025, Microsoft released an important security update to address CVE-2025-49716 for Active Directory Domain Controllers on Windows Server versions prior to 2025.
- This update includes a change to the Microsoft RPC Netlogon protocol, which improves security by tightening access checks for a set of RPC requests.
- Samba running as a domain member in these environments will be impacted by this change if a specific configuration is used; see below for more details.
- Windows Server 2025 already ships with these security hardening measures, and Microsoft is now planning to deploy them to all supported Windows Server versions down to Windows Server 2008.
Diagnostic Steps
- Samba installations acting as domain members in Windows AD domains will be affected if they are configured to use the 'ad' id-mapping backend.
- Check the current Samba configuration to verify whether it runs in security = ads mode and uses the ad idmap backend:
# testparm -s /etc/samba/smb.conf | egrep -i 'security|idmap'
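The grep above still leaves the reader to eyeball the output. The following script is an added example (not from the Red Hat article or the Samba project) that evaluates `testparm -s` output and reports which domains map IDs with the ad backend; the two embedded configurations are constructed samples, and the live check assumes the default /etc/samba/smb.conf path.

```shell
#!/bin/sh
# Constructed sample of `testparm -s` output for an affected domain member.
SAMPLE_AFFECTED='[global]
    realm = EXAMPLE.COM
    security = ADS
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999'

# Constructed sample of a member using the rid backend (not affected).
SAMPLE_RID='[global]
    security = ADS
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999'

# is_affected CONFIG_TEXT
# Returns 0 and prints the domains using "backend = ad" when the host matches
# the affected profile (security = ads AND idmap_ad in use), 1 otherwise.
# Matching is case-insensitive and ignores indentation.
is_affected() {
    conf=$1
    sec=$(printf '%s\n' "$conf" | awk -F= '
        tolower($1) ~ /^[ \t]*security[ \t]*$/ { v=$2; gsub(/[ \t]/,"",v); print tolower(v) }')
    [ "$sec" = "ads" ] || return 1
    ad_domains=$(printf '%s\n' "$conf" | awk -F= '
        tolower($1) ~ /^[ \t]*idmap config .*:[ \t]*backend[ \t]*$/ {
            v=$2; gsub(/[ \t]/,"",v)
            if (tolower(v) == "ad") {
                d=$1; sub(/^[ \t]*idmap config[ \t]*/,"",d); sub(/[ \t]*:.*$/,"",d); print d
            }
        }')
    [ -n "$ad_domains" ] || return 1
    printf '%s\n' "$ad_domains"
}

# Evaluate the live configuration when testparm is installed (skipped otherwise).
if command -v testparm >/dev/null 2>&1; then
    if doms=$(is_affected "$(testparm -s /etc/samba/smb.conf 2>/dev/null)"); then
        echo "AFFECTED: idmap_ad in use for domain(s): $doms"
    else
        echo "not affected: no security = ads with an ad idmap backend"
    fi
fi
```

A domain listed as affected needs the fixed samba packages from the errata above before the domain controllers receive the Microsoft update.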
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.