Hi Kacper: How are you applying this group policy on a Samba DC? If you are doing it on a Windows DC, what is the UNC path that you are configuring in the group policy editor?
Regards, Obaid Farooqi Sr. Escalation Engineer | Microsoft From: Kacper <[email protected]> Sent: Thursday, December 11, 2025 4:59 PM To: Obaid Farooqi <[email protected]> Cc: Microsoft Support <[email protected]>; cifs-protocol <[email protected]> Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550 Hi Obaid, If session setup responses are always signed I would like to understand why the signature verification fails when Hardened UNC Paths are configured with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 (Computer Configuration → Administrative Templates → Network → Network Provider → Hardened UNC Paths) and why the signature verification succeeds 1) when Hardened UNC Paths are not configured (e.g. the gpo is left at its not configured setting) 2) after logon when manually refreshing group policies with gpupdate /force. Regards, Kacper On Thu, Dec 11, 2025, 20:34 Obaid Farooqi <[email protected]<mailto:[email protected]>> wrote: Hi Kacper: Looking at the traces, here is what’s happening: 1. Just before sending the create request for gpt.ini, client determines that it is a 3-part SPN and there fore it needs to reauthenticate. 2. Client sends a session setup request 3. Server (in this case Samba DC) responds with session set up response 4. Session set up response is always signed. Client tries to verify the signature and that fails. Please let me know if this does not answer your question. Regards, Obaid Farooqi Sr. Escalation Engineer | Microsoft From: Kacper <[email protected]<mailto:[email protected]>> Sent: Wednesday, December 10, 2025 4:30 AM To: Obaid Farooqi <[email protected]<mailto:[email protected]>> Cc: Microsoft Support <[email protected]<mailto:[email protected]>>; cifs-protocol <[email protected]<mailto:[email protected]>> Subject: Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550 Hi Obaid, I have not been able to reproduce this problem against a Windows DC. I've uploaded the requested t.cmd traces to the secure file exchange. Regards, Kacper On Tue, 9 Dec 2025 at 21:13, Obaid Farooqi <[email protected]<mailto:[email protected]>> wrote: Hi Kacper: You’ll have to rename t.txt to t.cmd. Your email provider does not allow .cmd files. Regards, Obaid Farooqi Sr. Escalation Engineer | Microsoft From: Obaid Farooqi Sent: Tuesday, December 9, 2025 2:10 PM To: 'Kacper' <[email protected]<mailto:[email protected]>> Cc: Microsoft Support <[email protected]<mailto:[email protected]>>; 'cifs-protocol' <[email protected]<mailto:[email protected]>> Subject: RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550 Hi Kacper: I want to reproduce this for Windows to Windows. Please let me know the exact steps and set up. Alternatively, you can collect ETW traces for me on the Windows 11 client. The script I have attached to this email does not survive reboot. So, if you can reproduce the scenario without rebooting, here are the steps. 1. Unzip and copy the file t.cmd on your windows 11 client. 2. Login as administrator and in a cmd (elevated), execute the following command: >t.cmd clion 3. Reproduce the scenario, which I guess will require you to log off and login again (preferably as a different user) 4. Once you see the error in Event Viewer, repro is complete. 5. Open an elevated Cmd window and execute the following command: >t.cmd clioff 6. Upload the resulting t*.cab file to the link I provided you. Regards, Obaid Farooqi Sr. Escalation Engineer | Microsoft From: Obaid Farooqi Sent: Monday, December 8, 2025 10:38 AM To: 'Kacper' <[email protected]<mailto:[email protected]>> Cc: Microsoft Support <[email protected]<mailto:[email protected]>>; cifs-protocol <[email protected]<mailto:[email protected]>> Subject: RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550 Hi Kacper: Thank you for the traces. I’ll look into them and get back to you as soon as I have anything conceret. Regards, Obaid Farooqi Sr. Escalation Engineer | Microsoft From: Kacper <[email protected]<mailto:[email protected]>> Sent: Monday, December 8, 2025 4:20 AM To: Obaid Farooqi <[email protected]<mailto:[email protected]>> Cc: Microsoft Support <[email protected]<mailto:[email protected]>>; cifs-protocol <[email protected]<mailto:[email protected]>> Subject: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550 Hello Obaid, Thank you for taking over this issue. The issue occurs between a Windows 11 client and a Samba DC. I’ve tested the same scenario against a Windows DC, and it works correctly there. My testing was done with Windows 11 (24H2, OS version 26100.7171) and Samba 4.21.10. I’ve uploaded the network trace, the event log entry, and the auth trace. Manually running gpupdate /force after the user logs on works without any issues. I would like to understand why Windows fails to apply GPOs during logon when Hardened UNC Paths are configured and the domain controller is Samba. Regards, Kacper
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
