Hi Obaid,

I'm using the Group Policy Management Console (GPMC) snap-in. I'm configuring hardened UNC paths for \\*\NETLOGON and \\*\SYSVOL. I've uploaded a screenshot of the GPO setting to the secure file exchange.

Regards,
Kacper

On Fri, 12 Dec 2025 at 01:32, Obaid Farooqi <[email protected]> wrote:
> Hi Kacper:
>
> How are you applying this group policy on a Samba DC? If you are doing it
> on a Windows DC, what is the UNC path that you are configuring in the group
> policy editor?
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Thursday, December 11, 2025 4:59 PM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Obaid,
>
> If session setup responses are always signed I would like to understand
> why the signature verification fails when Hardened UNC Paths are configured
> with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1
> (Computer Configuration → Administrative Templates → Network → Network
> Provider → Hardened UNC Paths) and why the signature verification succeeds
>
> 1) when Hardened UNC Paths are not configured (e.g. the GPO is left at its
> "Not configured" setting)
>
> 2) after logon when manually refreshing group policies with gpupdate /force.
>
> Regards,
> Kacper
>
> On Thu, Dec 11, 2025, 20:34 Obaid Farooqi <[email protected]> wrote:
> Hi Kacper:
>
> Looking at the traces, here is what's happening:
>
> 1. Just before sending the create request for gpt.ini, the client
>    determines that it is a 3-part SPN and therefore it needs to
>    reauthenticate.
> 2. Client sends a session setup request.
> 3. Server (in this case Samba DC) responds with a session setup response.
> 4. Session setup response is always signed. Client tries to verify
>    the signature and that fails.
>
> Please let me know if this does not answer your question.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Wednesday, December 10, 2025 4:30 AM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Obaid,
>
> I have not been able to reproduce this problem against a Windows DC. I've
> uploaded the requested t.cmd traces to the secure file exchange.
>
> Regards,
> Kacper
>
> On Tue, 9 Dec 2025 at 21:13, Obaid Farooqi <[email protected]> wrote:
> Hi Kacper:
>
> You'll have to rename t.txt to t.cmd. Your email provider does not allow
> .cmd files.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Obaid Farooqi
> *Sent:* Tuesday, December 9, 2025 2:10 PM
> *To:* 'Kacper' <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; 'cifs-protocol' <[email protected]>
> *Subject:* RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Kacper:
>
> I want to reproduce this for Windows to Windows. Please let me know the
> exact steps and set up.
>
> Alternatively, you can collect ETW traces for me on the Windows 11 client.
> The script I have attached to this email does not survive reboot. So, if
> you can reproduce the scenario without rebooting, here are the steps.
>
> 1. Unzip and copy the file t.cmd on your Windows 11 client.
> 2. Login as administrator and in a cmd (elevated), execute the
>    following command:
>    >t.cmd clion
> 3. Reproduce the scenario, which I guess will require you to log off
>    and login again (preferably as a different user).
> 4. Once you see the error in Event Viewer, repro is complete.
> 5. Open an elevated Cmd window and execute the following command:
>    >t.cmd clioff
> 6. Upload the resulting t*.cab file to the link I provided you.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Obaid Farooqi
> *Sent:* Monday, December 8, 2025 10:38 AM
> *To:* 'Kacper' <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hi Kacper:
>
> Thank you for the traces. I'll look into them and get back to you as soon
> as I have anything concrete.
>
> Regards,
> Obaid Farooqi
> Sr. Escalation Engineer | Microsoft
>
> *From:* Kacper <[email protected]>
> *Sent:* Monday, December 8, 2025 4:20 AM
> *To:* Obaid Farooqi <[email protected]>
> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
> *Subject:* [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>
> Hello Obaid,
>
> Thank you for taking over this issue. The issue occurs between a Windows
> 11 client and a Samba DC. I've tested the same scenario against a Windows
> DC, and it works correctly there.
> My testing was done with Windows 11 (24H2, OS version 26100.7171) and
> Samba 4.21.10. I've uploaded the network trace, the event log entry, and
> the auth trace.
> Manually running gpupdate /force after the user logs on works without any
> issues.
>
> I would like to understand why Windows fails to apply GPOs during logon when
> Hardened UNC Paths are configured and the domain controller is Samba.
>
> Regards,
> Kacper
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
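An added example, not part of the thread above: a PowerShell audit that reads the Hardened UNC Paths policy the GPO discussed in the thread writes to the client registry, parses the RequireMutualAuthentication / RequireIntegrity / RequirePrivacy flags, and reports whether \\*\NETLOGON and \\*\SYSVOL are covered. It assumes the policy lands under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths, the location documented for this setting; the function name Get-HardenedUncPath is my own.

```powershell
# Added audit script (not from the mailing-list thread). Assumed registry
# location of the "Hardened UNC Paths" policy on a Windows client.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedUncPath {
    # Returns one object per configured UNC pattern with its parsed flags.
    if (-not (Test-Path $HardenedPathsKey)) {
        Write-Warning "No HardenedPaths policy present (GPO 'Not configured' or not applied yet)."
        return @()
    }
    $item = Get-ItemProperty -Path $HardenedPathsKey
    # Value names are the UNC patterns themselves (e.g. \\*\SYSVOL); skip PS* metadata.
    $names = ($item.PSObject.Properties | Where-Object { $_.Name -like '\\*' }).Name
    foreach ($name in $names) {
        # Value data looks like: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
        $flags = @{}
        foreach ($pair in ($item.$name -split ',')) {
            $k, $v = ($pair.Trim() -split '=', 2)
            if ($k) { $flags[$k] = $v }
        }
        [pscustomobject]@{
            Path      = $name
            Mutual    = $flags['RequireMutualAuthentication']
            Integrity = $flags['RequireIntegrity']
            Privacy   = $flags['RequirePrivacy']
            Raw       = $item.$name
        }
    }
}

$entries = Get-HardenedUncPath
$entries | Format-Table -AutoSize

# The two shares group policy processing reads at logon; warn if either is
# missing or is configured without mutual authentication and integrity.
foreach ($share in 'NETLOGON', 'SYSVOL') {
    $match = $entries | Where-Object { $_.Path -ieq "\\*\$share" }
    if (-not $match) {
        Write-Warning "No HardenedPaths entry for \\*\$share"
    } elseif ($match.Mutual -ne '1' -or $match.Integrity -ne '1') {
        Write-Warning "\\*\$share lacks mutual auth and/or integrity: $($match.Raw)"
    }
}
```

Run it once after logon and again after `gpupdate /force` to confirm whether the registry state differs between the two cases the thread compares.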
