Hi Obaid,

I created a test environment to isolate the issue, but I was unable to reproduce the problem by configuring Hardened UNC Paths alone. After extensive testing, I determined that the issue consistently occurs when Computer Configuration → Administrative Templates → Network → Lanman Workstation → Require encryption is enabled (https://learn.microsoft.com/en-us/windows-server/storage/file-server/configure-smb-client-require-encryption). I apologize for not having tested this more thoroughly in isolation earlier.

Perhaps there is a special code path taken when Require encryption is enabled, as setting RequirePrivacy=1 in Hardened UNC Paths does appear to enable SMB encryption without causing the failure.

Regards,
Kacper

On Fri, 12 Dec 2025 at 20:28, Kacper <[email protected]> wrote:
> Hi Obaid,
>
> 1) Open the Group Policy Management Console (which is part of the Windows RSAT tools)
> 2) Create a group policy object, highlight the domain where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here".
> 3) Right-click the newly-created GPO and select Edit to open the Group Policy Management Editor
> 4) Navigate to the User Configuration → Preferences → Windows Settings → Drive Maps entry
> 5) Right-click the Drive Maps entry and select New → Mapped Drive
> 6) Set the following: On the General tab, Action: Create, Location: \\server.domain.tld\share\ (replace server.domain.tld with the domain FQDN of the Samba DC). Click OK
> 7) Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the Samba DC. Close the Group Policy Management Console
>
> You will also have to configure a shared folder in Samba by:
> 1) mkdir /srv/share
> 2) chmod 755 /srv/share
> 3) adding to smb.conf:
>    [share]
>    path = /srv/share
>    browseable = yes
> 4) restarting the Samba DC
>
> Any other User Configuration GPO setting could probably be applied, but I believe at least one needs to be configured in order for Windows to try to apply user group policies.
>
> Let me know if you need any further assistance.
>
> Regards,
> Kacper
>
> On Fri, 12 Dec 2025 at 19:49, Obaid Farooqi <[email protected]> wrote:
>
>> Hi Kacper:
>>
>> I don't support products, which means I don't help customers configure systems. As such, please elaborate on the following as I have never done this.
>>
>> 3) Create new GPO with user settings, say with a mapped drive
>>
>> As for mutual authentication, it is not related to integrity and privacy. Mutual authentication means that only Kerberos can be used for authentication (mutual authentication means that not only will the server authenticate the client, the client will also authenticate the server). NTLM cannot do mutual authentication.
>>
>> A session key is always established whether you do mutual authentication or not.
>>
>> Regards,
>> Obaid Farooqi
>> Sr. Escalation Engineer | Microsoft
>>
>> *From:* Kacper <[email protected]>
>> *Sent:* Friday, December 12, 2025 12:34 PM
>> *To:* Obaid Farooqi <[email protected]>
>> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
>> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>>
>> Hi Obaid,
>>
>> I've done some additional testing. When I set RequireMutualAuthentication=0 while keeping RequireIntegrity=1 and RequirePrivacy=1, Windows does not fail the signature verification. My understanding is that mutual authentication is required to establish a session key, which is then used to enable integrity (signing) and privacy (encryption). If that's the case, then integrity and privacy shouldn't work when mutual authentication is disabled—correct? In other words, RequireMutualAuthentication would need to be enabled in order to use either integrity or privacy?
>>
>> Additionally, I tested this scenario on Windows 10 22H2, and the issue does not occur there.
>>
>> To reproduce the issue:
>>
>> 1) Provision a Samba DC and create a new domain
>> 3) Join a Windows 11 client to the Samba domain
>> 2) Create a GPO, preferably using RSAT, and configure the setting "Hardened UNC paths" with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 (Computer Configuration → Administrative Templates → Network → Network Provider → Hardened UNC Paths)
>> 3) Create new GPO with user settings, say with a mapped drive
>> 4) Create a new user, either using RSAT or samba-tool user create, and set a known password for the user
>> 5) Logon with that user on the Windows 11 client
>> 6) The mapped drive does not get mapped, no group policies have been applied during logon and the Windows event log will log an event with event id 1058, error code 2148073478 and the description invalid signature
>> 7) Running gpupdate /force manually will apply policies for both computer and user without errors
>>
>> Regards,
>> Kacper
>>
>> On Fri, 12 Dec 2025 at 16:41, Kacper <[email protected]> wrote:
>>
>> Hi Obaid,
>>
>> I'm using the Group Policy Management Console (GPMC) snap-in. I'm configuring hardened UNC paths for \\*\NETLOGON and \\*\SYSVOL. I've uploaded a screenshot of the GPO setting to the secure file exchange.
>>
>> Regards,
>> Kacper
>>
>> On Fri, 12 Dec 2025 at 01:32, Obaid Farooqi <[email protected]> wrote:
>>
>> Hi Kacper:
>>
>> How are you applying this group policy on a Samba DC? If you are doing it on a Windows DC, what is the UNC path that you are configuring in the group policy editor?
>>
>> Regards,
>> Obaid Farooqi
>> Sr. Escalation Engineer | Microsoft
>>
>> *From:* Kacper <[email protected]>
>> *Sent:* Thursday, December 11, 2025 4:59 PM
>> *To:* Obaid Farooqi <[email protected]>
>> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
>> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>>
>> Hi Obaid,
>>
>> If session setup responses are always signed, I would like to understand why the signature verification fails when Hardened UNC Paths are configured with RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1 (Computer Configuration → Administrative Templates → Network → Network Provider → Hardened UNC Paths) and why the signature verification succeeds
>>
>> 1) when Hardened UNC Paths are not configured (e.g. the GPO is left at its Not Configured setting)
>> 2) after logon when manually refreshing group policies with gpupdate /force.
>>
>> Regards,
>> Kacper
>>
>> On Thu, Dec 11, 2025, 20:34 Obaid Farooqi <[email protected]> wrote:
>>
>> Hi Kacper:
>>
>> Looking at the traces, here is what's happening:
>>
>> 1. Just before sending the create request for gpt.ini, the client determines that it is a 3-part SPN and therefore it needs to reauthenticate.
>> 2. Client sends a session setup request
>> 3. Server (in this case Samba DC) responds with a session setup response
>> 4. The session setup response is always signed. Client tries to verify the signature and that fails.
>>
>> Please let me know if this does not answer your question.
>>
>> Regards,
>> Obaid Farooqi
>> Sr. Escalation Engineer | Microsoft
>>
>> *From:* Kacper <[email protected]>
>> *Sent:* Wednesday, December 10, 2025 4:30 AM
>> *To:* Obaid Farooqi <[email protected]>
>> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
>> *Subject:* Re: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>>
>> Hi Obaid,
>>
>> I have not been able to reproduce this problem against a Windows DC. I've uploaded the requested t.cmd traces to the secure file exchange.
>>
>> Regards,
>> Kacper
>>
>> On Tue, 9 Dec 2025 at 21:13, Obaid Farooqi <[email protected]> wrote:
>>
>> Hi Kacper:
>>
>> You'll have to rename t.txt to t.cmd. Your email provider does not allow .cmd files.
>>
>> Regards,
>> Obaid Farooqi
>> Sr. Escalation Engineer | Microsoft
>>
>> *From:* Obaid Farooqi
>> *Sent:* Tuesday, December 9, 2025 2:10 PM
>> *To:* 'Kacper' <[email protected]>
>> *Cc:* Microsoft Support <[email protected]>; 'cifs-protocol' <[email protected]>
>> *Subject:* RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>>
>> Hi Kacper:
>>
>> I want to reproduce this for Windows to Windows. Please let me know the exact steps and setup.
>>
>> Alternatively, you can collect ETW traces for me on the Windows 11 client. The script I have attached to this email does not survive reboot. So, if you can reproduce the scenario without rebooting, here are the steps.
>>
>> 1. Unzip and copy the file t.cmd on your Windows 11 client.
>> 2. Login as administrator and in a cmd (elevated), execute the following command:
>>    >t.cmd clion
>> 3. Reproduce the scenario, which I guess will require you to log off and login again (preferably as a different user)
>> 4. Once you see the error in Event Viewer, repro is complete.
>> 5. Open an elevated Cmd window and execute the following command:
>>    >t.cmd clioff
>> 6. Upload the resulting t*.cab file to the link I provided you.
>>
>> Regards,
>> Obaid Farooqi
>> Sr. Escalation Engineer | Microsoft
>>
>> *From:* Obaid Farooqi
>> *Sent:* Monday, December 8, 2025 10:38 AM
>> *To:* 'Kacper' <[email protected]>
>> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
>> *Subject:* RE: [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>>
>> Hi Kacper:
>>
>> Thank you for the traces. I'll look into them and get back to you as soon as I have anything concrete.
>>
>> Regards,
>> Obaid Farooqi
>> Sr. Escalation Engineer | Microsoft
>>
>> *From:* Kacper <[email protected]>
>> *Sent:* Monday, December 8, 2025 4:20 AM
>> *To:* Obaid Farooqi <[email protected]>
>> *Cc:* Microsoft Support <[email protected]>; cifs-protocol <[email protected]>
>> *Subject:* [EXTERNAL] Re: Windows 11 does not appear to apply group policies on logon when Hardened UNC paths are configured - TrackingID#2512040040010550
>>
>> Hello Obaid,
>>
>> Thank you for taking over this issue. The issue occurs between a Windows 11 client and a Samba DC. I've tested the same scenario against a Windows DC, and it works correctly there.
>> My testing was done with Windows 11 (24H2, OS version 26100.7171) and Samba 4.21.10. I've uploaded the network trace, the event log entry, and the auth trace.
>> Manually running gpupdate /force after the user logs on works without any issues.
>>
>> I would like to understand why Windows fails to apply GPOs during logon when Hardened UNC Paths are configured and the domain controller is Samba.
>>
>> Regards,
>> Kacper
>>
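The following diagnostic is an added example for readers trying to confirm the same symptoms on their own client; it is not code from this thread, from Samba or from Microsoft. It is meant to be run in an elevated PowerShell on the Windows 11 client right after the failed logon. It assumes the two policies discussed above land in their usual policy registry locations (HardenedPaths under NetworkProvider, and RequireEncryption under LanmanWorkstation, as on the Microsoft page linked in the top message), lists Group Policy event 1058 entries and flags the error code 2148073478 quoted in the thread, which is 0x80090006, NTE_BAD_SIGNATURE ("Invalid Signature"), and shows the dialect, encryption and signing state of the live SMB connections to the DC. Function names and the 24-hour window are choices made for this example.

```powershell
# Added diagnostic for the scenario in this thread; not code from the thread, Samba or Microsoft.
# Run in an elevated PowerShell on the Windows 11 client after the failed logon.
# Assumption: the two GPO settings discussed in the thread write these policy registry keys.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$LanmanWksKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'

# 2148073478 = 0x80090006 = NTE_BAD_SIGNATURE ("Invalid Signature"), the code carried by the
# event 1058 described in the reproduction steps.
$NteBadSignature = 2148073478

function Get-HardenedUncPathPolicy {
    # Each value name is a UNC pattern such as \\*\SYSVOL; its REG_SZ data is a comma-separated
    # list like "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1".
    if (-not (Test-Path $HardenedPathsKey)) { return }
    $key = Get-Item -Path $HardenedPathsKey
    foreach ($name in $key.GetValueNames()) {
        $flags = @{}
        foreach ($pair in ($key.GetValue($name) -split ',')) {
            $k, $v = $pair.Trim() -split '=', 2
            if ($k) { $flags[$k] = [int]$v }
        }
        [pscustomobject]@{
            Path                        = $name
            RequireMutualAuthentication = $flags['RequireMutualAuthentication']
            RequireIntegrity            = $flags['RequireIntegrity']
            RequirePrivacy              = $flags['RequirePrivacy']
        }
    }
}

function Get-SmbClientEncryptionPolicy {
    # "Require encryption" under Lanman Workstation; absent value means Not Configured.
    $p = Get-ItemProperty -Path $LanmanWksKey -Name RequireEncryption -ErrorAction SilentlyContinue
    if ($null -eq $p) { 'Not configured' } else { $p.RequireEncryption }
}

function Get-GpoSignatureFailures {
    param([int]$Hours = 24)
    # Group Policy event 1058 in the System log, the event named in the thread's step 6.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1058
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The rendered message carries the decimal error code; match it as text.
            $isBadSig = $_.Message -match [regex]::Escape("$NteBadSignature")
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ErrorCode = if ($isBadSig) { '0x{0:X8} NTE_BAD_SIGNATURE' -f $NteBadSignature } else { 'other' }
                Summary   = ($_.Message -split "`n")[0]
            }
        }
}

function Get-DcSmbConnectionState {
    # Dialect, encryption and signing state of live SMB connections (e.g. to \\dc\SYSVOL).
    # Assumption: the Signed column exists on this build; older builds simply show it empty.
    Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, UserName, Dialect, Encrypted, Signed
}

'--- Hardened UNC Paths policy ---'
Get-HardenedUncPathPolicy | Format-Table -AutoSize
'--- Lanman Workstation RequireEncryption policy ---'
Get-SmbClientEncryptionPolicy
'--- Group Policy 1058 events (last 24h) ---'
Get-GpoSignatureFailures | Format-Table -AutoSize
'--- Current SMB connections ---'
Get-DcSmbConnectionState | Format-Table -AutoSize
```

Running this after a logon that hits the problem should show RequireEncryption = 1 together with a 1058 entry decoded as NTE_BAD_SIGNATURE; after a working logon (Hardened UNC Paths alone, or after gpupdate /force) the 1058 list should be empty while the SYSVOL connection still reports Encrypted = True when RequirePrivacy=1 is set. Comparing those two outputs is the quickest way to tell the two policy combinations apart before opening a network trace.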
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
