On July 8, 2025, Microsoft released KB 5062572 (applicable to Windows Server 2008 R2 through 2022 domain controllers) to address CVE-2025-49716 and enhance access verification in Netlogon RPC.
Potentially affected environments: Samba servers joined to AD and using certain backends such as idmap_ad may experience authentication or identity mapping failures after the update.
QNAP NAS status: QNAP NAS systems under default configurations are not affected by this change, and it is safe to apply the update.
Important Note: Users employing the non-default configuration (such as idmap=ad) are likely impacted and should review their Samba settings or consult with IT administrators before proceeding.
Indeed, we are affected, or at least since last Tuesday 17th users are not able to access any shares. We are using “ad” as idmap instead of RID.
The error visible in the log is:
RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host myDC.mysite.it
Our NAS is:
Model = TS-X32U
Internal Model = TS-X32U
Server comment =
Version = 5.2.5
Build Number = 20250623
Number = 3173
I’m sorry you’re experiencing issues with your NAS. Typically, QNAP NAS systems configured with the default idmap=rid setting for Active Directory integration are not affected by Microsoft’s KB 5062572 update (released July 8, 2025) addressing CVE-2025-49716. However, as your TS-X32U running QTS 5.2.5 (Build 20250623) uses the idmap=ad setting within a Samba configuration, it appears to be impacted, aligning with Microsoft’s advisory.
This update strengthens security by enforcing stricter access controls for specific Netlogon RPC requests, potentially triggering the “RPC fault code DCERPC_FAULT_ACCESS_DENIED” error and access problems you’ve encountered since July 17.
Given that this issue stems from Microsoft’s updated security policy, you might need to adjust your Samba configuration or consult with IT administrators familiar with AD integration to identify appropriate solutions.
Thanks again for bringing attention to the idmap=ad issue—it’s valuable information for others with similar configurations.
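A triage check for the condition discussed above, as an added example that is not part of the original thread and is not QNAP or Samba tooling: it lists the domains whose idmap backend is `ad` and the domain controllers that returned the fault quoted in the thread. The smb.conf and log text are constructed samples, the `likely_affected` flag is an assumed heuristic, and no file locations on the NAS are assumed.

```python
import re

# Constructed sample smb.conf (not taken from any QNAP system).
SAMPLE_CONF = """\
[global]
    security = ADS
    workgroup = EXAMPLE
    ; idmap config EXAMPLE : backend = rid
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    IDMAP CONFIG EXAMPLE : Backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config LAB:backend = rid
"""

# Constructed winbind log lines; the fault text is the one quoted in the thread.
SAMPLE_LOG = """\
[2025/07/17 09:12:01, 1] RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host dc1.example.test
[2025/07/17 09:12:05, 3] connection to dc1.example.test established
[2025/07/17 09:13:40, 1] RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host dc2.example.test
"""

BACKEND_RE = re.compile(r"^idmap\s+config\s+(.+?)\s*:\s*backend\s*=\s*(\S+)", re.I)
FAULT_RE = re.compile(r"RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host (\S+)")

def idmap_backends(conf_text):
    """Return {domain: backend} from 'idmap config DOMAIN : backend = X' lines."""
    backends = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # smb.conf comment markers
            continue
        m = BACKEND_RE.match(line)
        if m:
            backends[m.group(1).upper()] = m.group(2).lower()
    return backends

def triage(conf_text, log_text):
    """Domains on the 'ad' backend plus DCs that returned the access-denied fault."""
    ad_domains = sorted(d for d, b in idmap_backends(conf_text).items() if b == "ad")
    fault_hosts = sorted(set(FAULT_RE.findall(log_text)))
    # Assumed heuristic: both signals present means the setup matches the thread.
    return {"ad_domains": ad_domains, "fault_hosts": fault_hosts,
            "likely_affected": bool(ad_domains and fault_hosts)}

if __name__ == "__main__":
    print(triage(SAMPLE_CONF, SAMPLE_LOG))
```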
Tim, thank you for your kind reply. Actually, I am also managing the AD infrastructure which serves all systems in our university, and I cannot revert the MS patch to have the QNAP working again, which, from the Microsoft side, is the only option.
My guess is that as soon as SMB’s guys deploy a working patch it should be released for your systems too. Btw, strangely another old QNAP with an older version of Samba (4.4.16) seems not to be affected like this one (4.15.13).
We too are affected by the recent Microsoft update - looking at the way that Samba works / is installed on the QNAP - it would seem possible for the version of Samba to be updated to a version that includes the fix.
I would hope that this might be even easier now that Samba is provided as an app!
Dear TimL, would it be possible to have a new firmware or at least the patched version of winbind for this issue? Two months have passed and our users are still unable to access their files. I am available for any kind of testing if needed.
Thanks
Hi, since the impacted usage is beyond our designed scenario, we are evaluating the patch solution. Please allow us some time to evaluate a patch without side effects to the default scenario.