Denis CARDON
2022-Oct-03 09:15 UTC
[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
Hi everyone,

we had a call last week from a client with a win11 workstation that upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.

There are a few related posts on reddit [1] and it seems to be linked to this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, probably due to the integration of Heimdal-8.0pre.

The issue is due to a timestamp in the TGS-REQ where it is set to max value in the Microsoft Kerberos client instead of the usual 2038 timestamp (till=99990913024805Z), and Microsoft says it is by the specs [3] and won't be changed.

I didn't find any Samba bugzilla entry for this bug, which is going to get widespread quite fast as Microsoft starts force-feeding this upgrade on unsuspecting end users. I can create a bugzilla entry if there is none yet.

There is only one supported version that is impacted (4.15), but there should at least be more communication to encourage people to upgrade before being bitten by this issue.

Cheers,

Denis

[1] https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
[2] https://github.com/heimdal/heimdal/issues/1011
[3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488
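To show how the `till` value quoted above differs from a pre-2038 one, here is an added example (not part of the thread, and not Samba or Heimdal code) that parses KerberosTime strings and flags clients whose requested end time does not fit a signed 32-bit seconds counter. Treating that 32-bit limit as the relevant threshold is an assumption, since the thread does not state the root cause; the host names and the `20370913024805Z` value are constructed sample data.

```python
import calendar
import re
from datetime import datetime

INT32_MAX = 2**31 - 1  # 2038-01-19T03:14:07Z in seconds since the epoch
KRB_TIME = re.compile(r"\d{14}Z")  # RFC 4120 KerberosTime: YYYYMMDDHHMMSSZ

def parse_kerberos_time(value):
    """Return seconds since 1970-01-01 UTC for a KerberosTime string."""
    if not KRB_TIME.fullmatch(value):
        raise ValueError(f"not a KerberosTime: {value!r}")
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ")
    return calendar.timegm(dt.timetuple())

def fits_int32(seconds):
    """True if the value survives storage in a signed 32-bit counter."""
    return -(2**31) <= seconds <= INT32_MAX

def wrap_int32(seconds):
    """Value a plain signed 32-bit truncation would keep (illustration only)."""
    return (seconds + 2**31) % 2**32 - 2**31

def flag_clients(records):
    """Return the clients whose requested 'till' exceeds the 32-bit range."""
    flagged = []
    for client, till in records:
        if not fits_int32(parse_kerberos_time(till)) and client not in flagged:
            flagged.append(client)
    return flagged

# Constructed sample: (client principal, till) pairs as they might be
# extracted from a capture of TGS-REQ traffic. Host names are made up.
SAMPLE = [
    ("WS-OLD$", "20370913024805Z"),
    ("WS-22H2$", "99990913024805Z"),
    ("WS-22H2$", "99990913024805Z"),
]

if __name__ == "__main__":
    for client, till in SAMPLE:
        secs = parse_kerberos_time(till)
        print(client, till, secs, fits_int32(secs), wrap_int32(secs))
    print("clients to check:", flag_clients(SAMPLE))
```

Run against `till` values exported from a packet capture, the flagged list gives the workstations to test before they meet a KDC that has not been upgraded.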
Rowland Penny
2022-Oct-03 10:27 UTC
[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
On 03/10/2022 10:15, Denis CARDON via samba wrote:
> Hi everyone,
>
> we had a call last week from a client with a win11 workstation that upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.
>
> There are a few related posts on reddit [1] and it seems to be linked to this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, probably due to the integration of Heimdal-8.0pre.
>
> The issue is due to a timestamp in the TGS-REQ where it is set to max value in the Microsoft Kerberos client instead of the usual 2038 timestamp (till=99990913024805Z), and Microsoft says it is by the specs [3] and won't be changed.
>
> I didn't find any Samba bugzilla entry for this bug, which is going to get widespread quite fast as Microsoft starts force-feeding this upgrade on unsuspecting end users. I can create a bugzilla entry if there is none yet.
>
> There is only one supported version that is impacted (4.15), but there should at least be more communication to encourage people to upgrade before being bitten by this issue.
>
> Cheers,
>
> Denis
>
> [1] https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
> [2] https://github.com/heimdal/heimdal/issues/1011
> [3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488

Hi Denis,

the problem is that it isn't really a Samba bug, but if it is a bug, it has been fixed in 4.16.0, so if you do open a bug report, it will probably get closed very quickly. I would imagine that backporting Heimdal 8.0pre was considered but rejected because it isn't a maintenance or security problem and would probably require multiple other changes, but I am guessing here.

As for upgrading Samba, I keep saying that users should try to keep up with the latest Samba; this is because Samba is rapidly evolving and using old versions of Samba in a domain is not advised.

Rowland
Andrew Bartlett
2022-Oct-03 19:57 UTC
[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
On Mon, 2022-10-03 at 11:15 +0200, Denis CARDON via samba wrote:
> Hi everyone,
>
> we had a call last week from a client with a win11 workstation that upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.
>
> There are a few related posts on reddit [1] and it seems to be linked to this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, probably due to the integration of Heimdal-8.0pre.
>
> The issue is due to a timestamp in the TGS-REQ where it is set to max value in the Microsoft Kerberos client instead of the usual 2038 timestamp (till=99990913024805Z), and Microsoft says it is by the specs [3] and won't be changed.

Thanks so much for digging into this. I'm sorry that while I did see the early references, I didn't dig into it.

> I didn't find any Samba bugzilla entry for this bug, which is going to get widespread quite fast as Microsoft starts force-feeding this upgrade on unsuspecting end users. I can create a bugzilla entry if there is none yet.

Please do, with all the references etc. We may be able to kludge around that if it is as you describe, but otherwise we need a place to coordinate efforts.

> There is only one supported version that is impacted (4.15), but there should at least be more communication to encourage people to upgrade before being bitten by this issue.

Thanks,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Dr. Nicola Mingotti
2022-Oct-17 14:58 UTC
[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
Thank you a lot for reporting this in the mailing list.

I also found this horrible issue putting a new Win-11 laptop in the Samba domain and lost hours in anger trying to make it work. Windows as usual reports silly/useless error messages. In the Samba logs I found a suspicious line and, googling that, I was able to find a blog where the thing is discussed (and in Reddit):

https://bitcoden.com/answers/samba-wont-join-computers-to-domain-anymore

Then finally I see the message here, and I am more confident the info is reliable.

I may recommend putting a well-visible link on the Samba Web homepage when this kind of issue emerges. Even if it is Microsoft who broke things and it is not a Samba bug, we proud Samba users/admins will suffer, so better to warn us before we bang our heads against the wall for hours, if possible ;)

bye
Nicola

On 10/3/22 11:15, Denis CARDON via samba wrote:
> Hi everyone,
>
> we had a call last week from a client with a win11 workstation that upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.
>
> There are a few related posts on reddit [1] and it seems to be linked to this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, probably due to the integration of Heimdal-8.0pre.
>
> The issue is due to a timestamp in the TGS-REQ where it is set to max value in the Microsoft Kerberos client instead of the usual 2038 timestamp (till=99990913024805Z), and Microsoft says it is by the specs [3] and won't be changed.
>
> I didn't find any Samba bugzilla entry for this bug, which is going to get widespread quite fast as Microsoft starts force-feeding this upgrade on unsuspecting end users. I can create a bugzilla entry if there is none yet.
>
> There is only one supported version that is impacted (4.15), but there should at least be more communication to encourage people to upgrade before being bitten by this issue.
>
> Cheers,
>
> Denis
>
> [1] https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
> [2] https://github.com/heimdal/heimdal/issues/1011
> [3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488