Oliver Freyd
2022-Oct-26 11:27 UTC
[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
Hello,

I'm running a network with 2 samba AD DCs that were on 4.12.15 on debian buster (debian 10, oldstable).

Because of the Win11 22H2 bug I upgraded one of the DCs to samba 4.6.5 on debian bullseye, via the samba package from bullseye-backports.

This DC has one problem though, when people connect to their Windows machines via RDP the connection fails when this DC is used (verified that by switching off the old DC and only using the new one), it seems the password authentication does not work correctly, RDP will show the username/password dialog repeatedly...

This happens only when the RDP connection is made with the DNS-name of the client machine, the connection works if one connects with the IP of the client machine.

Checking with wireshark I see a kerberos error: KRB5KDC_ERR_TGT_REVOKED

Another weird thing is that yesterday I re-joined that new DC, and temporarily everything worked fine, only after a day or so it fails again.

Any ideas on how I could debug this issue?

best regards,

Oliver Freyd

-- 
Oliver Freyd
Physicist
Software Development
IONTOF Technologies GmbH
Heisenbergstr.15
48149 Muenster, GERMANY
phone : +49 251 1622-231
fax : +49 251 1622-199
e-mail: oliver.freyd at iontof.com
web : www.iontof.com
Registergericht / Court of Registry: Amtsgericht Münster, HRB 3077
Geschäftsführung / Management Board: Dr. Ewald Niehuis, Carsten Leimer, Dr. Rudolf Müllers
Rowland Penny
2022-Oct-26 12:01 UTC
[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
On 26/10/2022 12:27, Oliver Freyd via samba wrote:
> Hello,
>
> I'm running a network with 2 samba AD DCs that were on 4.12.15 on debian
> buster (debian 10, oldstable).
>
> Because of the Win11 22H2 bug I upgraded one of the DCs to samba 4.6.5
> on debian bullseye, via the samba package from bullseye-backports.

Which DC did you upgrade and how ?
Did it hold any of the FSMO roles and did you upgrade it in place, or add a new DC and demote the old one ?

> This DC has one problem though, when people connect to their Windows
> machines via RDP the connection fails when this DC is used (verified
> that by switching off the old DC and only using the new one), it seems
> the password authentication does not work correctly, RDP will show the
> username/password dialog repeatedly...

Sounds like a dns problem.

Can you post the contents (sanitised) of the following files:

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf

Rowland
Oliver Freyd
2022-Oct-27 10:02 UTC
[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
Hello,

> Which DC did you upgrade and how ?
> Did it hold any of the FSMO roles and did you upgrade it in place, or
> add a new DC and demote the old one ?

I upgraded the "second" DC, called sambapdc2, it did not have any FSMO roles. In the first try I upgraded it in place, first doing a debian version upgrade, which worked fine, then upgrading samba to the version in bullseye-backports, which is 4.16.5. The authentication problems did not start right away, but after a few hours.

Then I demoted that DC and renamed the /var/lib/samba directory, and joined it again to the domain. Again it seemed to work fine but after a few hours the RDP problems started again.

> Sounds like a dns problem.

I'm wondering if this is a Kerberos problem, whenever I try to connect to a windows machine via RDP I get such errors in the samba logs:

Kerberos: Verify PAC failed for TERMSRV/oliver64.example.lan at IONTOF.LAN (oliver64$@EXAMPLE.LAN) from ipv4:192.168.100.54:50814 with TGT has been revoked

> Can you post the contents (sanitised) of the following files:
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
>
> Rowland

I've attached these files...
-------------- next part --------------
sambapdc2
-------------- next part --------------
127.0.0.1 localhost.localdomain localhost
192.168.0.251 sambapdc2.example.lan sambapdc2
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
-------------- next part --------------
[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    EXAMPLE.LAN = {
        default_domain = example.lan
    }

[domain_realm]
    SAMBAPDC2 = EXAMPLE.LAN
-------------- next part --------------
search example.lan
nameserver 192.168.0.251
options timeout:1
#nameserver 192.168.0.12
-------------- next part --------------
# Global parameters
[global]
    netbios name = SAMBAPDC2
    realm = EXAMPLE.LAN
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = EXAMPLE
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    #added by Oliver Freyd, 05.07.2018
    winbind enum users = yes
    winbind enum groups = yes
    tls enabled = yes
    tls keyfile = /etc/samba/tls/CASignedSambaPdc2Key.pem
    tls certfile = /etc/samba/tls/CASignedSambaPdc2Cert.pem
    tls cafile = /etc/samba/tls/ExampleCA2.pem
    #'tls verify peer' has a default of as_strictly_as_possible which
    #complains of missing crlfile. ca_and_name is the strictest option
    #below that.
    tls verify peer = ca_and_name
    log file = /var/log/samba/machines/log.%m
    max log size = 3000
    syslog = 1
    log level = 3

[netlogon]
    path = /var/lib/samba/sysvol/example.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[inout]
    include = /etc/samba/global-share-settings.conf
    comment = Testshare fuer Migration
    path = /data/inout

#[extra]
#    include = /etc/samba/global-share-settings.conf
#    path = /data/extra
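The five files Rowland asked for, and Oliver attached above, can be cross-checked mechanically before anyone eyeballs them. The following Python is an added example, not code from the thread or from the Samba project; `check_dc_naming` and its helper parsers are hypothetical names. The sample input is the posted content (realm, hostname, hosts, resolv.conf, the relevant smb.conf keys) plus one constructed, deliberately broken hosts/resolv.conf pair. The rules it applies are the usual Samba AD DC expectations: smb.conf `realm` and krb5.conf `default_realm` agree, `netbios name` matches the hostname, the FQDN is the first name on the DC's LAN address line in /etc/hosts and the hostname is not mapped to a loopback address, and resolv.conf points at a DC and searches the AD DNS domain.

```python
"""Cross-check the files a Samba DC's naming depends on.
Added example (not Samba code, not from the thread); function names are
hypothetical. Sample inputs: the values posted in the thread, plus one
constructed broken /etc/hosts + resolv.conf pair."""

HOSTNAME = "sambapdc2"
HOSTS = """127.0.0.1 localhost.localdomain localhost
192.168.0.251 sambapdc2.example.lan sambapdc2
::1 ip6-localhost ip6-loopback
"""
RESOLV = "search example.lan\nnameserver 192.168.0.251\noptions timeout:1\n"
KRB5 = "[libdefaults]\n default_realm = EXAMPLE.LAN\n dns_lookup_realm = false\n dns_lookup_kdc = true\n"
SMB = "[global]\n netbios name = SAMBAPDC2\n realm = EXAMPLE.LAN\n server role = active directory domain controller\n"

# Constructed broken variant: debian-style 127.0.1.1 line, short name before
# the FQDN, a public resolver instead of a DC, and no search domain.
BROKEN_HOSTS = "127.0.0.1 localhost\n127.0.1.1 sambapdc2\n192.168.0.251 sambapdc2 sambapdc2.example.lan\n"
BROKEN_RESOLV = "nameserver 8.8.8.8\n"


def parse_sections(text):
    """ini-style text -> {section: {key: value}}; krb5.conf { } blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth:
            continue
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_hosts(text):
    """/etc/hosts -> {ip: [names in file order]}."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table


def parse_resolv(text):
    """resolv.conf -> (nameservers, search domains)."""
    nameservers, search = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            nameservers.append(fields[1])
        elif fields and fields[0] in ("search", "domain"):
            search.extend(fields[1:])
    return nameservers, search


def check_dc_naming(hostname, hosts_text, resolv_text, krb5_text, smb_text, other_dcs=()):
    """Return findings as strings; an empty list means the files agree with each other."""
    findings = []
    hosts = parse_hosts(hosts_text)
    nameservers, search = parse_resolv(resolv_text)
    krb5 = parse_sections(krb5_text).get("libdefaults", {})
    smb = parse_sections(smb_text).get("global", {})
    realm = smb.get("realm", "").upper()
    dns_domain = realm.lower()
    fqdn = f"{hostname.lower()}.{dns_domain}"
    if krb5.get("default_realm", "").upper() != realm:
        findings.append(f"krb5.conf default_realm {krb5.get('default_realm')!r} != smb.conf realm {realm!r}")
    if smb.get("netbios name", "").lower() != hostname.lower():
        findings.append(f"smb.conf netbios name {smb.get('netbios name')!r} != hostname {hostname!r}")
    own_ips = []
    for ip, names in hosts.items():
        lower = [n.lower() for n in names]
        loopback = ip.startswith("127.") or ip == "::1"
        if loopback and (hostname.lower() in lower or fqdn in lower):
            findings.append(f"/etc/hosts maps {hostname} to loopback {ip}; a DC must resolve to its LAN address")
        elif fqdn in lower:
            own_ips.append(ip)
            if lower[0] != fqdn:  # the first name is what `hostname -f` returns
                findings.append(f"/etc/hosts: {fqdn} must be the first name on the {ip} line, not {names[0]!r}")
    if not own_ips:
        findings.append(f"/etc/hosts has no LAN entry for {fqdn}")
    if not nameservers:
        findings.append("resolv.conf lists no nameserver")
    elif nameservers[0] not in (*own_ips, *other_dcs):
        findings.append(f"resolv.conf first nameserver {nameservers[0]} is neither this DC nor a known DC")
    if dns_domain not in (s.lower() for s in search):
        findings.append(f"resolv.conf search does not include {dns_domain}")
    return findings


if __name__ == "__main__":
    for label, h, r in (("posted", HOSTS, RESOLV), ("broken", BROKEN_HOSTS, BROKEN_RESOLV)):
        print(label, check_dc_naming(HOSTNAME, h, r, KRB5, SMB) or ["ok"])
```

Run against the posted files it reports nothing, which matches Oliver's later suspicion that the fault is in Kerberos rather than in name resolution; the broken variant produces four findings. Pass the addresses of the other DCs in `other_dcs` if the DC is meant to resolve via a peer rather than itself.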
Matthew Schumacher
2022-Oct-27 23:36 UTC
[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
On 10/26/22 4:27 AM, Oliver Freyd via samba wrote:
> Hello,
>
> I'm running a network with 2 samba AD DCs that were on 4.12.15 on
> debian buster (debian 10, oldstable).
>
> Because of the Win11 22H2 bug I upgraded one of the DCs to samba 4.6.5
> on debian bullseye, via the samba package from bullseye-backports.
>
> This DC has one problem though, when people connect to their Windows
> machines via RDP the connection fails when this DC is used (verified
> that by switching off the old DC and only using the new one), it seems
> the password authentication does not work correctly, RDP will show
> the username/password dialog repeatedly...
>
> This happens only when the RDP connection is made with the DNS-name of
> the client machine, the connection works if one connects with the IP
> of the client machine.
>
> Checking with wireshark I see a kerberos error: KRB5KDC_ERR_TGT_REVOKED
>
> Another weird thing is that yesterday I re-joined that new DC, and
> temporarily everything worked fine, only after a day or so it fails
> again.
> Any ideas on how I could debug this issue?
>
> best regards,
>
> Oliver Freyd
>

I'm also having problems with RDP sessions not authenticating against samba heimdal kdc. What is odd is that the initial RDP connection (network level connection) works fine and authenticates me, but when I get to the desktop, I get access denied and that my password is wrong as if I used a wrong password at the console. If I put in the wrong password into the initial rdp session for network level connection, it immediately rejects me without letting me see the desktop.

Looking at wireshark under the covers, I suspect it's a kerberos issue, however all of my hosts have dns settings of samba domain controllers and my samba servers do appear to get AD updates.

I was running 4.16.4 but now I'm on 4.17.2 with no change. I wonder if something changed on the windows side. I see Jakob posted about a 22H2 update breaking this.

Anyone know the specific fix and how to roll it back?

Thanks
Matt
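Both reports in this thread come down to the DC logging "Verify PAC failed ... with TGT has been revoked" for TERMSRV service tickets. When the failures start only hours after a re-join, the useful first step is to see whether they cluster on particular client principals, services or source addresses rather than reading the log line by line. The Python below is an added example, not part of the thread and not Samba code; `parse_pac_failure`, `triage` and `revoked_clients` are hypothetical names. The first two sample lines reuse the message Oliver posted (the second with a different source port); the remaining lines are constructed to show grouping and a non-matching line, and the log prefix normally produced by the `log file` setting is omitted so the regex is anchored on the message text alone.

```python
"""Triage 'Verify PAC failed' lines from a Samba AD DC log.
Added example (not Samba code, not from the thread); names are hypothetical.
Sample lines: the message Oliver posted, plus constructed variants."""
import re
from collections import defaultdict

# Message shape as posted in the thread:
#   Kerberos: Verify PAC failed for <service> at <realm> (<client>) from <transport>:<addr>:<port> with <reason>
PAC_RE = re.compile(
    r"Kerberos: Verify PAC failed for (?P<service>\S+) at (?P<service_realm>\S+) "
    r"\((?P<client>[^)]+)\) from (?P<transport>\w+):(?P<addr>.+):(?P<port>\d+) "
    r"with (?P<reason>.+)$"
)

SAMPLE_LINES = [
    # posted line
    "Kerberos: Verify PAC failed for TERMSRV/oliver64.example.lan at IONTOF.LAN "
    "(oliver64$@EXAMPLE.LAN) from ipv4:192.168.100.54:50814 with TGT has been revoked",
    # constructed: same client, a later connection attempt
    "Kerberos: Verify PAC failed for TERMSRV/oliver64.example.lan at IONTOF.LAN "
    "(oliver64$@EXAMPLE.LAN) from ipv4:192.168.100.54:50901 with TGT has been revoked",
    # constructed: a second workstation showing the same symptom
    "Kerberos: Verify PAC failed for TERMSRV/ws17.example.lan at EXAMPLE.LAN "
    "(ws17$@EXAMPLE.LAN) from ipv4:192.168.100.61:49744 with TGT has been revoked",
    # constructed: a line that is not a PAC failure and must be ignored
    "Kerberos: TGS-REQ oliver64$@EXAMPLE.LAN from ipv4:192.168.100.54:50814 "
    "for TERMSRV/oliver64.example.lan at EXAMPLE.LAN",
]


def parse_pac_failure(line):
    """Return the named fields of a 'Verify PAC failed' line, or None for other lines."""
    m = PAC_RE.search(line)
    return m.groupdict() if m else None


def triage(lines):
    """Group failures by (client principal, reason) -> count, services and source addresses."""
    groups = defaultdict(lambda: {"count": 0, "services": set(), "sources": set()})
    for line in lines:
        rec = parse_pac_failure(line)
        if rec is None:
            continue
        g = groups[(rec["client"], rec["reason"])]
        g["count"] += 1
        g["services"].add(rec["service"])
        g["sources"].add(rec["addr"])
    return dict(groups)


def revoked_clients(lines):
    """Sorted client principals whose tickets this DC rejected as 'TGT has been revoked'."""
    return sorted(client for (client, reason) in triage(lines)
                  if reason == "TGT has been revoked")


if __name__ == "__main__":
    for (client, reason), g in sorted(triage(SAMPLE_LINES).items()):
        print(f"{client}: {g['count']}x '{reason}' for {sorted(g['services'])} "
              f"from {sorted(g['sources'])}")
    print("revoked:", revoked_clients(SAMPLE_LINES))
```

Feed it the DC's `log.%m` files (or `journalctl` output when `syslog` is set) to see whether the revoked tickets belong to every workstation or only to those joined or re-joined around the time the DC was rebuilt; that distinction is what narrows the problem to the DC's own krbtgt/PAC state versus something the Windows side changed.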