On 26/01/2023 07:20, Marco Querci via samba wrote:
> Hi everyone,
>
> I'm posting here because I'm facing a Kerberos authentication problem after
> the 2:4.13.17~dfsg-0ubuntu1.20.04.4 samba upgrade.
> The clients, win10, win11, win2016 cannot log in to AD anymore.
> On server logs the authentication succeeded but in the Event Viewer on the
> client I have this error:
>
> Security-Kerberos
> The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> cor-win10$. The target name used was COR-WIN10$.
I think this might be a DNS problem. From your smb.conf, the DC's
hostname is 'AD5' yet the error message is referring to a 'server'
called 'COR-WIN10'
> This indicates that the
> target server failed to decrypt the ticket provided by the client. This can
> occur when the target server principal name (SPN) is registered on an
> account other than the account the target service is using. Ensure that the
> target SPN is only registered on the account used by the server. This error
> can also happen if the target service account password is different than
> what is configured on the Kerberos Key Distribution Center for that target
> service. Ensure that the service on the server and the KDC are both
> configured to use the same password. If the server name is not fully
> qualified, and the target domain (ACME.LAN) is different from the client
> domain (ACME.LAN), check if there are identically named server accounts in
> these two domains, or use the fully-qualified name to identify the server.
>
> This is my smb.conf:
> # Global parameters
> [global]
> netbios name = AD5
> realm = ACME.LAN
> server role = active directory domain controller
> workgroup = ACME
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
>
> log file = /var/log/samba/log.ad5
> max log size = 100000
> log level = 3 passdb:5 auth:5
>
> time server = yes
> #load printers = yes
>
> #printing = CUPS
> #rpc_server:spoolss = external
> #rpc_daemon:spoolssd = fork
> #spoolss: architecture = Windows x64
>
> host msdfs = yes
> #vfs object = dfs_samba4
>
> disable netbios = yes
> smb ports = 445
>
>
> [sysvol]
> comment = SYSVOL share
> path = /var/lib/samba/sysvol
> read only = no
> browseable = no
>
> [gpo]
> comment = GPO files share
> path = /var/lib/samba/sysvol/acme.lan/gpo
> read only = no
> browseable = no
Where did '[netlogon]' go and why do you have a share for GPO's ?
>
> I also tried with samba 4.15 on ubuntu 22.04 ... same problem.
>
> I don't know what the problem is and how to handle it, maybe something
> related to the latest samba security update together with some
> configuration in my environment.
> Can anyone help me in some way?
>
> Thanks.
Samba upgraded Heimdal (the KDC) at 4.16.0, which was lucky; later
versions of win10 upwards need it.
You can find later versions of Samba here:
http://www.corpit.ru/mjt/packages/samba/
Rowland
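As an added example, not code from this thread or from the Samba project: a small
POSIX shell check that reads an AD DC smb.conf and the text of the
KRB_AP_ERR_MODIFIED event, reports whether the shares a Samba AD DC needs
([sysvol] and [netlogon]) are present, and tells you whether the "server"
named in the event is this DC at all, which is the point raised above. The
smb.conf in the block is a constructed copy of the one posted (only the
[global] keys needed for the check are kept); the event text is the one posted.
Paths and the temp file are assumptions for the demo; on a real DC you would
point it at /etc/samba/smb.conf and paste the event text.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): sanity checks on an AD DC
# smb.conf and on a KRB_AP_ERR_MODIFIED event message.
set -u

# Constructed sample config mirroring the posted smb.conf (assumption: temp file
# stands in for /etc/samba/smb.conf).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[global]
netbios name = AD5
realm = ACME.LAN
server role = active directory domain controller
workgroup = ACME

[sysvol]
path = /var/lib/samba/sysvol
read only = no

[gpo]
path = /var/lib/samba/sysvol/acme.lan/gpo
read only = no
EOF

# Event text as posted (single-quoted so the machine-account "$" stays literal).
SAMPLE_EVENT='The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cor-win10$. The target name used was COR-WIN10$.'

# conf_get FILE KEY: first value of KEY in FILE, trailing blanks trimmed
conf_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# conf_has_section FILE NAME: true if a [NAME] header exists (case-insensitive)
conf_has_section() {
    grep -qi "^[[:space:]]*\[$2\][[:space:]]*$" "$1"
}

# missing_dc_shares FILE: prints, one per line, the DC shares that are absent
missing_dc_shares() {
    for share in sysvol netlogon; do
        conf_has_section "$1" "$share" || echo "$share"
    done
}

# event_server EVENT_TEXT: host named after "from the server", upper-cased,
# with the trailing "$" of a machine account removed
event_server() {
    printf '%s\n' "$1" \
        | sed -n 's/.*from the server \([^. ]*\).*/\1/p' \
        | tr -d '$' | tr '[:lower:]' '[:upper:]'
}

# event_targets_dc CONF EVENT_TEXT: true if the event's server is this DC
event_targets_dc() {
    dc="$(conf_get "$1" 'netbios name' | tr '[:lower:]' '[:upper:]')"
    [ -n "$dc" ] && [ "$(event_server "$2")" = "$dc" ]
}

# report CONF EVENT_TEXT: human-readable summary of the two checks
report() {
    if [ "$(conf_get "$1" 'server role')" != "active directory domain controller" ]; then
        echo "not an AD DC smb.conf"
        return 1
    fi
    for share in $(missing_dc_shares "$1"); do
        echo "missing DC share: [$share]"
    done
    if event_targets_dc "$1" "$2"; then
        echo "event names this DC ($(event_server "$2")): compare the DC's machine account password with the KDC"
    else
        echo "event names $(event_server "$2"), not this DC ($(conf_get "$1" 'netbios name')): check DNS and which account holds the SPN"
    fi
}

report "$SAMPLE_CONF" "$SAMPLE_EVENT"
```

Run against the sample it prints "missing DC share: [netlogon]" and reports that
the event names COR-WIN10 rather than AD5, i.e. the two observations made in
the reply above.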