samba - Jan 2025 - Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

On Wed, 22 Jan 2025 11:38:24 +0200
Virgo P?rna via samba <samba at lists.samba.org> wrote:
> On 22.01.2025 10:29, Georg Weickelt via samba wrote:
> > this has also happened to us recently. However, the login of this
> > user then worked on another computer and often also after a restart
> > of the client.
> 
> 	I did have problem with Windows 10 computers for last few
> weeks, that domain user could not log via remote desktop. But could
> log in directly from console. And that was fixed by restart.
> 	But did you also have NETLOGON errors on Event log?
> 
> > I suspect it is related to changes in Windows. Apparently, older
> > RC4 tickets are no longer supported. We have the same Samba version
> > and I am sure that the newer Kerberos encryption types AES 128 or
> > AES 256 are supported. Maybe you can check the following:
> > In the user manager under ?Account?: ?This account supports
> > Kerberos AES 128-bit encryption? and ?This account supports
> > Kerberos AES 256-bit encryption? - are they ticked?
> 
> 	Nothing is checked there for user account.
> 
> > Have the passwords perhaps not been changed for a long time?
> 
> 	After this started happening, I did try setting same password
> again for user with smbpasswd in linux.
Try using samba-tool to set a new password for the user.
> 
> 	But that NETLOGON message in event log makes it look, like
> more generic problem.
> 	I thought of checking name resolution, but Windows nslookup
> seems to be unable to resolve SRV records. But they seem to be ok.
> Windows nslookup requiring ending name with dot caused some initial
> confusion.
If Windows cannot resolve SRV records, then it looks like you have DNS
problems, are the clients using a DC as their first nameserver ?

Rowland

On 22.01.2025 12:25, Rowland Penny via samba wrote:
>>
>> 	After this started happening, I did try setting same password
>> again for user with smbpasswd in linux.
> 
> Try using samba-tool to set a new password for the user.
	I'l try it.
	Although righ now I'm considering removing computer from domain and 
adding again... Because isse seems to be with all domain users at that 
computer.
> 
>>
>> 	But that NETLOGON message in event log makes it look, like
>> more generic problem.
>> 	I thought of checking name resolution, but Windows nslookup
>> seems to be unable to resolve SRV records. But they seem to be ok.
>> Windows nslookup requiring ending name with dot caused some initial
>> confusion.
> 
> If Windows cannot resolve SRV records, then it looks like you have DNS
> problems, are the clients using a DC as their first nameserver ?
> 
	Issue was, that with linux nslookup name "_ldap._tcp.ad.domain"
works.
But I did not know, that I need to do use name "_ldap._tcp.ad.domain."
with Windows nslookup (dot at the end). After that all SRV records resolve.


-- 
Virgo P?rna
virgo.parna at mail.ee