Virgo Pärna
2025-Jan-24 10:15 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 24.01.2025 11:54, Rowland Penny via samba wrote:
>
> Which is why I said stop using the old tools, that conversion from 'AD'
> to 'MSK' isn't coming from AD, it is coming from the tools you are
> using.
>

It is in samba log file.

> If I were you, I would try resetting the users password, it could be
> something as simple as the PC is using kerberos that is different from
> what the DC expects.
>

I have tried resetting user password. I also had a Windows 11 test virtual machine that was not part of the domain. I added it to the domain. And I also added a brand new domain account with samba-tool. That account works for accessing Windows 10 computers and the Samba server. But when trying to log into Windows 11, Windows says "The username or password is incorrect". So it is not about a specific domain user. And that computer is also Windows 24H2.. I'll need to get myself 23H2 install media, to test it with that.

Yet, when logged in with a local account, test-computersecurechannel shows that the secure channel between local computer and domain is ok... But Windows NETLOGON service complains that it could not set up a secure session with DC...

--
Virgo Pärna
virgo.parna at mail.ee
Virgo Pärna
2025-Jan-25 18:44 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Domain itself is really old (and DC has been the same install for a long time). Originally it was installed as an NT domain, which was upgraded to AD when Windows dropped NT domain support. I now discovered that there are a lot of schema upgrades not done... I was able to upgrade schema to 2012 version. But after that

samba-tool domain schemaupgrade --schema=2016 -v

fails with

Applying Sch78.ldf updates...
Exception: (21, "objectclass_attrs: attribute 'systemFlags' on entry 'CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=*****' contains at least one invalid value!")
Encountered while trying to apply the following LDIF
----------------------------------------------------
dn: CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=*****
changetype: modify
replace: systemFlags
systemFlags: 2348810240
-

Exception: (21, "objectclass_attrs: attribute 'systemFlags' on entry 'CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=*****' contains at least one invalid value!")
Error encountered, aborting schema upgrade
ERROR: Failed to upgrade schema

--
Virgo Pärna
virgo.parna at mail.ee