Rowland Penny
2025-Jan-30 19:44 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On Thu, 30 Jan 2025 11:35:56 +0200
Virgo Pärna via samba <samba at lists.samba.org> wrote:

> On 29.01.2025 17:07, Rowland Penny via samba wrote:
> > On Wed, 29 Jan 2025 12:27:31 +0200
> > Virgo Pärna via samba <samba at lists.samba.org> wrote:
> >
> >> # FLAG_ALLOW_RENAME 0x400000
> >> systemFlags: 1073741824
> >>
> >> Although 1073741824 is 0x4000 0000, not 0x40 0000
> >
> > Setting systemFlags to 1073741824 does allow the object to be
> > renamed, so that is correct.
>
> Yeah, seems to be an error in Microsoft Schema-Updates.md
> documentation, on which Samba Schema-Updates.md is based.
> FLAG_CONFIG_ALLOW_RENAME is actually 0x4000 0000.
>
> > That is where it appears to go wrong, but 2348810240 is computed
> > from:
> >
> > FLAG_DISALLOW_DELETE 2147483648
> > FLAG_DOMAIN_DISALLOW_RENAME 134217728
> > FLAG_DOMAIN_DISALLOW_MOVE 67108864
> >
> > and if you add up all the numbers, you get 2348810240, so that
> > should be correct. Have you checked the ldif for abnormalities ?
> > Spaces etc.
>
> And "Expiring Group Membership Feature" originally had the same
> systemFlags. It is actually added in the same transaction (when upgrading
> schema from 2012 to 2016).
> I have not changed that Schema-Updates.md myself (it was
> part of the samba package). And I cannot see any differences.
>
> > Management Feature,CN=Optional .......' DN, I found that the
> > systemFlags attribute is set to '-1946157056', which, as far as I
> > can see, is 'no changes allowed', I have no idea how it was set to
> > that.
>
> Strange. There do not seem to be any additional patches by
> Samba to it either.
>
> > Have you tried adding '-d10' to the 'samba-tool domain join'
> > command to see if any further error messages are printed ?
>
> Joining to the domain is not an issue. At least I was able to
> join a Windows 11 24H2 test-vm and a 22H2 test-vm to the domain. But I cannot
> log in with a domain account to either of those... So the actual
> problem is not tied to Windows 11 24H2.
> Something about my DC must be wrong. I did do one thing in the wrong order. I used
>
> samba-tool domain level
>
> to raise the domain level before the schema upgrades. In the original 4.17.12 to
> 2008_R2 (that was some time before the logging-in issue
> appeared). And then all the way to 2016 after I already had the login
> problem. I only now discovered that there are separate schema
> upgrades.
>
> Since the problem appears to be tied to a specific domain,
> that discrepancy could be an issue; unfortunately I am unable to
> upgrade the schema to the same level.
>
> Otherwise Windows test-computersecurechannel and
> "test-computersecurechannel -repair" both work.
> And "dcdiag /s:dc.domain" fails on some tests, but from
> google results they appear to be common failures for a Samba DC.
>
> * SysVolCheck - SysVol is not ready... But that mentions FRS, which is
>   sysvol replication, which Samba does not support. And googling about it
>   seemed to imply that it is expected
> * ObjectsReplicated is passed, but complains that replication access
>   was denied
> * Replications is failed with the same error.
> * Services fails, because Samba does not have the Windows services that
>   it expects. And samba NETLOGON is WIN32_OWN_PROCESS, not
>   WIN32_SHARE_PROCESS
> * VerifyReferences fails, because there is no sysvol replication
>   attribute. That is expected.
> * ForestDnsZones CheckSDRefDom test fails because of the missing
>   msDS-SD-Reference-Domain attribute. Same with the DomainDnsZones
>   CheckSDRefDom test.

A post on reddit on a similar subject led to this:

https://learn.microsoft.com/en-us/answers/questions/2086759/insufficient-system-resources-exist-to-complete-th

Perhaps it will help.

Rowland
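The systemFlags arithmetic quoted above, as an added example that is not part of the thread or of Samba: it decodes a value either as LDAP prints it (a signed 32-bit integer such as -1946157056) or as the schema ldif sums it (unsigned, 2348810240) into named bits, and checks the two against each other. The flag table uses the constants named in the thread plus the documented FLAG_CONFIG_ALLOW_MOVE and FLAG_CONFIG_ALLOW_LIMITED_MOVE; the LDIF fragment and its DN are constructed.

```python
# Added example: decode/compose AD systemFlags bitmasks. Not from the thread.
SYSTEM_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
}
KNOWN_MASK = sum(SYSTEM_FLAGS)  # every bit the table names


def to_unsigned32(value: int) -> int:
    """Map a signed 32-bit integer (LDAP INTEGER syntax) onto the unsigned mask."""
    if not -2**31 <= value < 2**32:
        raise ValueError(f"not a 32-bit value: {value}")
    return value & 0xFFFFFFFF


def decode_system_flags(value: int) -> tuple[set[str], int]:
    """Return (names of set flags, leftover bits the table does not name)."""
    bits = to_unsigned32(value)
    names = {name for bit, name in SYSTEM_FLAGS.items() if bits & bit}
    return names, bits & ~KNOWN_MASK


def compose_system_flags(*names: str) -> int:
    """Sum flag bits by name, the way the schema ldif values are built."""
    by_name = {name: bit for bit, name in SYSTEM_FLAGS.items()}
    return sum(by_name[name] for name in names)


def parse_ldif_system_flags(ldif: str) -> list[int]:
    """Collect every systemFlags value from an LDIF fragment, in order."""
    values = []
    for line in ldif.splitlines():
        if line.strip().lower().startswith("systemflags:"):
            values.append(int(line.split(":", 1)[1].strip()))
    return values


# Constructed fragment carrying the three values discussed in the thread.
SAMPLE_LDIF = """\
dn: CN=Constructed Feature,CN=Optional Features,DC=example,DC=com
systemFlags: 2348810240
systemFlags: -1946157056
systemFlags: 1073741824
"""

if __name__ == "__main__":
    for v in parse_ldif_system_flags(SAMPLE_LDIF):
        names, rest = decode_system_flags(v)
        print(f"{v:>12} = 0x{to_unsigned32(v):08X} {sorted(names)} other=0x{rest:X}")
```

Running it shows that -1946157056 and 2348810240 are the same bitmask (DISALLOW_DELETE + DOMAIN_DISALLOW_RENAME + DOMAIN_DISALLOW_MOVE), and that 0x400000 from the documentation comment lands in no named flag.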
Virgo Pärna
2025-Jan-31 08:42 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 30.01.2025 21:44, Rowland Penny via samba wrote:
> A post on reddit on a similar subject led to this:
>
> https://learn.microsoft.com/en-us/answers/questions/2086759/insufficient-system-resources-exist-to-complete-th
>
> Perhaps it will help.

Interesting. Different error (I'm getting invalid username/password), but it is worth checking. The PC does not have Bitlocker, fortunately. And all the VMs I have tested are running on the same Win 11 PC. I'll try clearing the TPM on the next office day (currently working remotely). Credential Guard is not available, because it is not Windows 11 Enterprise (it is Pro). And re-enabling Core Protection did not change anything (had this disabled, because the Smart Card reader driver does not work with 24H2 otherwise). And just changing the algorithms allowed for Kerberos had no effect.

The strange thing was that when I tested it on the Windows 11 22H2 test machine (which I today upgraded to 23H2) and enabled the debug log on the Windows NETLOGON service, then in that log it complained:

01/30 15:28:23 [ERROR] [1320] NlpStoreKeyInDS: Unable to get computer DN: 5
01/30 15:28:23 [ERROR] [1320] NlProvisionMachineAuthKey: Unable to store auth key in DS: 5
01/30 15:28:23 [ERROR] [7044] NetpLdapBind: ldap_bind failed on dc.domain: 49: Invalid Credentials

But using Wireshark to capture the ldap traffic I did not see anything that would look like an authentication failure to me.

--
Virgo Pärna
virgo.parna at mail.ee