samba - Feb 2025 - Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

On Tue, 4 Feb 2025 13:22:46 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 4 Feb 2025 15:07:30 +0200
> Virgo P?rna via samba <samba at lists.samba.org> wrote:
> 
> > And there has been some developement...
> > 
> > test-computersecurechannel
> > still reports True.
> > But now
> > test-computersecurechannel -repair
> > now fails with
> > "Test-ComputerSecureChannel: Cannot reset the secure channel
> > password for the computer account in the domain. Operation failed
> > with the following exception: The user name or password is
> > incorrect."
> > 
> > test-computersecurechannel -repair -Credential DOMAIN\Administrator 
> > -Server dc.domain
> > also fails with same message.
> > 
> > But
> > test-computersecurechannel -repair -Credential DOMAIN\Administrator 
> > -Server ip_of_dc
> > succeeds...
> > 
> 
> that may point a way to the problem, using a fqdn will probably use
> kerberos and using the IP will probably use rpc. If that is the case,
> then there is probably a kerberos problem and doing a search on that,
> turned up this;
> 
>
https://nuangel.net/2025/01/windows-11-24h2-insufficient-system-resources-trying-to-login/
> 
> Check that, it may be your problem.
> 
> Rowland
> 
> 
> 
After a bit more investigation, that might be the same 'fix' I pointed
to earlier, but from a different direction.

So I dug deeper and found this:

https://answers.microsoft.com/en-us/windowsclient/forum/all/after-update-to-latest-win-11-24h2-rdp-kerberos/d0f95e77-eb25-4604-bfd7-526d14a585a1?page=3

Which appears to be a lot closer to what the problem the OP is getting.
If it is, then it appears to be a Windows bug that they are not
accepting.

Rowland

On 04.02.2025 15:43, Rowland Penny via samba wrote:
> 
> After a bit more investigation, that might be the same 'fix' I
pointed
> to earlier, but from a different direction.
> 
> So I dug deeper and found this:
> 
>
https://answers.microsoft.com/en-us/windowsclient/forum/all/after-update-to-latest-win-11-24h2-rdp-kerberos/d0f95e77-eb25-4604-bfd7-526d14a585a1?page=3
> 
> Which appears to be a lot closer to what the problem the OP is getting.
> If it is, then it appears to be a Windows bug that they are not
> accepting.
> 
	I'll check this also. Changing allowed kerberos algorihms had no effect.
	Although for me fully updated 23H2 is also not working. That is why I 
started suspecting, that Windows expects something of Samba side, that 
is not working anymore.  The whole schema update part.
	
	I did disable deprecated settings in Samba side.

-- 
Virgo P?rna
virgo.parna at mail.ee