samba - Feb 2025 - Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

I just want to add, that this week I introduced first windows 11 24h2 to 
AD - everything up to 23h2 is working fine - but windows 11 24h2 has 
some strange kerberos-related issues.

I added pc to domain successfully and can log in, but I can't access 
sysvol and netlogon and gpupdate fails. Automatic DNS update from the 
workstation fails with insufficient rights (running bind on samba ad dc) 
and one of my applications that uses kerberos to access ms sql database 
also fails, so everything points to some kerberos feature/change.

I'm running still older samba 4.13 on Debian, but reading how there are 
issues in 4.21.3, It doesn't seem specifically samba version related, 
maybe the schema changes.

W dniu 05.02.2025 o?13:13, Virgo P?rna via samba pisze:
> On 05.02.2025 10:49, Rowland Penny via samba wrote:
>>
>> If it is a Samba problem, I would have expected to have seen multiple
>> reports of it, but I haven't seen them. What I have seen (after
doing
>> an internet search) is lots of reports of similar problems with Windows
>> 24H2 and the real fix appears to be, do not use 24H2.
>>
>
> ????I thought, that it might be something about my specific 
> configuration/dc history (some kind of configuration issue). That is, 
> why I started checking changes and then I discovered that schema 
> update part.
>
> ????Whatever it is, it seems to affect other Windows 11 versions also 
> (23H2 test vm has same problem). And even Windows 10 computers are 
> having some issues (that started with January update and before Samba 
> upgrade). Although, with win10 issues are only with rdp and ssh login 
> and restart has fixed them (at least until now).
>
>
>
-- 
Ta wiadomo?? e-mail zosta?a sprawdzona pod k?tem wirus?w przez oprogramowanie
antywirusowe Avast.
www.avast.com

El 13/2/25 a les 19:43, Kacper Wirski via samba ha escrit:
> I just want to add, that this week I introduced first windows 11 24h2 to 
> AD - everything up to 23h2 is working fine - but windows 11 24h2 has 
> some strange kerberos-related issues.
> 
> I added pc to domain successfully and can log in, but I can't access 
> sysvol and netlogon and gpupdate fails. Automatic DNS update from the 
> workstation fails with insufficient rights (running bind on samba ad dc) 
> and one of my applications that uses kerberos to access ms sql database 
> also fails, so everything points to some kerberos feature/change.

The problem could be the certificate of the samba dc, if it's 
self-signed or signed by a local certificate authority.
If you have in smb.conf

   tls enabled = yes
   tls keyfile = /path/to/your.dc.key
   tls certfile = /path/to/your.dc.crt
   tls cafile = /path/to/your.ca.crt


try installing the ca certificate in your windows client.
Alternatively you could get your dc certificate from letsencrypt but I 
didn't test that yet.

Bye

-- 
Luca Olivetti
Tel. +34 935883004 Ext. 3010
https://wetron.es
https://wecobots.com