Kacper Wirski
2025-Feb-13 18:43 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
I just want to add that this week I introduced the first Windows 11 24H2 machine to AD - everything up to 23H2 is working fine - but Windows 11 24H2 has some strange Kerberos-related issues.

I added the PC to the domain successfully and can log in, but I can't access sysvol and netlogon, and gpupdate fails. Automatic DNS update from the workstation fails with insufficient rights (running BIND on the Samba AD DC) and one of my applications that uses Kerberos to access an MS SQL database also fails, so everything points to some Kerberos feature/change.

I'm still running the older Samba 4.13 on Debian, but reading how there are issues in 4.21.3, it doesn't seem specifically Samba version related, maybe the schema changes.

On 05.02.2025 at 13:13, Virgo Pärna via samba wrote:
> On 05.02.2025 10:49, Rowland Penny via samba wrote:
>>
>> If it is a Samba problem, I would have expected to have seen multiple
>> reports of it, but I haven't seen them. What I have seen (after doing
>> an internet search) is lots of reports of similar problems with Windows
>> 24H2 and the real fix appears to be, do not use 24H2.
>>
>
>     I thought, that it might be something about my specific
> configuration/dc history (some kind of configuration issue). That is,
> why I started checking changes and then I discovered that schema
> update part.
>
>     Whatever it is, it seems to affect other Windows 11 versions also
> (23H2 test vm has same problem). And even Windows 10 computers are
> having some issues (that started with January update and before Samba
> upgrade). Although, with win10 issues are only with rdp and ssh login
> and restart has fixed them (at least until now).
Luca Olivetti
2025-Feb-13 21:19 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 13/2/25 at 19:43, Kacper Wirski via samba wrote:
> I just want to add, that this week I introduced first windows 11 24h2 to
> AD - everything up to 23h2 is working fine - but windows 11 24h2 has
> some strange kerberos-related issues.
>
> I added pc to domain successfully and can log in, but I can't access
> sysvol and netlogon and gpupdate fails. Automatic DNS update from the
> workstation fails with insufficient rights (running bind on samba ad dc)
> and one of my applications that uses kerberos to access ms sql database
> also fails, so everything points to some kerberos feature/change.

The problem could be the certificate of the Samba DC, if it's self-signed or signed by a local certificate authority. If you have in smb.conf

    tls enabled = yes
    tls keyfile = /path/to/your.dc.key
    tls certfile = /path/to/your.dc.crt
    tls cafile = /path/to/your.ca.crt

try installing the CA certificate in your Windows client. Alternatively you could get your DC certificate from Let's Encrypt, but I didn't test that yet.

Bye
--
Luca Olivetti
Tel. +34 935883004 Ext. 3010
https://wetron.es https://wecobots.com
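
A check for the situation described in the message above, added here as an example (it is not code from the thread or from the Samba project): it reads "tls certfile" and "tls cafile" from smb.conf and reports whether the DC certificate is self-signed or chains to the configured CA, which tells you which certificate the Windows client would have to trust. The function names and the generated sample PKI are constructed for illustration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed and that
# smb.conf spells the parameters exactly as in the message ("tls certfile", "tls cafile").

# smbconf_get FILE "param": value of the last "param = value" line (simple parse).
smbconf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# classify_cert CERT [CAFILE]: prints self-signed | signed-by-cafile | not-verified
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 2
    if [ "${subj#subject=}" = "${iss#issuer=}" ] &&
       openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo self-signed          # clients must trust this exact certificate
    elif [ -n "${2:-}" ] && openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo signed-by-cafile     # clients must trust the CA in CAFILE
    else
        echo not-verified         # certfile does not chain to cafile (or is expired)
    fi
}

# check_dc_tls SMBCONF: classify the certificate that smb.conf points at.
check_dc_tls() {
    classify_cert "$(smbconf_get "$1" "tls certfile")" "$(smbconf_get "$1" "tls cafile")"
}

# make_constructed_pki DIR: constructed sample data only (throwaway CA, a CA-signed
# DC certificate, a self-signed certificate, and an smb.conf using the page's keys).
make_constructed_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Local CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc1.example.test" \
        -keyout "$1/dc.key" -out "$1/dc.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/dc.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/dc.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dc2.example.test" \
        -keyout "$1/self.key" -out "$1/self.crt" 2>/dev/null &&
    printf '[global]\n\ttls enabled = yes\n\ttls keyfile = %s\n\ttls certfile = %s\n\ttls cafile = %s\n' \
        "$1/dc.key" "$1/dc.crt" "$1/ca.crt" > "$1/smb.conf"
}

# Usage: pass the path to smb.conf as the first argument.
if [ $# -gt 0 ]; then check_dc_tls "$1"; fi
```

A result of "not-verified" means the configured certfile does not validate against the configured cafile, so installing that CA on the client would not help until the two match.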