Luca Olivetti
2025-Feb-13 21:19 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 13/2/25 at 19:43, Kacper Wirski via samba wrote:
> I just want to add that this week I introduced first windows 11 24h2 to
> AD - everything up to 23h2 is working fine - but windows 11 24h2 has
> some strange kerberos-related issues.
>
> I added pc to domain successfully and can log in, but I can't access
> sysvol and netlogon and gpupdate fails. Automatic DNS update from the
> workstation fails with insufficient rights (running bind on samba ad dc)
> and one of my applications that uses kerberos to access ms sql database
> also fails, so everything points to some kerberos feature/change.

The problem could be the certificate of the samba dc, if it's self-signed or signed by a local certificate authority.
If you have in smb.conf

  tls enabled = yes
  tls keyfile = /path/to/your.dc.key
  tls certfile = /path/to/your.dc.crt
  tls cafile = /path/to/your.ca.crt

try installing the ca certificate in your windows client.
Alternatively you could get your dc certificate from letsencrypt but I didn't test that yet.

Bye
-- 
Luca Olivetti
Tel. +34 935883004 Ext. 3010
https://wetron.es
https://wecobots.com
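As an added example (not code from the thread or from the Samba project), the following script checks that the `tls certfile` and `tls cafile` named in smb.conf actually form a valid chain and that the DC presents that chain on LDAPS, which is what a Windows client with the CA in its Root store will verify. It assumes openssl is installed; the smb.conf path, hostname and port 636 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the "tls ..." settings in
# smb.conf before distributing the CA certificate to Windows clients.
# Assumes openssl is installed; paths, hostnames and the LDAPS port are assumptions.

# Print the value of one smb.conf key (case-insensitive, spaces around '=' allowed).
smbconf_get() {
    awk -v key="$1" '
        tolower($0) ~ ("^[[:space:]]*" tolower(key) "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$2"
}

# Constructed sample smb.conf (not a real configuration) so the parser can run offline.
sample_conf() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
[global]
    realm = EXAMPLE.INTERNAL
    tls enabled = yes
    TLS keyfile  = /etc/samba/tls/dc.key
    tls certfile = /etc/samba/tls/dc.crt
    tls cafile   = /etc/samba/tls/ca.crt
[netlogon]
    path = /var/lib/samba/sysvol/example.internal/scripts
EOF
    echo "$_f"
}

# The DC certificate must verify against the configured CA; otherwise clients that
# trust the CA will still reject the DC's certificate.
verify_chain() {
    ca=$(smbconf_get "tls cafile" "$1"); crt=$(smbconf_get "tls certfile" "$1")
    [ "$(smbconf_get "tls enabled" "$1")" = "yes" ] || { echo "tls enabled is not yes"; return 1; }
    openssl verify -CAfile "$ca" "$crt"
}

# Connect to the DC's LDAPS port and validate the presented chain against the same
# CA file, mirroring what a Windows client with that CA in its Root store does.
check_ldaps() {
    printf 'Q\n' | openssl s_client -connect "$1:636" -servername "$1" \
        -CAfile "$2" -verify_return_error >/dev/null 2>&1
}

# Usage: sh check_dc_tls.sh /etc/samba/smb.conf dc1.example.internal
if [ $# -eq 2 ]; then
    verify_chain "$1" && check_ldaps "$2" "$(smbconf_get "tls cafile" "$1")" && echo "TLS chain OK"
fi
```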
Kacper Wirski
2025-Feb-13 21:53 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
It's definitely not that, I'm running local PKI and CA is distributed to all stations, new win 11 24h2 has the root CA in the proper store (one of the things I double checked), and samba ad dc servers use certificates issued by this CA.

Do you have windows 11 24h2 in samba ad with no issues? Which samba version are you running?

Regards,
Kacper

On 13.02.2025 at 22:19, Luca Olivetti via samba wrote:
> On 13/2/25 at 19:43, Kacper Wirski via samba wrote:
>
>> I just want to add that this week I introduced first windows 11 24h2
>> to AD - everything up to 23h2 is working fine - but windows 11 24h2
>> has some strange kerberos-related issues.
>>
>> I added pc to domain successfully and can log in, but I can't access
>> sysvol and netlogon and gpupdate fails. Automatic DNS update from the
>> workstation fails with insufficient rights (running bind on samba ad
>> dc) and one of my applications that uses kerberos to access ms sql
>> database also fails, so everything points to some kerberos
>> feature/change.
>
>
> The problem could be the certificate of the samba dc, if it's
> self-signed or signed by a local certificate authority.
> If you have in smb.conf
>
>   tls enabled = yes
>   tls keyfile = /path/to/your.dc.key
>   tls certfile = /path/to/your.dc.crt
>   tls cafile = /path/to/your.ca.crt
>
>
> try installing the ca certificate in your windows client.
> Alternatively you could get your dc certificate from letsencrypt but I
> didn't test that yet.
>
> Bye