Kacper Wirski
2025-Feb-13 21:53 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
It's definitely not that, I'm running local PKI and the CA is distributed to all stations, the new win 11 24h2 has the root CA in the proper store (one of the things I double checked), and samba ad dc servers use certificates issued by this CA.

Do you have windows 11 24h2 in samba ad with no issues? Which samba version are you running?

Regards,
Kacper

On 13.02.2025 at 22:19, Luca Olivetti via samba wrote:
> On 13/2/25 at 19:43, Kacper Wirski via samba wrote:
>
>> I just want to add, that this week I introduced first windows 11 24h2
>> to AD - everything up to 23h2 is working fine - but windows 11 24h2
>> has some strange kerberos-related issues.
>>
>> I added pc to domain successfully and can log in, but I can't access
>> sysvol and netlogon and gpupdate fails. Automatic DNS update from the
>> workstation fails with insufficient rights (running bind on samba ad
>> dc) and one of my applications that uses kerberos to access ms sql
>> database also fails, so everything points to some kerberos
>> feature/change.
>
>
> The problem could be the certificate of the samba dc, if it's
> self-signed or signed by a local certificate authority.
> If you have in smb.conf
>
>   tls enabled = yes
>   tls keyfile = /path/to/your.dc.key
>   tls certfile = /path/to/your.dc.crt
>   tls cafile = /path/to/your.ca.crt
>
>
> try installing the ca certificate in your windows client.
> Alternatively you could get your dc certificate from letsencrypt but I
> didn't test that yet.
>
> Bye
>
Luca Olivetti
2025-Feb-14 07:36 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 13/2/25 at 22:53, Kacper Wirski via samba wrote:
> It's definitely not that, I'm running local PKI and the CA is distributed to
> all stations, the new win 11 24h2 has the root CA in the proper store (one of
> the things I double checked), and samba ad dc servers use certificates
> issued by this CA.
>
> Do you have windows 11 24h2 in samba ad with no issues? Which samba
> version are you running?

We had the same issues you reported (no access to sysvol, GPOs not applied) and installing the ca certificate on a test client seemed to solve it, however I'm not sure it was just a fluke or it really solved the problem (somebody else is dealing with it).

Bye
--
Luca Olivetti
Tel. +34 935883004 Ext. 3010
https://wetron.es
https://wecobots.com