Rick Hollinbeck
2025-Mar-11 01:16 UTC
[Samba] Connection is now "unauthorized" to Samba from Windows 11 client
I've been trying to fix this problem connecting from a Windows 11 client
to Samba 4.11.13
I'm hoping for troubleshooting advice
or maybe this is a known problem with recent Windows updates?
The problem:
On w11 client, most services work just fine...
I can log into my AD account, access the network shares and the
internet, etc.
However, now, despite this, the Ethernet connection in Windows shows as
"(unauthorized)" and this prevents
Remote Desktop from working to this machine, for example.
Oddly, this client used to connect just fine to the same Samba server
and I could use Remote Desktop, for example, to access it.
The connection did not show as unauthorized.
But lately, as Windows updates occurred, the problem got worse,
but I was able to sometimes repeatedly disable and re-enable the network
interface to fix it.
I finally put another Ethernet network card in the machine to see if it
was a hardware problem.
But the connection using this new network card also showed
"unauthorized" and had the same problem,
so I reverted the network cable back to the original card.
Now, the connection ALWAYS shows "unauthorized".
I tried Resetting the Computer account in ADUC (from a Win10 client that
works), but it didn't help.
It seems to be related to PREAUTH failing in Samba.
Here is what I see in the log.samba file:
? Kerberos: Probing for AS-REQ
? Kerberos: Not a FAST request
? Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from
ipv4:192.168.0.166:55446 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
? Kerberos: Client sent patypes: 128
? Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=128
? Kerberos: Looking for PK-INIT(ietf) pa-data --
win11client$@REALM.DOMAIN.COM
? Kerberos: Looking for PK-INIT(win2k) pa-data --
win11client$@REALM.DOMAIN.COM
? Kerberos: Looking for ENC-TS pa-data -- win11client$@REALM.DOMAIN.COM
? Kerberos: Looking for GSS pa-data -- win11client$@REALM.DOMAIN.COM
? Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
? Kerberos: as-req: sending error: -1765328359 to client
? Kerberos: Making non-FAST KRB-ERROR
? Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.016224
? Kerberos: heim_audit_vaddkv(): kv pair[0]
e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
? Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.0.166:55446
win11client$@REALM.DOMAIN.COM krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
client-pa=128 e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
elapsed=0.016224
? stream_terminate_connection: Terminating connection -
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED'
? Kerberos: Probing for AS-REQ
? Kerberos: Not a FAST request
? Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from
ipv4:192.168.0.166:55447 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
? Kerberos: Client sent patypes: ENC-TS, 128
? Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=ENC-TS,128
? Kerberos: Looking for PK-INIT(ietf) pa-data --
win11client$@REALM.DOMAIN.COM
? Kerberos: Looking for PK-INIT(win2k) pa-data --
win11client$@REALM.DOMAIN.COM
? Kerberos: Looking for ENC-TS pa-data -- win11client$@REALM.DOMAIN.COM
? Kerberos: heim_audit_vaddkv(): kv pair[0] pa=ENC-TS
? Kerberos: Failed to decrypt PA-DATA -- win11client$@REALM.DOMAIN.COM
(enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed
for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
? Kerberos: heim_audit_setkv_number(): setting kv pair pa-etype=18
? Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=5
? descriptor_prepare_commit: changes: num_registrations=0
? descriptor_prepare_commit: changes: num_registered=0
? descriptor_prepare_commit: changes: num_toplevel=0
? descriptor_prepare_commit: changes: num_processed=0
? descriptor_prepare_commit: objects: num_processed=0
? descriptor_prepare_commit: objects: num_skipped=0
? Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[win11client$@REALM.DOMAIN.COM] at [Mon, 10 Mar 2025
16:03:32.592824 MDT] with [aes256-cts-hmac-sha1-96] status
[NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host
[ipv4:192.168.0.166:55447] mapped to [REALM]\[win11client$]. local host
[NULL]
? {"timestamp": "2025-03-10T16:03:32.593039-0600",
"type":
"Authentication", "Authentication": {"version":
{"major": 1, "minor":
2}, "eventId": 4625, "logonId":
"87fe363f495ddfd9", "logonType": 3,
"status": "NT_STATUS_WRONG_PASSWORD",
"localAddress": null,
"remoteAddress": "ipv4:192.168.0.166:55447",
"serviceDescription":
"Kerberos KDC", "authDescription": "ENC-TS
Pre-authentication",
"clientDomain": null, "clientAccount":
"win11client$@REALM.DOMAIN.COM",
"workstation": null, "becameAccount":
"win11client$", "becameDomain":
"REALM", "becameSid":
"S-1-5-21-3876585788-2465688680-3807591480-24615",
"mappedAccount": "win11client$", "mappedDomain":
"REALM",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"aes256-cts-hmac-sha1-96", "duration": 23540}}
? Kerberos: as-req: sending error: -1765328360 to client
? Kerberos: Making non-FAST KRB-ERROR
? Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.024250
? Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.0.166:55447
win11client$@REALM.DOMAIN.COM krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
pa=ENC-TS pa-etype=18 client-pa=ENC-TS,128 elapsed=0.024250
? stream_terminate_connection: Terminating connection -
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED'
Is there a known issue with recent Windows updates that might have
broken PREAUTH with Samba 4.11.13?
Thanks.
Rowland Penny
2025-Mar-11 09:05 UTC
[Samba] Connection is now "unauthorized" to Samba from Windows 11 client
On Mon, 10 Mar 2025 19:16:03 -0600 Rick Hollinbeck via samba <samba at lists.samba.org> wrote:> I've been trying to fix this problem connecting from a Windows 11 > client to Samba 4.11.13 > > I'm hoping for troubleshooting advice > or maybe this is a known problem with recent Windows updates? > > The problem: > > On w11 client, most services work just fine... > I can log into my AD account, access the network shares and the > internet, etc. > > However, now, despite this, the Ethernet connection in Windows shows > as "(unauthorized)" and this prevents > Remote Desktop from working to this machine, for example. > > Oddly, this client used to connect just fine to the same Samba server > and I could use Remote Desktop, for example, to access it. > The connection did not show as unauthorized. > > But lately, as Windows updates occurred, the problem got worse, > but I was able to sometimes repeatedly disable and re-enable the > network interface to fix it. > > I finally put another Ethernet network card in the machine to see if > it was a hardware problem. > > But the connection using this new network card also showed > "unauthorized" and had the same problem, > so I reverted the network cable back to the original card. > > Now, the connection ALWAYS shows "unauthorized". > > I tried Resetting the Computer account in ADUC (from a Win10 client > that works), but it didn't help. > > It seems to be related to PREAUTH failing in Samba. > > Here is what I see in the log.samba file: > > ? Kerberos: Probing for AS-REQ > ? Kerberos: Not a FAST request > ? Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from > ipv4:192.168.0.166:55446 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM > ? Kerberos: Client sent patypes: 128 > ? Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=128 > ? Kerberos: Looking for PK-INIT(ietf) pa-data -- > win11client$@REALM.DOMAIN.COM > ? Kerberos: Looking for PK-INIT(win2k) pa-data -- > win11client$@REALM.DOMAIN.COM > ? Kerberos: Looking for ENC-TS pa-data -- > win11client$@REALM.DOMAIN.COM Kerberos: Looking for GSS pa-data -- > win11client$@REALM.DOMAIN.COM Kerberos: Need to use > PA-ENC-TIMESTAMP/PA-PK-AS-REQ Kerberos: as-req: sending error: > -1765328359 to client Kerberos: Making non-FAST KRB-ERROR > ? Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.016224 > ? Kerberos: heim_audit_vaddkv(): kv pair[0] > e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ > ? Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.0.166:55446 > win11client$@REALM.DOMAIN.COM > krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM client-pa=128 > e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.016224 > ? stream_terminate_connection: Terminating connection - > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - > NT_STATUS_CONNECTION_DISCONNECTED' > ? Kerberos: Probing for AS-REQ > ? Kerberos: Not a FAST request > ? Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from > ipv4:192.168.0.166:55447 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM > ? Kerberos: Client sent patypes: ENC-TS, 128 > ? Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=ENC-TS,128 > ? Kerberos: Looking for PK-INIT(ietf) pa-data -- > win11client$@REALM.DOMAIN.COM > ? Kerberos: Looking for PK-INIT(win2k) pa-data -- > win11client$@REALM.DOMAIN.COM > ? Kerberos: Looking for ENC-TS pa-data -- > win11client$@REALM.DOMAIN.COM Kerberos: heim_audit_vaddkv(): kv > pair[0] pa=ENC-TS Kerberos: Failed to decrypt PA-DATA -- > win11client$@REALM.DOMAIN.COM (enctype aes256-cts-hmac-sha1-96) error > Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, > key type aes256-cts-hmac-sha1-96 Kerberos: heim_audit_setkv_number(): > setting kv pair pa-etype=18 Kerberos: heim_audit_setkv_number(): > setting kv pair #auth_event=5 descriptor_prepare_commit: changes: > num_registrations=0 descriptor_prepare_commit: changes: > num_registered=0 descriptor_prepare_commit: changes: num_toplevel=0 > ? descriptor_prepare_commit: changes: num_processed=0 > ? descriptor_prepare_commit: objects: num_processed=0 > ? descriptor_prepare_commit: objects: num_skipped=0 > ? Auth: [Kerberos KDC,ENC-TS Pre-authentication] user > [(null)]\[win11client$@REALM.DOMAIN.COM] at [Mon, 10 Mar 2025 > 16:03:32.592824 MDT] with [aes256-cts-hmac-sha1-96] status > [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host > [ipv4:192.168.0.166:55447] mapped to [REALM]\[win11client$]. local > host [NULL] > ? {"timestamp": "2025-03-10T16:03:32.593039-0600", "type": > "Authentication", "Authentication": {"version": {"major": 1, "minor": > 2}, "eventId": 4625, "logonId": "87fe363f495ddfd9", "logonType": 3, > "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": null, > "remoteAddress": "ipv4:192.168.0.166:55447", "serviceDescription": > "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", > "clientDomain": null, "clientAccount": > "win11client$@REALM.DOMAIN.COM", "workstation": null, > "becameAccount": "win11client$", "becameDomain": "REALM", > "becameSid": "S-1-5-21-3876585788-2465688680-3807591480-24615", > "mappedAccount": "win11client$", "mappedDomain": "REALM", > "netlogonComputer": null, "netlogonTrustAccount": null, > "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": > 0, "netlogonTrustAccountSid": null, "passwordType": > "aes256-cts-hmac-sha1-96", "duration": 23540}} Kerberos: as-req: > sending error: -1765328360 to client Kerberos: Making non-FAST > KRB-ERROR Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.024250 > ? Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.0.166:55447 > win11client$@REALM.DOMAIN.COM > krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM pa=ENC-TS pa-etype=18 > client-pa=ENC-TS,128 elapsed=0.024250 stream_terminate_connection: > Terminating connection - 'kdc_tcp_call_loop: > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' > > Is there a known issue with recent Windows updates that might have > broken PREAUTH with Samba 4.11.13?There have been quite a few Windows updates that have caused problems with Samba, most, if not all, have been fixed, just not in your very old version, it went EOL 4 years ago. I suggest you upgrade to a much more recent version of Samba, the newer the better. Rowland