Am 25.10.21 um 13:47 schrieb Achim Gottinger via samba:> > > Am 25.10.2021 um 11:14 schrieb L.P.H. van Belle via samba: >>> Hello Christian and Louis, >>> >>> I assume both of you use domain accounts for testing. >> Yes, that is correct. >> >>> Does printing and connecting new printers also work with local non >>> domain accounts? >> I dont have any "none domain" accounts here. >> >>> Here this (local account printing) works >>> with Windows 11 but not with Windows 10 LTSC ( I assume >>> windows server 2019 will be affected as well). I did not >>> release the Oktober Update on our WSUS servers here, but last >>> Friday an work colleague called because he could no longer >>> print to the office from his home office pc (Windows 10 Pro, >>> local account). Afterwards I started testing and posted >>> results here a few days ago for comparison. >> I do have 2 windows 11 pc's currenlty these also work as far i know. >> I'll let that user print some for me. >> All windows 10 versions i have running are 2004 or up. >> > Thank you for the reply. > For sake of completeness I tried it with Windows Server 2019 Version 1809 Update 2021-10 installed. > Again no issues with domain accounts but with an local administrator if i try to connect an printer an credential window pops up and after entering domain credentials again an dialog pops up saying > the account is not allowed to install/access this printer. > So only Windows 11 seems to work with local accounts. The collegue first having the problem here uses? Windows 10 21H2. > > This is the log (level 2) with when I connect to a printer (debian stretch samba 4.10) from server 2019 logged in with an domain account. Seems to be all kerberos here. > > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.715406,? 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) > Okt 25 11:39:57 ad-test smbd[57830]:?? Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.715385 UTC] Remote host [ipv4:192....:50475] > local host [ipv4:192....:445] > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.814763,? 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) > Okt 25 11:39:57 ad-test smbd[57830]:?? Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.814742 UTC] Remote host [ipv4:192....:50475] > local host [ipv4:192....:445] > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.914702,? 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) > Okt 25 11:39:57 ad-test smbd[57830]:?? Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.914680 UTC] Remote host [ipv4:192....:50475] > local host [ipv4:192....:445] > Okt 25 11:39:58 ad-test smbd[57830]: [2021/10/25 11:39:58.020295,? 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) > Okt 25 11:39:58 ad-test smbd[57830]:?? Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:58.020273 UTC] Remote host [ipv4:192....:50475] > local host [ipv4:192....:445] > > Same test environment local account not working printer connect attempt: > > Okt 25 11:43:16 ad-test smbd[57852]: [2021/10/25 11:43:16.553308,? 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable) > Okt 25 11:43:16 ad-test smbd[57852]:?? Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.553281 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation > [S2019-TEST] remote host [ipv4:192....:59221] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445] > Okt 25 11:43:16 ad-test smbd[57853]: [2021/10/25 11:43:16.648050,? 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable) > Okt 25 11:43:16 ad-test smbd[57853]:?? Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.648022 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation > [S2019-TEST] remote host [ipv4:192....:59222] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445] > Okt 25 11:43:16 ad-test smbd[57854]: [2021/10/25 11:43:16.683346,? 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable) > Okt 25 11:43:16 ad-test smbd[57854]:?? Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.683315 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation > [S2019-TEST] remote host [ipv4:192....:59223] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445]Which points to the fact that Rowland mentioned. The computers try to use NTLM which fails for non Domain computers?! Or am I wrong here? Here a Link I have found which talks about the NTLM Problem. https://borncity.com/win/2021/10/19/microsoft-besttigt-windows-netzwerkdruckproblem-nach-oktober-2021-updates/ -- Dr. Christian Naumer Vice President Unit Head Bioprocess Development BRAIN Biotech AG Darmstaedter Str. 34-36, D-64673 Zwingenberg e-mail cn at brain-biotech.com, homepage www.brain-biotech.com phone +49-6251-9331-30 / fax +49-6251-9331-11 Sitz der Gesellschaft: Zwingenberg/Bergstrasse Registergericht AG Darmstadt, HRB 24758 Vorstand: Adriaan Moelker (Vorstandsvorsitzender), Lukas Linnig Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
Am 25.10.2021 um 13:51 schrieb cn--- via samba:> Am 25.10.21 um 13:47 schrieb Achim Gottinger via samba: >> >> >> Am 25.10.2021 um 11:14 schrieb L.P.H. van Belle via samba: >>>> Hello Christian and Louis, >>>> >>>> I assume both of you use domain accounts for testing. >>> Yes, that is correct. >>> >>>> Does? printing and connecting new printers also work with local non >>>> domain accounts? >>> I dont have any "none domain" accounts here. >>> >>>> Here this (local account printing) works >>>> with Windows 11 but not with Windows 10 LTSC ( I assume >>>> windows server 2019 will be affected as well). I did not >>>> release the Oktober Update on our WSUS servers here, but last >>>> Friday an work colleague called because he could no longer >>>> print to the office from his home office pc (Windows 10 Pro, >>>> local account). Afterwards I started testing and posted >>>> results here a few days ago for comparison. >>> I do have 2 windows 11 pc's currenlty these also work as far i know. >>> I'll let that user print some for me. >>> All windows 10 versions i have running are 2004 or up. >>> >> Thank you for the reply. >> For sake of completeness I tried it with Windows Server 2019 Version 1809 Update 2021-10 installed. >> Again no issues with domain accounts but with an local administrator if i try to connect an printer an credential window pops up and after entering domain credentials again an dialog pops up saying >> the account is not allowed to install/access this printer. >> So only Windows 11 seems to work with local accounts. The collegue first having the problem here uses? Windows 10 21H2. >> >> This is the log (level 2) with when I connect to a printer (debian stretch samba 4.10) from server 2019 logged in with an domain account. Seems to be all kerberos here. >> >> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.715406,? 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) >> Okt 25 11:39:57 ad-test smbd[57830]:?? Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.715385 UTC] Remote host [ipv4:192....:50475] >> local host [ipv4:192....:445] >> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.814763,? 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) >> Okt 25 11:39:57 ad-test smbd[57830]:?? Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.814742 UTC] Remote host [ipv4:192....:50475] >> local host [ipv4:192....:445] >> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.914702,? 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) >> Okt 25 11:39:57 ad-test smbd[57830]:?? Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.914680 UTC] Remote host [ipv4:192....:50475] >> local host [ipv4:192....:445] >> Okt 25 11:39:58 ad-test smbd[57830]: [2021/10/25 11:39:58.020295,? 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) >> Okt 25 11:39:58 ad-test smbd[57830]:?? Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:58.020273 UTC] Remote host [ipv4:192....:50475] >> local host [ipv4:192....:445] >> >> Same test environment local account not working printer connect attempt: >> >> Okt 25 11:43:16 ad-test smbd[57852]: [2021/10/25 11:43:16.553308,? 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable) >> Okt 25 11:43:16 ad-test smbd[57852]:?? Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.553281 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation >> [S2019-TEST] remote host [ipv4:192....:59221] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445] >> Okt 25 11:43:16 ad-test smbd[57853]: [2021/10/25 11:43:16.648050,? 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable) >> Okt 25 11:43:16 ad-test smbd[57853]:?? Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.648022 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation >> [S2019-TEST] remote host [ipv4:192....:59222] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445] >> Okt 25 11:43:16 ad-test smbd[57854]: [2021/10/25 11:43:16.683346,? 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable) >> Okt 25 11:43:16 ad-test smbd[57854]:?? Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.683315 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation >> [S2019-TEST] remote host [ipv4:192....:59223] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445] > > Which points to the fact that Rowland mentioned. The computers try to use NTLM which fails for non Domain computers?! Or am I wrong here? > > Here a Link I have found which talks about the NTLM Problem. > > https://borncity.com/win/2021/10/19/microsoft-besttigt-windows-netzwerkdruckproblem-nach-oktober-2021-updates/ >Indeed, which raises the quetion can kerberos be used with local account? Quick web search showed there is an kinit Utility coming with Sun/Oracle Java JDK. I can kinit successfull klists shows a valid ticket but if I connect to the samba server I'm asked for credentials again. Log shows failed NTLMv2 password. Same with heimdal kerberos client and secure endpoints network identity manager.