On 25.10.2021 at 13:51, cn--- via samba wrote:
> On 25.10.21 at 13:47, Achim Gottinger via samba wrote:
>>
>>
>> On 25.10.2021 at 11:14, L.P.H. van Belle via samba wrote:
>>>> Hello Christian and Louis,
>>>>
>>>> I assume both of you use domain accounts for testing.
>>> Yes, that is correct.
>>>
>>>> Does printing and connecting new printers also work with local non
>>>> domain accounts?
>>> I don't have any "none domain" accounts here.
>>>
>>>> Here this (local account printing) works
>>>> with Windows 11 but not with Windows 10 LTSC ( I assume
>>>> windows server 2019 will be affected as well). I did not
>>>> release the October update on our WSUS servers here, but last
>>>> Friday a work colleague called because he could no longer
>>>> print to the office from his home office pc (Windows 10 Pro,
>>>> local account). Afterwards I started testing and posted
>>>> results here a few days ago for comparison.
>>> I do have 2 windows 11 pc's currently these also work as far i know.
>>> I'll let that user print some for me.
>>> All windows 10 versions i have running are 2004 or up.
>>>
>> Thank you for the reply.
>> For sake of completeness I tried it with Windows Server 2019 Version 1809 Update 2021-10 installed.
>> Again no issues with domain accounts but with a local administrator if I try to connect a printer a credential window pops up and after entering domain credentials again a dialog pops up saying
>> the account is not allowed to install/access this printer.
>> So only Windows 11 seems to work with local accounts. The colleague first having the problem here uses Windows 10 21H2.
>>
>> This is the log (level 2) with when I connect to a printer (debian stretch samba 4.10) from server 2019 logged in with a domain account. Seems to be all kerberos here.
>>
>> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.715406,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>> Okt 25 11:39:57 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.715385 UTC] Remote host [ipv4:192....:50475]
>> local host [ipv4:192....:445]
>> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.814763,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>> Okt 25 11:39:57 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.814742 UTC] Remote host [ipv4:192....:50475]
>> local host [ipv4:192....:445]
>> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.914702,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>> Okt 25 11:39:57 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.914680 UTC] Remote host [ipv4:192....:50475]
>> local host [ipv4:192....:445]
>> Okt 25 11:39:58 ad-test smbd[57830]: [2021/10/25 11:39:58.020295,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>> Okt 25 11:39:58 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:58.020273 UTC] Remote host [ipv4:192....:50475]
>> local host [ipv4:192....:445]
>>
>> Same test environment local account not working printer connect attempt:
>>
>> Okt 25 11:43:16 ad-test smbd[57852]: [2021/10/25 11:43:16.553308,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>> Okt 25 11:43:16 ad-test smbd[57852]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.553281 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
>> [S2019-TEST] remote host [ipv4:192....:59221] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445]
>> Okt 25 11:43:16 ad-test smbd[57853]: [2021/10/25 11:43:16.648050,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>> Okt 25 11:43:16 ad-test smbd[57853]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.648022 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
>> [S2019-TEST] remote host [ipv4:192....:59222] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445]
>> Okt 25 11:43:16 ad-test smbd[57854]: [2021/10/25 11:43:16.683346,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>> Okt 25 11:43:16 ad-test smbd[57854]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.683315 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
>> [S2019-TEST] remote host [ipv4:192....:59223] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445]
>
> Which points to the fact that Rowland mentioned. The computers try to use NTLM which fails for non Domain computers?! Or am I wrong here?
>
> Here a Link I have found which talks about the NTLM Problem.
>
> https://borncity.com/win/2021/10/19/microsoft-besttigt-windows-netzwerkdruckproblem-nach-oktober-2021-updates/
>
Indeed, which raises the question can kerberos be used with local account?
Quick web search showed there is a kinit utility coming with Sun/Oracle Java JDK.
I can kinit successfully, klist shows a valid ticket but if I connect to the samba server I'm asked for credentials again. Log shows failed NTLMv2 password.
Same with heimdal kerberos client and secure endpoints network identity manager.

On 25.10.21 at 16:03, Achim Gottinger via samba wrote:
> Indeed, which raises the question can kerberos be used with local account?
> Quick web search showed there is a kinit utility coming with Sun/Oracle Java JDK.
> I can kinit successfully, klist shows a valid ticket but if I connect to the samba server I'm asked for credentials again. Log shows failed NTLMv2 password.
> Same with heimdal kerberos client and secure endpoints network identity manager.

As far as I understood it. Non Domain joined clients can connect to resources on the Domain if you connect using domainuser credentials. However, NTLM not Kerberos is used then. If you block NTLM then non Domain joined clients will stop to work. This all seems related...

As for Kerberos. I use non domain joined client (Linux though) where I just configured the krb5.conf and I can then "kinit" and use my domain credentials to connect to server using krb auth with ssh. I haven't tried with windows.

Regards

Christian

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen

On Mon, 2021-10-25 at 16:03 +0200, Achim Gottinger via samba wrote:
>
> On 25.10.2021 at 13:51, cn--- via samba wrote:
> > On 25.10.21 at 13:47, Achim Gottinger via samba wrote:
> > >
> > > On 25.10.2021 at 11:14, L.P.H. van Belle via samba wrote:
> > > > > Hello Christian and Louis,
> > > > >
> > > > > I assume both of you use domain accounts for testing.
> > > > Yes, that is correct.
> > > >
> > > > > Does printing and connecting new printers also work with
> > > > > local non
> > > > > domain accounts?
> > > > I don't have any "none domain" accounts here.
> > > >
> > > > > Here this (local account printing) works
> > > > > with Windows 11 but not with Windows 10 LTSC ( I assume
> > > > > windows server 2019 will be affected as well). I did not
> > > > > release the October update on our WSUS servers here, but last
> > > > > Friday a work colleague called because he could no longer
> > > > > print to the office from his home office pc (Windows 10 Pro,
> > > > > local account). Afterwards I started testing and posted
> > > > > results here a few days ago for comparison.
> > > > I do have 2 windows 11 pc's currently these also work as far i
> > > > know.
> > > > I'll let that user print some for me.
> > > > All windows 10 versions i have running are 2004 or up.
> > > >
> > > Thank you for the reply.
> > > For sake of completeness I tried it with Windows Server 2019
> > > Version 1809 Update 2021-10 installed.
> > > Again no issues with domain accounts but with a local
> > > administrator if I try to connect a printer a credential window
> > > pops up and after entering domain credentials again a dialog
> > > pops up saying
> > > the account is not allowed to install/access this printer.
> > > So only Windows 11 seems to work with local accounts. The
> > > colleague first having the problem here uses Windows 10 21H2.
> > >
> > > This is the log (level 2) with when I connect to a printer
> > > (debian stretch samba 4.10) from server 2019 logged in with a
> > > domain account. Seems to be all kerberos here.
> > >
> > > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25
> > > 11:39:57.715406, 4]
> > > ../../auth/auth_log.c:751(log_successful_authz_event_human_readab
> > > le)
> > > Okt 25 11:39:57 ad-test smbd[57830]: Successful AuthZ:
> > > [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500]
> > > at [Mo, 25 Okt 2021 11:39:57.715385 UTC] Remote host
> > > [ipv4:192....:50475]
> > > local host [ipv4:192....:445]
> > > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25
> > > 11:39:57.814763, 4]
> > > ../../auth/auth_log.c:751(log_successful_authz_event_human_readab
> > > le)
> > > Okt 25 11:39:57 ad-test smbd[57830]: Successful AuthZ:
> > > [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500]
> > > at [Mo, 25 Okt 2021 11:39:57.814742 UTC] Remote host
> > > [ipv4:192....:50475]
> > > local host [ipv4:192....:445]
> > > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25
> > > 11:39:57.914702, 4]
> > > ../../auth/auth_log.c:751(log_successful_authz_event_human_readab
> > > le)
> > > Okt 25 11:39:57 ad-test smbd[57830]: Successful AuthZ:
> > > [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500]
> > > at [Mo, 25 Okt 2021 11:39:57.914680 UTC] Remote host
> > > [ipv4:192....:50475]
> > > local host [ipv4:192....:445]
> > > Okt 25 11:39:58 ad-test smbd[57830]: [2021/10/25
> > > 11:39:58.020295, 4]
> > > ../../auth/auth_log.c:751(log_successful_authz_event_human_readab
> > > le)
> > > Okt 25 11:39:58 ad-test smbd[57830]: Successful AuthZ:
> > > [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500]
> > > at [Mo, 25 Okt 2021 11:39:58.020273 UTC] Remote host
> > > [ipv4:192....:50475]
> > > local host [ipv4:192....:445]
> > >
> > > Same test environment local account not working printer connect
> > > attempt:
> > >
> > > Okt 25 11:43:16 ad-test smbd[57852]: [2021/10/25
> > > 11:43:16.553308, 2]
> > > ../../auth/auth_log.c:647(log_authentication_event_human_readable
> > > )
> > > Okt 25 11:43:16 ad-test smbd[57852]: Auth: [SMB2,NTLMSSP] user
> > > [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.553281
> > > UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
> > > [S2019-TEST] remote host [ipv4:192....:59221] mapped to [S2019-
> > > TEST]\[Administrator]. local host [ipv4:192....:445]
> > > Okt 25 11:43:16 ad-test smbd[57853]: [2021/10/25
> > > 11:43:16.648050, 2]
> > > ../../auth/auth_log.c:647(log_authentication_event_human_readable
> > > )
> > > Okt 25 11:43:16 ad-test smbd[57853]: Auth: [SMB2,NTLMSSP] user
> > > [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.648022
> > > UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
> > > [S2019-TEST] remote host [ipv4:192....:59222] mapped to [S2019-
> > > TEST]\[Administrator]. local host [ipv4:192....:445]
> > > Okt 25 11:43:16 ad-test smbd[57854]: [2021/10/25
> > > 11:43:16.683346, 2]
> > > ../../auth/auth_log.c:647(log_authentication_event_human_readable
> > > )
> > > Okt 25 11:43:16 ad-test smbd[57854]: Auth: [SMB2,NTLMSSP] user
> > > [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.683315
> > > UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
> > > [S2019-TEST] remote host [ipv4:192....:59223] mapped to [S2019-
> > > TEST]\[Administrator]. local host [ipv4:192....:445]
> >
> > Which points to the fact that Rowland mentioned. The computers try
> > to use NTLM which fails for non Domain computers?! Or am I wrong
> > here?
> >
> > Here a Link I have found which talks about the NTLM Problem.
> >
> > https://borncity.com/win/2021/10/19/microsoft-besttigt-windows-netzwerkdruckproblem-nach-oktober-2021-updates/
> >
>
> Indeed, which raises the question can kerberos be used with local
> account?

This all depends what you mean by 'local account' if you mean an account that is in /etc/passwd, then, no it will not work, because the user would be unknown to AD and hence, kerberos.

Rowland
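
The two log excerpts quoted in this thread differ in a way that can be checked mechanically: the failing attempts are NTLMSSP logons whose domain field equals the client's workstation name. The following Python script is an added example, not part of any message in the thread and not Samba code; it parses the human-readable auth_log format shown above and flags that pattern. The function name `classify`, the heuristic "domain equals workstation means a machine-local account", and the sample lines (constructed, with documentation placeholder addresses) are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log format quoted in the thread;
# the addresses and the [TEST]\[alice] entry are placeholders, not thread data.
SAMPLE_LOG = r"""
Okt 25 11:39:57 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.715385 UTC] Remote host [ipv4:192.0.2.10:50475] local host [ipv4:192.0.2.1:445]
Okt 25 11:43:16 ad-test smbd[57852]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.553281 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [S2019-TEST] remote host [ipv4:192.0.2.10:59221] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192.0.2.1:445]
Okt 25 11:43:16 ad-test smbd[57853]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.648022 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [S2019-TEST] remote host [ipv4:192.0.2.10:59222] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192.0.2.1:445]
Okt 25 11:50:02 ad-test smbd[57901]:   Auth: [SMB2,NTLMSSP] user [TEST]\[alice] at [Mo, 25 Okt 2021 11:50:02.100000 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [LAPTOP7] remote host [ipv4:192.0.2.20:60111] mapped to [TEST]\[alice]. local host [ipv4:192.0.2.1:445]
"""

# Password-authentication event (auth_log.c, log_authentication_event_human_readable).
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<mech>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] "
    r"at \[[^\]]*\] with \[(?P<pwtype>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)
# Authorization event (log_successful_authz_event_human_readable).
AUTHZ_RE = re.compile(
    r"Successful AuthZ: \[(?P<service>[^,\]]+),(?P<transport>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\]"
)

def classify(log_text):
    """Return (findings, counts) for one block of smbd auth log text."""
    findings, counts = [], Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            who = f"{m['domain']}\\{m['account']}"
            counts[("auth", who, m["status"])] += 1
            # Assumed heuristic: domain field == workstation name means the
            # client presented an account from its own local SAM.
            local = m["domain"].lower() == m["workstation"].lower()
            if m["mech"] == "NTLMSSP" and m["status"] != "NT_STATUS_OK" and local:
                # Drop the source port so repeated attempts group by host.
                findings.append((who, m["remote"].rsplit(":", 1)[0], m["status"]))
            continue
        m = AUTHZ_RE.search(line)
        if m:
            counts[("authz", f"{m['domain']}\\{m['account']}", "ok")] += 1
    return findings, counts
```

Log text that has been hard-wrapped by a mail client, as in the quoted copies above, must be rejoined into one line per event before it is passed to `classify`.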