On Mon, 2021-10-25 at 16:03 +0200, Achim Gottinger via samba
wrote:>
> Am 25.10.2021 um 13:51 schrieb cn--- via samba:
> > Am 25.10.21 um 13:47 schrieb Achim Gottinger via samba:
> > >
> > > Am 25.10.2021 um 11:14 schrieb L.P.H. van Belle via samba:
> > > > > Hello Christian and Louis,
> > > > >
> > > > > I assume both of you use domain accounts for testing.
> > > > Yes, that is correct.
> > > >
> > > > > Does printing and connecting new printers also work
with
> > > > > local non
> > > > > domain accounts?
> > > > I dont have any "none domain" accounts here.
> > > >
> > > > > Here this (local account printing) works
> > > > > with Windows 11 but not with Windows 10 LTSC ( I assume
> > > > > windows server 2019 will be affected as well). I did
not
> > > > > release the Oktober Update on our WSUS servers here,
but last
> > > > > Friday an work colleague called because he could no
longer
> > > > > print to the office from his home office pc (Windows 10
Pro,
> > > > > local account). Afterwards I started testing and posted
> > > > > results here a few days ago for comparison.
> > > > I do have 2 windows 11 pc's currenlty these also work as
far i
> > > > know.
> > > > I'll let that user print some for me.
> > > > All windows 10 versions i have running are 2004 or up.
> > > >
> > > Thank you for the reply.
> > > For sake of completeness I tried it with Windows Server 2019
> > > Version 1809 Update 2021-10 installed.
> > > Again no issues with domain accounts but with an local
> > > administrator if i try to connect an printer an credential window
> > > pops up and after entering domain credentials again an dialog
> > > pops up saying
> > > the account is not allowed to install/access this printer.
> > > So only Windows 11 seems to work with local accounts. The
> > > collegue first having the problem here uses Windows 10 21H2.
> > >
> > > This is the log (level 2) with when I connect to a printer
> > > (debian stretch samba 4.10) from server 2019 logged in with an
> > > domain account. Seems to be all kerberos here.
> > >
> > > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25
> > > 11:39:57.715406, 4]
> > > ../../auth/auth_log.c:751(log_successful_authz_event_human_readab
> > > le)
> > > Okt 25 11:39:57 ad-test smbd[57830]: Successful AuthZ:
> > > [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500]
> > > at [Mo, 25 Okt 2021 11:39:57.715385 UTC] Remote host
> > > [ipv4:192....:50475]
> > > local host [ipv4:192....:445]
> > > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25
> > > 11:39:57.814763, 4]
> > > ../../auth/auth_log.c:751(log_successful_authz_event_human_readab
> > > le)
> > > Okt 25 11:39:57 ad-test smbd[57830]: Successful AuthZ:
> > > [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500]
> > > at [Mo, 25 Okt 2021 11:39:57.814742 UTC] Remote host
> > > [ipv4:192....:50475]
> > > local host [ipv4:192....:445]
> > > Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25
> > > 11:39:57.914702, 4]
> > > ../../auth/auth_log.c:751(log_successful_authz_event_human_readab
> > > le)
> > > Okt 25 11:39:57 ad-test smbd[57830]: Successful AuthZ:
> > > [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500]
> > > at [Mo, 25 Okt 2021 11:39:57.914680 UTC] Remote host
> > > [ipv4:192....:50475]
> > > local host [ipv4:192....:445]
> > > Okt 25 11:39:58 ad-test smbd[57830]: [2021/10/25
> > > 11:39:58.020295, 4]
> > > ../../auth/auth_log.c:751(log_successful_authz_event_human_readab
> > > le)
> > > Okt 25 11:39:58 ad-test smbd[57830]: Successful AuthZ:
> > > [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500]
> > > at [Mo, 25 Okt 2021 11:39:58.020273 UTC] Remote host
> > > [ipv4:192....:50475]
> > > local host [ipv4:192....:445]
> > >
> > > Same test environment local account not working printer connect
> > > attempt:
> > >
> > > Okt 25 11:43:16 ad-test smbd[57852]: [2021/10/25
> > > 11:43:16.553308, 2]
> > > ../../auth/auth_log.c:647(log_authentication_event_human_readable
> > > )
> > > Okt 25 11:43:16 ad-test smbd[57852]: Auth: [SMB2,NTLMSSP] user
> > > [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.553281
> > > UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
> > > [S2019-TEST] remote host [ipv4:192....:59221] mapped to [S2019-
> > > TEST]\[Administrator]. local host [ipv4:192....:445]
> > > Okt 25 11:43:16 ad-test smbd[57853]: [2021/10/25
> > > 11:43:16.648050, 2]
> > > ../../auth/auth_log.c:647(log_authentication_event_human_readable
> > > )
> > > Okt 25 11:43:16 ad-test smbd[57853]: Auth: [SMB2,NTLMSSP] user
> > > [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.648022
> > > UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
> > > [S2019-TEST] remote host [ipv4:192....:59222] mapped to [S2019-
> > > TEST]\[Administrator]. local host [ipv4:192....:445]
> > > Okt 25 11:43:16 ad-test smbd[57854]: [2021/10/25
> > > 11:43:16.683346, 2]
> > > ../../auth/auth_log.c:647(log_authentication_event_human_readable
> > > )
> > > Okt 25 11:43:16 ad-test smbd[57854]: Auth: [SMB2,NTLMSSP] user
> > > [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.683315
> > > UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
> > > [S2019-TEST] remote host [ipv4:192....:59223] mapped to [S2019-
> > > TEST]\[Administrator]. local host [ipv4:192....:445]
> >
> > Which points to the fact that Rowland mentioned. The computers try
> > to use NTLM which fails for non Domain computers?! Or am I wrong
> > here?
> >
> > Here a Link I have found which talks about the NTLM Problem.
> >
> >
https://borncity.com/win/2021/10/19/microsoft-besttigt-windows-netzwerkdruckproblem-nach-oktober-2021-updates/
> >
>
> Indeed, which raises the quetion can kerberos be used with local
> account?
This all depends what you mean by 'local account' if you mean an
account that is in /etc/passwd, then, no it will not work, because the
user would be unknown to AD and hence, kerberos.
Rowland