I have a pristine Samba AD DC installed (Samba 4.15 in Rocky Linux 8.5). I have joined a Windows 10 client without any problems. After restarting, I try to login with a test user (the only user aside from the administrator), and it keeps saying "Username or password is incorrect" (maybe this is not the exact translation, as the language is Spanish). Moreover, I am almost sure that the password is the right one, as I have tested it with kinit in the Samba AD DC server. I have also tested with the administrator user with the same results. It seems to me that Windows doesn't even try to contact Samba AD DC, as the message is displayed very fast (and no useful information is logged in Samba AD DC).

So, before entering in more technical details, is there a way to debug the problem from the Windows client? I don't really know where to look for related logs.

JFTR: in previous tests, with another Samba AD DC server but installed in the same way and with the same versions, I had the same issue with a Windows 7 client, and a Windows 10 client. The strange thing is that, the very first time that I joined the Windows 7 client it works, but only for that day.

Any help is appreciated. Thanks very much.

On Wed, 2021-11-24 at 12:20 -0300, tizo via samba wrote:
> I have a pristine Samba AD DC installed (Samba 4.15 in Rocky Linux
> 8.5).

Where did you get the Samba packages from? Out of the box the OS Samba packages cannot provision an AD domain.

How did you provision the domain?

Does the DC use itself as nameserver (and not 127.0.0.1)?

What is in /etc/krb5.conf?

What is in your smb.conf?

Rowland

Which version of 4.15 are you using? The original release (4.15.0) has issues with logging in from W10. If that's what you have, simply upgrade to 4.15.1 or greater and you should be good to go.

On 11/24/21 09:20, tizo via samba wrote:
> I have a pristine Samba AD DC installed (Samba 4.15 in Rocky Linux 8.5). I
> have joined a Windows 10 client without any problems. After restarting, I
> try to login with a test user (the only user aside from the administrator),
> and it keeps saying "Username or password is incorrect" (maybe this is not
> the exact translation, as the language is Spanish). Moreover, I am almost
> sure that the password is the right one, as I have tested it with kinit in
> the Samba AD DC server. I have also tested with the administrator user with
> the same results. It seems to me that Windows doesn't even try to contact
> Samba AD DC, as the message is displayed very fast (and no useful
> information is logged in Samba AD DC).
>
> So, before entering in more technical details, is there a way to debug the
> problem from the Windows client? I don't really know where to look for
> related logs.
>
> JFTR: in previous tests, with another Samba AD DC server but installed in
> the same way and with the same versions, I had the same issue with a
> Windows 7 client, and a Windows 10 client. The strange thing is that, the
> very first time that I joined the Windows 7 client it works, but only for
> that day.
>
> Any help is appreciated. Thanks very much.

On Wed, 2021-11-24 at 12:20 -0300, tizo via samba wrote:
> I have a pristine Samba AD DC installed (Samba 4.15 in Rocky Linux
> 8.5). I have joined a Windows 10 client without any problems. After
> restarting, I try to login with a test user (the only user aside from
> the administrator), and it keeps saying "Username or password is
> incorrect" (maybe this is not the exact translation, as the language
> is Spanish). Moreover, I am almost sure that the password is the right
> one, as I have tested it with kinit in the Samba AD DC server. I have
> also tested with the administrator user with the same results. It
> seems to me that Windows doesn't even try to contact Samba AD DC, as
> the message is displayed very fast (and no useful information is
> logged in Samba AD DC).

Very likely fixed by this commit in 4.15.1:

commit be8fb0218af1a1529cd7a349a57a11dbfaeb7368
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 15:53:47 2021 +1300

    heimdal:kdc: Only check for default salt for des-cbc-crc enctype

    Previously, this algorithm was preferring RC4 over AES for machine
    accounts in the preauth case. This is because AES keys for machine
    accounts in Active Directory use a non-default salt, while RC4 keys
    do not use a salt. To avoid this behaviour, only prefer keys with
    default salt for the des-cbc-crc enctype.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864

    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53)

    Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-15-test): Fri Oct 22 08:39:30 UTC 2021 on sn-devel-184

Sorry for the regression,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
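
The key-selection behaviour described in the commit message above, as a simplified model added here; it is not Heimdal's or Samba's code and not part of the thread. The function, struct and `salt_pref_all` switch are hypothetical, the key sets are constructed, and the model assumes that an RC4 key, having no salt, passes the default-salt check.

```c
#include <stddef.h>
#include <stdio.h>
/* Kerberos enctype numbers (IANA registry). */
enum { DES_CBC_CRC = 1, AES128_SHA1 = 17, AES256_SHA1 = 18, RC4_HMAC = 23 };

struct acct_key {
    int enctype;
    int default_salt; /* model assumption: 1 = default or no salt, 0 = non-default */
};

/* Hypothetical model of pre-authentication key selection. Walks the client's
 * enctypes in preference order and returns the enctype of the chosen key,
 * or 0 when client and account share none.
 * salt_pref_all = 1: default-salt keys are preferred for every enctype (pre-fix).
 * salt_pref_all = 0: that preference applies to des-cbc-crc only (post-fix). */
int pick_preauth_enctype(const int *client, size_t nclient,
                         const struct acct_key *keys, size_t nkeys,
                         int salt_pref_all)
{
    int fallback = 0; /* first non-default-salt match, used if nothing better */
    for (size_t i = 0; i < nclient; i++) {
        int prefer_default = salt_pref_all || client[i] == DES_CBC_CRC;
        for (size_t j = 0; j < nkeys; j++) {
            if (keys[j].enctype != client[i])
                continue;
            if (prefer_default && !keys[j].default_salt) {
                if (fallback == 0)
                    fallback = client[i]; /* usable, but keep looking */
                continue;
            }
            return client[i];
        }
    }
    return fallback;
}

/* Constructed sample data: a client offering AES first, and a machine account
 * whose AES keys carry a non-default salt while its RC4 key has none. */
static const int client_pref[] = { AES256_SHA1, AES128_SHA1, RC4_HMAC };
static const struct acct_key machine_keys[] = { {AES256_SHA1, 0}, {AES128_SHA1, 0}, {RC4_HMAC, 1} };

int main(void)
{
    printf("pre-fix model:  %d\n", pick_preauth_enctype(client_pref, 3, machine_keys, 3, 1));
    printf("post-fix model: %d\n", pick_preauth_enctype(client_pref, 3, machine_keys, 3, 0));
    return 0;
}
```

For the same machine account, the pre-fix rule in this model selects enctype 23 (RC4) and the post-fix rule selects 18 (AES256).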