Alex
2021-Dec-02 23:58 UTC
[Samba] RDP user can login as user@samdom.com but not as SAMDOM\user
Hi!
I set up a Ubuntu 18.04.6 Samba 4 server on my home network to practice with Samba / AD management, and I noticed an odd behaviour when trying to RDP into a domain joined Win10 Pro computer.
The user is in the computer's Remote Desktop Users group.
If I login as:
User: samuser
Domain: SAMDOM
or
User: SAMDOM\samuser

I get an invalid password error.

If I login as samuser@samdom.com, same password, then it works.

I am not sure if this is just a Windows behaviour I've never noticed before, or maybe an issue in my Samba or Kerberos config files. The issue is only when logging on via RDP. Locally, I can just login as "samuser", I don't need to put samuser@samdom.com in the username field.
I've included a copy of my config files and relevant event viewer error.

Any tips would be appreciated!

Peter

------- smb.conf
[global]
        netbios name = SRV01
        realm = SAMDOM.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        disable netbios = yes

[netlogon]
        path = /var/lib/samba/sysvol/samdom.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

------ krb5.conf

[libdefaults]
        default_realm = SAMDOM.COM
        dns_lookup_kdc = true
        dns_lookup_realm = false

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        ticket_lifetime = 24h
        proxiable = true
        fcc-mit-ticketflags = true

[logging]
        default = FILE:/var/log/krb5/krb.log
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/kadmind.log

[realms]
        SAMDOM.COM = {
                admin_server = srv01.samdom.com
                default_domain = samdom.com
                master_kdc = srv01.samdom.com
                kdc = srv01.samdom.com
        }

----- Windows Event Viewer - Security entry for failed RDP

An account failed to log on.

Subject:
        Security ID: NULL SID
        Account Name: -
        Account Domain: -
        Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name: samuser
        Account Domain: SAMDOM

Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xC000006D
        Sub Status: 0xC000006A

Process Information:
        Caller Process ID: 0x0
        Caller Process Name: -

Network Information:
        Workstation Name: DESKTOP-00000
        Source Network Address: 192.168.1.5
        Source Port: 0

Detailed Authentication Information:
        Logon Process: NtLmSsp
        Authentication Package: NTLM
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0
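An added example (not part of the original post and not Samba project code): a small Python triage of the event quoted above. It decodes the two status codes and shows that the failing SAMDOM\samuser attempt was a network logon validated over NTLM with a wrong-password sub status. The function names and the trimmed sample text are constructed for this illustration.

```python
import re

# Documented NTSTATUS constants that appear in event 4625 failure fields.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",   # account exists, password rejected
    0xC0000064: "STATUS_NO_SUCH_USER",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Fields copied from the event quoted in the post above (trimmed).
SAMPLE_EVENT = """\
Logon Type: 3
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: samuser
    Account Domain: SAMDOM
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A
Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
"""

def parse_event(text):
    """Return {field: value}; a later duplicate key (e.g. Account Name) wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(text):
    f = parse_event(text)
    pkg, sub = f["Authentication Package"], int(f["Sub Status"], 16)
    return {
        "account": f["Account Domain"] + "\\" + f["Account Name"],
        "logon_type": LOGON_TYPES.get(int(f["Logon Type"]), "Other"),
        "package": pkg,
        "status": NTSTATUS.get(int(f["Status"], 16), f["Status"]),
        "sub_status": NTSTATUS.get(sub, f["Sub Status"]),
        "ntlm_wrong_password": pkg == "NTLM" and sub == 0xC000006A,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```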
Jonathon Reinhart
2021-Dec-03 01:08 UTC
[Samba] RDP user can login as user@samdom.com but not as SAMDOM\user
On Thu, Dec 2, 2021, 18:59 Alex via samba <samba at lists.samba.org> wrote:

> Hi!
> I set up a Ubuntu 18.04.6 Samba 4 server on my home network to practice
> with Samba / AD management, and I noticed an odd behaviour when trying to
> RDP into a domain joined Win10 Pro computer.
> The user is in the computer's Remote Desktop Users group.
> If I login as:
> User: samuser
> Domain: SAMDOM
> or
> User: SAMDOM\samuser
>
> I get an invalid password error.
>
> If I login as samuser@samdom.com, same password, then it works.
>
> I am not sure if this is just a Windows behaviour I've never noticed
> before, or maybe an issue in my Samba or Kerberos config files. The issue
> is only when logging on via RDP. Locally, I can just login as "samuser", I
> don't need to put samuser@samdom.com in the username field.
> I've included a copy of my config files and relevant event viewer error.
>
> Any tips would be appreciated!
>
> Peter
>
> ------- smb.conf
> [global]
>         netbios name = SRV01
>         realm = SAMDOM.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = SAMDOM
>         idmap_ldb:use rfc2307 = yes
>         disable netbios = yes
>

Maybe 'disable netbios' is to blame?

> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> ------ krb5.conf
>
> [libdefaults]
>         default_realm = SAMDOM.COM
>         dns_lookup_kdc = true
>         dns_lookup_realm = false
>
> # The following krb5.conf variables are only for MIT Kerberos.
L.P.H. van Belle
2021-Dec-03 09:21 UTC
[Samba] RDP user can login as user@samdom.com but not as SAMDOM\user
I've seen this also, and yeah, username@REALM as username fixes it.
Can be Windows but can be Samba also or the combination..

I do suggest, upgrade Ubuntu to 20.04.
And.. It does help if you tell which Samba version you are using.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> Sent: Friday 3 December 2021 0:58
> To: samba at lists.samba.org
> Subject: [Samba] RDP user can login as user@samdom.com but not as SAMDOM\user
>
> Hi!
> I set up a Ubuntu 18.04.6 Samba 4 server on my home network to practice
> with Samba / AD management, and I noticed an odd behaviour when trying to
> RDP into a domain joined Win10 Pro computer.
> The user is in the computer's Remote Desktop Users group.
> If I login as:
> User: samuser
> Domain: SAMDOM
> or
> User: SAMDOM\samuser
>
> I get an invalid password error.
>
> If I login as samuser@samdom.com, same password, then it works.
>
> I am not sure if this is just a Windows behaviour I've never noticed
> before, or maybe an issue in my Samba or Kerberos config files. The issue
> is only when logging on via RDP. Locally, I can just login as "samuser", I
> don't need to put samuser@samdom.com in the username field.
> I've included a copy of my config files and relevant event viewer error.
>
> Any tips would be appreciated!