Luke Barone
2022-Apr-08 17:14 UTC
[Samba] Windows 11 22h1 Beta (Build 22581) client refuses to auth with Samba DC
This is happening to me on Build 22593 as well. I created a new Win11 VM, ran all the Windows Updates, and cannot join it to a domain setup with only Samba Domain Controllers. I tried a standard user account, my account (member of the Domain Admins group), and the Domain Administrator account, all saying "Incorrect username and password".

If someone can show me how to turn the logging for join events on the domain controller, I'd get those errors. In the Windows Event Log, it's failing with error 1326.

I got it joined just now by using "*username at ad.domain.com*" instead of just *username* or *AD\username*. However, I cannot sign in (using anything at all).

On Sun, Apr 3, 2022 at 7:07 PM Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Fri, 2022-04-01 at 15:18 -0500, Daniel Givens via samba wrote:
> > I wanted to be sure you all were aware of an issue that's come up in
> > recent Insider builds of Windows 11. I upgraded my local Windows 11
> > to the most recent beta build 22581 and had to roll back because I
> > was unable to login to the system. The logs on my Samba domain
> > controller indicate the authentication is successful, but Windows
> > says I entered an incorrect password.
> >
> > According to the u/BFeely1, in a Reddit post[1], they've submitted
> > feedback about it, but I don't have much hope Microsoft is going to
> > make it a high priority to resolve. I wasn't able to find any reports
> > to this mailing list or in any Samba related bug tracking for the
> > project or any distribution trackers mentioning the issue.
> >
> > I would like to help if I can, but I would need some direction on
> > what info would be useful.
>
> Thanks. Given your description, it is going to be difficult to fix
> this - far easier if Samba is rejecting the request.
>
> If a Samba developer was to raise this with Microsoft, I think the
> first thing MS would want would be a paired network (wireshark PCAP or
> PCAPng) and TTD trace.
>
> https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-record
>
> A comparative trace with a windows DC joined to the same domain,
> alongside a full keytab (samba-tool domain exportkeytab) for that
> (TEST!) domain would also be very useful.
>
> Sadly I've not had any customers ask about this yet, so I've not been
> able to put any time into this myself.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
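An added example, not part of the original messages: one way to check from the DC's own log whether Samba accepted or rejected a given account, which is the distinction the quoted reply turns on. It assumes the DC's smb.conf [global] section sets `log level = 1 auth_audit:3 auth_json_audit:3` so that authentication events are written as JSON; the sample log lines, account names and addresses are constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample of DC log lines in the "JSON Authentication:" form.
# Accounts, hosts, addresses and source-file positions are invented.
SAMPLE_LOG = '''\
[2022/04/08 10:14:01.100000,  3] ../../auth/auth_log.c:653(log_json)
  JSON Authentication: {"timestamp": "2022-04-08T10:14:01.100000-0700", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "testuser@AD.DOMAIN.COM", "workstation": null, "remoteAddress": "ipv4:192.0.2.50:49712"}}
[2022/04/08 10:15:30.200000,  2] ../../auth/auth_log.c:653(log_json)
  JSON Authentication: {"timestamp": "2022-04-08T10:15:30.200000-0700", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SamLogon", "authDescription": "network", "clientAccount": "otheruser", "workstation": "WIN10-PC", "remoteAddress": "ipv4:192.0.2.51:50110"}}
[2022/04/08 10:16:00.300000,  3] ../../auth/auth_log.c:653(log_json)
  JSON Authentication: {"timestamp": "2022-04-08T10:16:00", "type": "Authentica
'''

JSON_LINE = re.compile(r"JSON (\w+): (\{.*)$")


def parse_auth_events(text):
    """Return one dict per well-formed JSON Authentication record."""
    events = []
    for line in text.splitlines():
        m = JSON_LINE.search(line)
        if not m or m.group(1) != "Authentication":
            continue
        try:
            auth = json.loads(m.group(2)).get("Authentication", {})
        except json.JSONDecodeError:
            continue  # truncated or interleaved log line
        account = (auth.get("clientAccount") or "").split("@")[0].lower()
        events.append({"account": account, "status": auth.get("status"),
                       "service": auth.get("serviceDescription"),
                       "remote": auth.get("remoteAddress")})
    return events


def dc_side_verdict(events, account):
    """Classify what the DC decided for an account: accepted, rejected, not-seen."""
    statuses = Counter(e["status"] for e in events if e["account"] == account.lower())
    if not statuses:
        return "not-seen"
    return "accepted" if statuses["NT_STATUS_OK"] else "rejected"


if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_LOG)
    for name in ("testuser", "otheruser", "nobody"):
        print(name, dc_side_verdict(events, name))
```

An "accepted" verdict for an account that Windows refuses with error 1326 matches the case reported in this thread, where the DC logs a successful authentication while the client reports a wrong password.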
Luke Barone
2022-Apr-08 17:23 UTC
[Samba] Windows 11 22h1 Beta (Build 22581) client refuses to auth with Samba DC
My smb.conf file on the DC (working with regular Win 11 and all the Win 10 machines):

# testparm -s
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
    bind interfaces only = Yes
    disable netbios = Yes
    interfaces = lo enp1s0
    ntlm auth = ntlmv1-permitted
    passdb backend = samba_dsdb
    realm = AD.DOMAIN.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    winbind separator = /
    workgroup = EDGE
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    map archive = No
    vfs objects = dfs_samba4 acl_xattr

[netlogon]
    path = /var/lib/samba/sysvol/ad.domain.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

(The ntlm auth line is for an external service we rely on)