Luke Barone
2022-Apr-08 17:23 UTC
[Samba] Windows 11 22h1 Beta (Build 22581) client refuses to auth with Samba DC
My smb.conf file on the DC (working with regular Win 11 and all the Win 10
machines):
# testparm -s
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
bind interfaces only = Yes
disable netbios = Yes
interfaces = lo enp1s0
ntlm auth = ntlmv1-permitted
passdb backend = samba_dsdb
realm = AD.DOMAIN.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
winbind separator = /
workgroup = EDGE
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /var/lib/samba/sysvol/ad.domain.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
(The ntlm auth line is for an external service we rely on)
On Fri, Apr 8, 2022 at 10:14 AM Luke Barone <lukebarone at gmail.com>
wrote:
> This is happening to me on Build 22593 as well. I created a new Win11 VM,
> ran all the Windows Updates, and cannot join it to a domain setup with only
> Samba Domain Controllers. I tried a standard user account, my account
> (member of the Domain Admins group), and the Domain Administrator account,
> all saying "Incorrect username and password".
>
> If someone can show me how to turn the logging for join events on the
> domain controller, I'd get those errors. In the Windows Event Log, it's
> failing with error 1326.
>
> I got it joined just now by using "*username at ad.domain.com
> <username at ad.domain.com>*" instead of just *username* or *AD\username*.
> However, I cannot sign in (using anything at all).
>
> On Sun, Apr 3, 2022 at 7:07 PM Andrew Bartlett via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 2022-04-01 at 15:18 -0500, Daniel Givens via samba wrote:
>> > I wanted to be sure you all were aware of an issue that's come up in
>> > recent Insider builds of Windows 11. I upgraded my local Windows 11
>> > to the most recent beta build 22581 and had to roll back because I
>> > was unable to login to the system. The logs on my Samba domain
>> > controller indicate the authentication is successful, but Windows
>> > says I entered an incorrect password.
>> >
>> > According to the u/BFeely1, in a Reddit post[1], they've submitted
>> > feedback about it, but I don't have much hope Microsoft is going to
>> > make it a high priority to resolve. I wasn't able to find any reports
>> > to this mailing list or in any Samba related bug tracking for the
>> > project or any distribution trackers mentioning the issue.
>> >
>> > I would like to help if I can, but I would need some direction on
>> > what info would be useful.
>>
>> Thanks. Given your description, it is going to be difficult to fix
>> this - far easier if Samba is rejecting the request.
>>
>> If a Samba developer was to raise this with Microsoft, I think the
>> first thing MS would want would be a paired network (wireshark PCAP or
>> PCAPng) and TTD trace.
>>
>>
>> https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-record
>>
>> A comparative trace with a windows DC joined to the same domain,
>> alongside a full keytab (samba-tool domain exportkeytab) for that
>> (TEST!) domain would also be very useful.
>>
>> Sadly I've not had any customers ask about this yet, so I've not been
>> able to put any time into this myself.
>>
>> Sorry,
>>
>> Andrew Bartlett
>>
>>
>> --
>> Andrew Bartlett (he/him) https://samba.org/~abartlet/
>> Samba Team Member (since 2001) https://samba.org
>> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
>>
>> Samba Development and Support, Catalyst IT - Expert Open Source
>> Solutions
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
Luke Barone
2022-Apr-26 18:14 UTC
[Samba] Windows 11 22h1 Beta (Build 22581) client refuses to auth with Samba DC
Still happening on Windows 11 build 22598.200. Found a workaround on the
Feedback Hub (https://aka.ms/AAfikdn, Windows only) to set the Encryption
Types allowed for Kerberos:

Local Security Policy > Local Policies > Security Options > Network
security: Configure encryption types allowed for Kerberos

Check only DES_CBC_CRC and DES_CBC_MD5

I'd like to give credit, but the Feedback Hub does not let me copy the
username, and it's not in my alphabet.
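The workaround above sets the Windows "Configure encryption types allowed for Kerberos" policy, which is stored as the MS-KILE SupportedEncryptionTypes bitmask (the same layout as the AD attribute msDS-SupportedEncryptionTypes). The following audit helper is an added example, not code from the thread or the Samba project: it decodes such a mask into enctype names and flags a configuration that, like the DES-only workaround, leaves only deprecated ciphers enabled. The bit values are the documented MS-KILE flags; the sample masks are constructed.

```python
"""Decode and audit a Kerberos SupportedEncryptionTypes bitmask (MS-KILE).

Added example for reviewing the policy value discussed in the thread;
bit assignments follow MS-KILE 2.2.7, sample masks below are constructed.
"""

# Bit -> enctype name as used by the Windows policy UI / msDS-SupportedEncryptionTypes
ENCTYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
DEPRECATED = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC_MD5"}


def decode_enctypes(mask: int) -> list:
    """Names of the enctypes whose bits are set in the mask, low bit first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def encode_enctypes(names) -> int:
    """Inverse of decode_enctypes: the mask that enables exactly these names."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    return sum(by_name[n] for n in names)


def audit_enctypes(mask: int) -> str:
    """Classify a mask the way a reviewer would when checking this policy.

    A mask with only DES/RC4 bits (e.g. the DES-only workaround, mask 0x3)
    is reported as WEAK; AES plus legacy ciphers is MIXED; AES only is OK.
    """
    enabled = set(decode_enctypes(mask))
    if not enabled:
        return "EMPTY: no enctype bits set (policy undefined or cleared)"
    if enabled <= DEPRECATED:
        return "WEAK: only deprecated enctypes (" + ", ".join(sorted(enabled)) + ")"
    if enabled & DEPRECATED:
        return "MIXED: AES plus deprecated enctypes (" + ", ".join(sorted(enabled & DEPRECATED)) + ")"
    return "OK: AES only"


if __name__ == "__main__":
    # Constructed sample: the workaround from the thread (DES_CBC_CRC + DES_CBC_MD5)
    workaround = encode_enctypes(["DES_CBC_CRC", "DES_CBC_MD5"])
    print(hex(workaround), decode_enctypes(workaround), audit_enctypes(workaround))
    print(audit_enctypes(0x18))  # AES128 + AES256
```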