Dr. Nicola Mingotti
2022-Oct-17 14:58 UTC
[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
Thank you a lot for reporting this in the mailing list. I also found this horrible issue putting a new Win-11 laptop in the Samba domain and lost hours in anger trying to make it work. Windows as usual reports silly/useless error messages.

On the Samba logs I found a suspicious line, and googling that I was able to find a blog where the thing is discussed (and on Reddit):
https://bitcoden.com/answers/samba-wont-join-computers-to-domain-anymore

Then finally I saw the message here, and I am more confident the info is reliable.

I may recommend putting a well visible link on the Samba web homepage when this kind of issue emerges. Even if it is Microsoft who broke things and it is not a Samba bug, we proud Samba users/admins will suffer, so better to warn us before we bang our heads against the wall for hours, if possible ;)

bye
Nicola

On 10/3/22 11:15, Denis CARDON via samba wrote:
> Hi everyone,
>
> we had a call last week from a client with a win11 workstation that
> upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15
> anymore.
>
> There are a few related posts on reddit [1] and it seems to be linked
> to this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue,
> probably due to the integration of Heimdal-8.0pre.
>
> The issue is due to a timestamp in the TGS-REQ where it is set to max
> value in the Microsoft kerberos client instead of the usual 2038 timestamp
> (till=99990913024805Z), and Microsoft says it is by the specs [3] and
> won't be changed.
>
> I didn't find any Samba bugzilla entry for this bug, which is going
> to get widespread quite fast as Microsoft starts force-feeding this
> upgrade on unsuspecting end users. I can create a bugzilla entry if
> there is none yet.
>
> There is only one supported version that is impacted (4.15), but there
> should at least be more communication to encourage people to upgrade
> before being bitten by this issue.
>
> Cheers,
>
> Denis
>
> [1] https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
> [2] https://github.com/heimdal/heimdal/issues/1011
> [3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488
Mason Schmitt
2022-Oct-17 23:09 UTC
[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
I'd like to add a few more details and symptoms, in the hope that it might help others who are running into this issue, but may not know it yet.

At this time, in order to prevent further disruption, we have prevented all our PCs from upgrading to either Win11 22H2 or Win10 22H2. We're still applying security patches of course, just not these feature packs.

Symptoms
----------------
- It's not possible to join a Win11 22H2 PC to a Samba domain that is running 4.15.x or older
- If you implement the "fix" which has shown up on Reddit and elsewhere, you will essentially break Kerberos auth, which will also prevent you from doing the following. You will however succeed in allowing your Win11 22H2 PCs to access file servers using NTLM authentication.
- GPOs will not be applied
- A regular user will not be able to enter domain credentials into a UAC prompt in order to elevate their privileges

Indications you are experiencing this problem
-------------------------------------------------------------
If you're looking for signs of the problem in your Samba AD DC logs, they'll show up in log.samba. With basic auth logging enabled (log level = 1 auth_audit:3 auth_json_audit:3), you should see multiple entries showing successful Kerberos pre-auth, like this:

  [2022/10/12 13:21:25.502451, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[<admin_acct>@<domain>] at [Wed, 12 Oct 2022 13:21:25.502446 PDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:<Client_IP>:49868] became [<NT_DOMAIN>]\[<admin_acct>] [<admin SID>]. local host [NULL]
  [2022/10/12 13:21:25.502485, 3] ../auth/auth_log.c:220(log_json)
    JSON Authentication: {"timestamp": "2022-10-12T13:21:25.502467-0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:<Client_IP>:49868", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "<admin_acct>@<domain>", "workstation": null, "becameAccount": " <admin_acct> ", "becameDomain": "<NT_DOMAIN>", "becameSid": "<admin SID>", "mappedAccount": " <admin_acct> ", "mappedDomain": "<NT_DOMAIN>", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
  [2022/10/12 13:21:25.546607, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[<admin_acct>@<DOMAIN>] at [Wed, 12 Oct 2022 13:21:25.546603 PDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:<Client_IP>:49872] became [<NT_DOMAIN>]\[ <admin_acct> ] [<admin SID>]. local host [NULL]
  [2022/10/12 13:21:25.546642, 3] ../auth/auth_log.c:220(log_json)

The root of the issue is more obvious with debug logs enabled. Warning: a single attempt to join a domain will generate over 100,000 log entries. Change your log level:

  #log level = 1 auth_audit:3 auth_json_audit:3
  log level = 10
  debug pid = true
  max log size = 0

You'll see entries like this - https://pastebin.com/5nEvJbQ4

How to resolve the issue
------------------------------------
At this time, I'm not aware that any of the common Linux distro LTS versions are supplying a version of Samba in which this issue has been resolved (unless you consider rolling distros like Arch)**.

As Rowland has pointed out, it's possible to get 4.16.5 for Debian Bullseye from Backports. Of course there are third party commercial packages available.

--
Mason

** https://pkgs.org/search/?q=samba
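A small detection pass over log.samba for the "multiple successful pre-auth entries" pattern Mason describes, as an added example that is not from this thread or from Samba itself: it parses the auth_json_audit lines in the format quoted above and flags (account, client IP) pairs that keep succeeding at ENC-TS pre-auth from fresh source ports within a short window. The log lines, account names, addresses and ports below are constructed placeholders.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a log.samba auth_json_audit line as quoted in the thread:
#   [date, level] ../auth/auth_log.c:220(log_json) JSON Authentication: {...}
JSON_LINE = re.compile(r"\(log_json\)\s*JSON Authentication:\s*(\{.*\})\s*$")

def parse_auth_json_lines(lines):
    """Yield the inner 'Authentication' dict (plus its timestamp) from each JSON audit line."""
    for line in lines:
        m = JSON_LINE.search(line)
        if not m:
            continue  # human-readable lines and other debug output are skipped
        rec = json.loads(m.group(1))
        if rec.get("type") == "Authentication":
            yield {**rec["Authentication"], "timestamp": rec["timestamp"]}

def find_repeated_preauth(lines, window=timedelta(seconds=60), threshold=2):
    """Heuristic: (account, client IP) pairs with >= threshold successful ENC-TS pre-auths
    inside `window`. Returns {(account, ip): (max_successes_in_window, distinct_source_ports)}."""
    events = defaultdict(list)
    for a in parse_auth_json_lines(lines):
        if (a.get("serviceDescription") == "Kerberos KDC"
                and a.get("authDescription") == "ENC-TS Pre-authentication"
                and a.get("status") == "NT_STATUS_OK"):
            ip, _, port = a["remoteAddress"].rpartition(":")  # "ipv4:<ip>:<port>"
            ts = datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            events[(a["clientAccount"], ip)].append((ts, port))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = (best, len({p for _, p in evs}))
    return hits

def _line(ts, acct, addr):
    """Build one constructed audit line in the quoted format (sample data, not real logs)."""
    rec = {"timestamp": ts, "type": "Authentication", "Authentication": {
        "status": "NT_STATUS_OK", "remoteAddress": addr, "serviceDescription": "Kerberos KDC",
        "authDescription": "ENC-TS Pre-authentication", "clientAccount": acct}}
    return f"[{ts}, 3] ../auth/auth_log.c:220(log_json) JSON Authentication: {json.dumps(rec)}"

SAMPLE_LINES = [  # constructed: one account retrying from fresh source ports, as in the thread
    "[2022/10/12 13:21:25.502451, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)",
    _line("2022-10-12T13:21:25.502467-0700", "admin@EXAMPLE.LAN", "ipv4:192.0.2.10:49868"),
    _line("2022-10-12T13:21:25.546631-0700", "admin@EXAMPLE.LAN", "ipv4:192.0.2.10:49872"),
    _line("2022-10-12T13:31:25.000000-0700", "admin@EXAMPLE.LAN", "ipv4:192.0.2.10:50101"),
    _line("2022-10-12T13:21:30.000000-0700", "bob@EXAMPLE.LAN", "ipv4:192.0.2.11:51000"),
]
```

Run against a real log.samba with auth_json_audit:3 enabled, a flagged pair is a prompt to check the Samba version on the DC and the 22H2 status of that client; a single pre-auth followed by normal ticket use is not flagged.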