Mason Schmitt
2022-Oct-17 23:09 UTC
[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
I'd like to add a few more details and symptoms, in the hope that it might help others who are running into this issue, but may not know it yet.

At this time, in order to prevent further disruption, we have prevented all our PCs from upgrading to either Win11 22H2 or Win10 22H2. We're still applying security patches of course, just not these feature packs.

Symptoms
----------------
- It's not possible to join a Win11 22H2 PC to a Samba domain that is running 4.15.x or older
- If you implement the "fix" which has shown up on Reddit and elsewhere, you will essentially break kerberos auth, which will also prevent you from doing the following. You will however succeed in allowing your Win11 22H2 PCs to access file servers using NTLM authentication.
- GPOs will not be applied
- A regular user will not be able to enter domain credentials into a UAC prompt in order to elevate their privileges

Indications you are experiencing this problem
-------------------------------------------------------------
If you're looking for signs of the problem in your Samba AD DC logs, they'll show up in log.samba. With basic auth logging enabled (log level 1 auth_audit:3 auth_json_audit:3), you should see multiple entries showing successful kerberos pre-auth, like this:

[2022/10/12 13:21:25.502451, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[<admin_acct>@<domain>] at [Wed, 12 Oct 2022 13:21:25.502446 PDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:<Client_IP>:49868] became [<NT_DOMAIN>]\[<admin_acct>] [<admin SID>]. local host [NULL]
[2022/10/12 13:21:25.502485, 3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2022-10-12T13:21:25.502467-0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:<Client_IP>:49868", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "<admin_acct>@<domain>", "workstation": null, "becameAccount": " <admin_acct> ", "becameDomain": "<NT_DOMAIN>", "becameSid": "<admin SID>", "mappedAccount": " <admin_acct> ", "mappedDomain": "<NT_DOMAIN>", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "aes256-cts-hmac-sha1-96"}}
[2022/10/12 13:21:25.546607, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[<admin_acct>@<DOMAIN>] at [Wed, 12 Oct 2022 13:21:25.546603 PDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:<Client_IP>:49872] became [<NT_DOMAIN>]\[ <admin_acct> ] [<admin SID>]. local host [NULL]
[2022/10/12 13:21:25.546642, 3] ../auth/auth_log.c:220(log_json)

The root of the issue is more obvious with debug logs enabled. Warning, a single attempt to join a domain will generate over 100,000 log entries.

Change your log level:

  #log level = 1 auth_audit:3 auth_json_audit:3
  log level = 10
  debug pid = true
  max log size = 0

You'll see entries like this - https://pastebin.com/5nEvJbQ4

How to resolve the issue
------------------------------------
At this time, I'm not aware that any of the common Linux distro LTS versions are supplying a version of Samba, in which this issue has been resolved (unless you consider rolling distros like Arch)**.

As Rowland has pointed out, it's possible to get 4.16.5 for Debian Bullseye from Backports. Of course there are third party commercial packages available.

--
Mason

** https://pkgs.org/search/?q=samba
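The symptom Mason describes above (a client that keeps completing Kerberos ENC-TS pre-authentication at the KDC in quick succession without ever getting further) can be spotted from the auth_json_audit lines in log.samba before users start reporting broken joins or GPOs. The script below is an added example, not code from the original post or from the Samba project: it parses the "JSON Authentication: {...}" line format shown above, keys events by the host part of "remoteAddress", and reports any host that completes three or more successful KDC pre-auths inside a two-second window. The window and threshold, the IP addresses, accounts and timestamps are all constructed for the example.

```python
"""Flag hosts that repeat successful Kerberos pre-auth in Samba auth_json_audit logs.

Added example, not part of the original post or of Samba itself. It assumes the
"JSON Authentication: {...}" log format shown in the post and that
"remoteAddress" looks like "ipv4:<host>:<port>". All sample data is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The JSON payload follows this fixed prefix on the auth_log.c:220(log_json) line.
JSON_LINE = re.compile(r"JSON Authentication:\s*(\{.*\})\s*$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"   # e.g. 2022-10-12T13:21:25.502467-0700


def parse_auth_line(line):
    """Return the 'Authentication' record (plus timestamp) from one line, or None."""
    m = JSON_LINE.search(line)
    if not m:
        return None
    try:
        rec = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    if rec.get("type") != "Authentication":
        return None
    auth = dict(rec["Authentication"])
    auth["timestamp"] = rec["timestamp"]
    return auth


def client_host(remote_address):
    """Split 'ipv4:10.0.0.25:49868' into ('10.0.0.25', '49868')."""
    _family, rest = remote_address.split(":", 1)
    host, port = rest.rsplit(":", 1)
    return host, port


def find_preauth_loops(lines, window=timedelta(seconds=2), threshold=3):
    """Group successful KDC ENC-TS pre-auths by client host and return
    {host: size_of_largest_burst} for hosts with >= threshold events in window."""
    events = defaultdict(list)
    for line in lines:
        auth = parse_auth_line(line)
        if auth is None:
            continue
        if (auth.get("serviceDescription") != "Kerberos KDC"
                or auth.get("authDescription") != "ENC-TS Pre-authentication"
                or auth.get("status") != "NT_STATUS_OK"):
            continue
        host, _port = client_host(auth.get("remoteAddress", "ipv4:0.0.0.0:0"))
        events[host].append(datetime.strptime(auth["timestamp"], TS_FORMAT))

    bursts = {}
    for host, times in events.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[host] = best
    return bursts


def _sample_line(ts, ip, port, account, status="NT_STATUS_OK"):
    """Build a constructed log line in the format shown in the post."""
    payload = {
        "timestamp": ts, "type": "Authentication",
        "Authentication": {
            "version": {"major": 1, "minor": 0}, "status": status,
            "localAddress": "NULL", "remoteAddress": f"ipv4:{ip}:{port}",
            "serviceDescription": "Kerberos KDC",
            "authDescription": "ENC-TS Pre-authentication",
            "clientDomain": None, "clientAccount": account, "workstation": None,
            "passwordType": "aes256-cts-hmac-sha1-96",
        },
    }
    return ("[2022/10/12 13:21:25, 3] ../auth/auth_log.c:220(log_json) "
            "  JSON Authentication: " + json.dumps(payload))


# Constructed sample: one host looping through pre-auth, one host behaving normally.
SAMPLE_LOG = [
    "[2022/10/12 13:21:25, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)",
    _sample_line("2022-10-12T13:21:25.502467-0700", "10.0.0.25", 49868, "admin@EXAMPLE.LAN"),
    _sample_line("2022-10-12T13:21:25.546642-0700", "10.0.0.25", 49872, "admin@EXAMPLE.LAN"),
    _sample_line("2022-10-12T13:21:25.590110-0700", "10.0.0.25", 49876, "admin@EXAMPLE.LAN"),
    _sample_line("2022-10-12T13:21:25.633905-0700", "10.0.0.25", 49880, "admin@EXAMPLE.LAN"),
    _sample_line("2022-10-12T13:22:40.100000-0700", "10.0.0.40", 51020, "alice@EXAMPLE.LAN"),
    _sample_line("2022-10-12T13:22:41.000000-0700", "10.0.0.40", 51024, "alice@EXAMPLE.LAN",
                 status="NT_STATUS_WRONG_PASSWORD"),
]

if __name__ == "__main__":
    # Expected: {'10.0.0.25': 4}; 10.0.0.40 has a single success and is not reported.
    print(find_preauth_loops(SAMPLE_LOG))
```

Feed it the real log.samba with `find_preauth_loops(open("/var/log/samba/log.samba"))` on a DC running with auth_json_audit:3; a host that shows up here repeatedly while its Windows client reports join or logon failures is the pattern the post describes, and it is the place to confirm the Samba version before turning on the level 10 debug logging.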
Andrew Bartlett
2022-Oct-20 07:17 UTC
[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
Regarding the below:

On Mon, 2022-10-17 at 16:09 -0700, Mason Schmitt via samba wrote:
> I'd like to add a few more details and symptoms, in the hope that it
> might help others who are running into this issue, but may not know it
> yet.
>
> At this time, in order to prevent further disruption, we have
> prevented all our PCs from upgrading to either Win11 22H2 or Win10
> 22H2. We're still applying security patches of course, just not these
> feature packs.
>
> How to resolve the issue
> ------------------------------------
> At this time, I'm not aware that any of the common Linux distro LTS
> versions are supplying a version of Samba, in which this issue has
> been resolved (unless you consider rolling distros like Arch)**. As
> Rowland has pointed out, it's possible to get 4.16.5 for Debian
> Bullseye from Backports. Of course there are third party commercial
> packages available.

I've uploaded tested patches to the bug at
https://bugzilla.samba.org/show_bug.cgi?id=15197

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions