Kothe Patrik
2023-Jul-20 14:02 UTC
[Samba] **[EXTERNAL]**Re: Samba rejecting authentication from Windows machines
What version of Samba are the DCs running and on what OS ?
--> They're still running on 4.13.17 and Debian 10 since that's the pre-packed version we started with and didn't dare to upgrade so far.

Was anything updated on any of the machines ? If so, what ?
--> No. We had our monthly maintenance window but there were no upgrades to the Samba DCs

This could be more fall out from Microsoft's last update
--> What do you mean with this? I haven't read anything in this direction while searching for the issue.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, 20 July 2023 15:42
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: **[EXTERNAL]**Re: [Samba] Samba rejecting authentication from Windows machines

On 20/07/2023 14:28, Kothe Patrik via samba wrote:
> Hi everybody.
>
> First a short overview of our setup:
>
> We have 2 Samba DCs in Domain 1
> We use a Windows 10 Pro VM for the RSAT Tools which we access via RDP
> We have 1 Windows Server 2012 DC for Domain 2
> Between Domain 1 and 2 is a Trust for cross-domain file share access
>
> Since the last reboot of our samba DCs they suddenly started to block login attempts on the RSAT-VM and also the Trust to the other domain is broken.
>
> When trying to log in to the RSAT-VM the primary DC logs this:
>
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#61179: update 'Domain1.tld/IN' denied
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: disallowing update of signer=RSAT-VM$@DOMAIN1.TLD name=RSAT-VM.Domain1.tld type=AAAA error=insufficient access rights
> Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#62717/key RSAT-VM$@DOMAIN1.TLD: updating zone 'Domain1.tld/NONE': update failed: rejected by secure update (REFUSED)
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
>
> Also, if I run the Trust-test on the Windows DC of Domain 2, I get the following error:
> "The secure channel (SC) verification on Active Directory Domain Controller \\dc01.domain1.tld of domain1.tld to domain domain2.tld failed with error: Access is denied."
>
> Does anybody have an idea, what we can do about this?

Sorry, but I doubt it, not from the information provided.

What version of Samba are the DCs running and on what OS ?

Was anything updated on any of the machines ? If so, what ?

This could be more fall out from Microsoft's last update.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2023-Jul-20 14:23 UTC
[Samba] Samba rejecting authentication from Windows machines
On 20/07/2023 15:02, Kothe Patrik via samba wrote:
> What version of Samba are the DCs running and on what OS ?
> --> They're still running on 4.13.17 and Debian 10 since that's the pre-packed version we started with and didn't dare to upgrade so far.
> Was anything updated on any of the machines ? If so, what ?
> --> No. We had our monthly maintenance window but there were no upgrades to the Samba DCs
> This could be more fall out from Microsoft's last update
> --> What do you mean with this? I haven't read anything in this direction while searching for the issue.
>

On the 7th July, Microsoft released a large update, KB5028166 (this also seems to have different identities on different Windows versions), after the update there were numerous Samba problems, mostly to do with trusts and authentication. An interim patch was quickly produced and this seems to have mitigated the problem.

I would suggest that upgrading Samba is probably your next step, but you will probably have to upgrade to bullseye or bookworm.

Rowland