samba - Nov 2023 - Perplexing problem

On 31.10.2023 21:45, Ray Klassen via samba wrote:
> 4 DC's Samba version 4.19.2 compiled from tarball on Debian 12.2 (have 
> run this way always up to date tarballs for maybe 15 years. 
> Wkstations: Windows 10 up dated to latest security patches About a 
> week and half ago, workstations started fail on login with "Incorrect 
> Password" until restarted, sometimes several times after which no 
> problem for maybe a few days. (not sure about this, just don't seem to 
> get calls right the next day on the same PC.) Remote Desktop also 
> behaves peculiarly when workstation is in this state -- a successful 
> connection may actually get the user to a log in screen they can't get 
> past. Normally Remote Desktop will drop the connection if the password 
> fails. This looks like the connection to the machine is successful, 
> but the windows session connection fails. If network cable is 
> unplugged the PC logs in fine, using the locally cached password hash. 
> Log level 255 for an affected PC doesn't look that promising. The only 
> thing that looks suspicious are exchanges wh
> ere there's some sort of authentication and the workstation presents 
> its IP address as its name. Wireshark traffic of the failing login 
> (decoded by use of a DC keytab) reveals a bunch of successful requests 
> and responses. No glaring errors. Investigation reveals that dynamic 
> DNS updates are not working. I reset allow dns update to
'nonsecure'
> -- no difference. Could this be the cause? Recent changes to the 
> system: Upgrade to samba 4.19.2 from 4.19.1 raise domain/forest 
> funtional level from 2003 to 2008_r2 (in preparation for Entra Cloud 
> software. Better than AD Connect?) Windows service packs? Any 
> ideas/pointers appreciated...
Hi Ray,

Clock synchronization? If you have got ntpsec on the DCs, that wont 
work. Must use Chrony.

Best regards,

Peter

Sorry. Forgot to mention that. Chrony now installed and configured on all
DC's per the samba wiki. appears to be working. On Nov. 1, 2023, at 12:07
a.m., Peter Milesson via samba <samba at lists.samba.org> wrote: On
31.10.2023 21:45, Ray Klassen via samba wrote: 4 DC's Samba version 4.19.2
compiled from tarball on Debian 12.2 (have run this way always up to date
tarballs for maybe 15 years. Wkstations: Windows 10 up dated to latest security
patches About a week and half ago, workstations started fail on login with
"Incorrect Password" until restarted, sometimes several times after
which no problem for maybe a few days. (not sure about this, just don't seem
to get calls right the next day on the same PC.) Remote Desktop also behaves
peculiarly when workstation is in this state -- a successful connection may
actually get the user to a log in screen they can't get past. Normally
Remote Desktop will drop the connection if the password fails. This looks like
the connection to the machine is successful, but the windows session connection
fails. If network cable is unplugged the PC logs in fine, using the locally
cached password hash. Log level 255 for an affected PC doesn't look that
promising. The only thing that looks suspicious are exchanges wh ere there's
some sort of authentication and the workstation presents its IP address as its
name. Wireshark traffic of the failing login (decoded by use of a DC keytab)
reveals a bunch of successful requests and responses. No glaring errors.
Investigation reveals that dynamic DNS updates are not working. I reset allow
dns update to 'nonsecure' -- no difference. Could this be the cause?
Recent changes to the system: Upgrade to samba 4.19.2 from 4.19.1 raise
domain/forest funtional level from 2003 to 2008_r2 (in preparation for Entra
Cloud software. Better than AD Connect?) Windows service packs? Any
ideas/pointers appreciated... Hi Ray, Clock synchronization? If you have got
ntpsec on the DCs, that wont work. Must use Chrony. Best regards, Peter -- To
unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba