samba - Nov 2023 - windows workstations needing reboot to validate passwords. --ADDENDUM

> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray
Klassen via
> samba
> Sent: Monday, November 20, 2023 1:09 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] windows workstations needing reboot to validate
> passwords. --ADDENDUM
> 
> Audit logging has been a bust. The failed attempt by the workstation to
> validate the password does not show up in the logs.
> 
> 
> On Thu, 2023-11-16 at 10:38 -0800, Ray Klassen via samba wrote:
> > Thank you for the suggestion. Audit logging enabled.
> >
> > On Thu, 2023-11-16 at 13:27 -0500, James Atwell via samba wrote:
> > > Have you setup Samba audit logging? This may aid in your efforts
to
> > > see the reasons for not authenticating from the servers
perspective.
> > >
> > > https://wiki.samba.org/index.php/Setting_up_Audit_Logging
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: samba <samba-bounces at lists.samba.org> On Behalf Of
Ray Klassen
> > > via samba
> > > Sent: Thursday, November 16, 2023 1:11 PM
> > > To: samba at lists.samba.org
> > > Subject: [Samba] windows workstations needing reboot to validate
> > > passwords. --ADDENDUM
> > >
> > > I am (earlier reported under the subject "Peculiar
Problem") having
> > > an issue that started several weeks ago, where windows (10 pro,
> > > server
> > > 2019) computers randomly get into a state where they refuse to
> > > validate passwords. Rebooting (sometimes several times) makes the
> > > problem go away. You can also log in if you disconnect the PC
from
> > > the network and then reconnect.
> > >
> > > List of changes around the time it started.
> > >
> > > Samba upgrade to 4.19.2
> > > Samba schema upgrade to 2012_R2 functional level Samba upgrade to
> > > 2008 functional level
> > >
> > > List of measures taken (hoping that if best practises are not
being
> > > observed, implementing them will fix things!!)
> > >
> > > Moved DNS from SAMBA_INTERNAL to BIND_DLZ Moved ntp from ntpsec
> to
> > > chrony
> > >
> > > Diagnostic steps
> > >
> > > Packet dumps (decoded with keytab) and loglevel 255 show no
glaring
> > > issues or errors.
> > >
> > > Going to try restarting all of the DC's next time it happens
to
> > > determine if the miscommunication originates with windows or
samba.
> > >
> > > Windows Eventviewer lists failure as Event ID 4625 Status
0xC000006D
> > > Sub Status 0x0 Failure reason %%2304
> > >
> > >
> > > Any other suggestions welcome!!
> > >
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
You mentioned restarting all your DC's. I assume you have more than 1 DC and
enabled audit logging on all your DC's. I also assume you verified on all
DC's the logs do not exist if enabled on all?

On Mon, 2023-11-20 at 13:43 -0500, James Atwell via samba
wrote:
> 
> 
> > -----Original Message-----
> > From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray
> > Klassen via
> > samba
> > Sent: Monday, November 20, 2023 1:09 PM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] windows workstations needing reboot to
> > validate
> > passwords. --ADDENDUM
> > 
> > Audit logging has been a bust. The failed attempt by the
> > workstation to
> > validate the password does not show up in the logs.
> > 
> > 
> > On Thu, 2023-11-16 at 10:38 -0800, Ray Klassen via samba wrote:
> > > Thank you for the suggestion. Audit logging enabled.
> > > 
> > > On Thu, 2023-11-16 at 13:27 -0500, James Atwell via samba wrote:
> > > > Have you setup Samba audit logging? This may aid in your
> > > > efforts to
> > > > see the reasons for not authenticating from the servers
> > > > perspective.
> > > > 
> > > > https://wiki.samba.org/index.php/Setting_up_Audit_Logging
> > > > 
> > > > 
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: samba <samba-bounces at lists.samba.org> On
Behalf Of Ray
> > > > Klassen
> > > > via samba
> > > > Sent: Thursday, November 16, 2023 1:11 PM
> > > > To: samba at lists.samba.org
> > > > Subject: [Samba] windows workstations needing reboot to
> > > > validate
> > > > passwords. --ADDENDUM
> > > > 
> > > > I am (earlier reported under the subject "Peculiar
Problem")
> > > > having
> > > > an issue that started several weeks ago, where windows (10
pro,
> > > > server
> > > > 2019) computers randomly get into a state where they refuse
to
> > > > validate passwords. Rebooting (sometimes several times)
makes
> > > > the
> > > > problem go away. You can also log in if you disconnect the
PC
> > > > from
> > > > the network and then reconnect.
> > > > 
> > > > List of changes around the time it started.
> > > > 
> > > > Samba upgrade to 4.19.2
> > > > Samba schema upgrade to 2012_R2 functional level Samba
upgrade
> > > > to
> > > > 2008 functional level
> > > > 
> > > > List of measures taken (hoping that if best practises are
not
> > > > being
> > > > observed, implementing them will fix things!!)
> > > > 
> > > > Moved DNS from SAMBA_INTERNAL to BIND_DLZ Moved ntp from
ntpsec
> > to
> > > > chrony
> > > > 
> > > > Diagnostic steps
> > > > 
> > > > Packet dumps (decoded with keytab) and loglevel 255 show no
> > > > glaring
> > > > issues or errors.
> > > > 
> > > > Going to try restarting all of the DC's next time it
happens to
> > > > determine if the miscommunication originates with windows or
> > > > samba.
> > > > 
> > > > Windows Eventviewer lists failure as Event ID 4625 Status
> > > > 0xC000006D
> > > > Sub Status 0x0 Failure reason %%2304
> > > > 
> > > > 
> > > > Any other suggestions welcome!!
> > > > 
> > > > 
> > > > 
> > > > --
> > > > To unsubscribe from this list go to the following URL and
read
> > > > the
> > > > instructions:? https://lists.samba.org/mailman/options/samba
> > > > 
> > > > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:? https://lists.samba.org/mailman/options/samba
> 
> You mentioned restarting all your DC's. I assume you have more than 1
> DC and enabled audit logging on all your DC's. I also assume you
> verified on all DC's the logs do not exist if enabled on all?
> 
> 
> I have 4 DC's. I've got auditing enabled on all of them. And seeing
> audit entries on all of them regarding other traffic. The wkstation
> that misbehaved this morning shows entries on some of them over the
> weekend 'NT_STATUS_OK'and earlier. It looks like it doing a machine
> password update.
> 
> 
> 
>