Virgo Pärna
2025-Jan-22 05:16 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
I'm having a strange issue with Samba 4.21.3 (from Debian bookworm
backports) and Windows 11 24H2 Pro, where domain user can no longer log
in.
Error is "The username or password is incorrect". Used to work with
4.17.12 from bookworm, but I upgraded, because ever since 24H2 upgrade
there were issues with passwordless authentication between domain
computers, when using RDP since 24H2 upgrade.
When logged in as local user "test-computersecurechannel" reports
True.
Same with "test-computersecurechannel -repair".
Strange thing is, that if I'm accessing a folder shared on that computer
from computer that is not in domain, then supplying same username and
password works... I can access the share. I can also access shares from
other domain Windows computers (running Windows 10) without problems.
But I cannot log in locally, via remote desktop or via ssh server
(OpenSSH).
Initially I noticed in event log schannel message about ldap server
certificate, but even giving ldap server certificate, that is issued by
internal ca (root certificate is installed on that computer) did not fix
login issue.
There was also a time syncing issue, that I fixed.
On reboot or when restarting NETLOGON service I get:
------------------------------------------------------------------------
This computer was not able to set up a secure session with a domain
controller in domain MYDOMAIN due to the following:
An internal error occurred.
This may lead to authentication problems. Make sure that this computer
is connected to the network. If the problem persists, please contact
your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in
the specified domain. Otherwise, this computer sets up the secure
session to any domain controller in the specified domain.
------------------------------------------------------------------------
gpupdate fails to update machine policy.
----------------------------------------------------------------------
Updating policy...
Computer policy could not be updated successfully. The following errors
were encountered:
The processing of Group Policy failed because of lack of network
connectivity to a domain controller. This may be a transient condition.
A success message would be generated once the machine gets connected to
the domain controller and Group Policy has successfully processed. If
you do not see a success message for several hours, then contact your
administrator.
User Policy update has completed successfully.
To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from the command line to access information about Group
Policy results.
----------------------------------------------------------------------
--
Virgo Pärna
virgo.parna at mail.ee
Georg Weickelt
2025-Jan-22 08:29 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Hello,
this has also happened to us recently. However, the login of this user then worked on another computer and often also after a restart of the client.
I suspect it is related to changes in Windows. Apparently, older RC4 tickets are no longer supported. We have the same Samba version and I am sure that the newer Kerberos encryption types AES 128 or AES 256 are supported.
Maybe you can check the following:
In the user manager under "Account": "This account supports Kerberos AES 128-bit encryption" and "This account supports Kerberos AES 256-bit encryption" - are they ticked?
Have the passwords perhaps not been changed for a long time?
Unfortunately, I have not yet solved the problem.
Best regards
Georg
On 22.01.2025 at 06:16, Virgo Pärna via samba wrote:
> I'm having a strange issue with Samba 4.21.3 (from Debian
> bookworm backports) and Windows 11 24H2 Pro, where domain user can no
> longer log in.
>
> Error is "The username or password is incorrect". Used to work
> with 4.17.12 from bookworm, but I upgraded, because ever since 24H2
> upgrade there were issues with passwordless authentication between
> domain computers, when using RDP since 24H2 upgrade.
>
> When logged in as local user "test-computersecurechannel" reports
> True. Same with "test-computersecurechannel -repair".
>
> Strange thing is, that if I'm accessing a folder shared on that
> computer from computer that is not in domain, then supplying same
> username and password works... I can access the share. I can also
> access shares from other domain Windows computers (running Windows 10)
> without problems. But I cannot log in locally, via remote desktop or
> via ssh server (OpenSSH).
>
> Initially I noticed in event log schannel message about ldap
> server certificate, but even giving ldap server certificate, that is
> issued by internal ca (root certificate is installed on that computer)
> did not fix login issue.
> There was also a time syncing issue, that I fixed.
>
> On reboot or when restarting NETLOGON service I get:
> ------------------------------------------------------------------------
> This computer was not able to set up a secure session with a domain
> controller in domain MYDOMAIN due to the following:
> An internal error occurred.
> This may lead to authentication problems. Make sure that this computer
> is connected to the network. If the problem persists, please contact
> your domain administrator.
>
> ADDITIONAL INFO
> If this computer is a domain
> controller for the specified domain, it sets up the secure session to
> the primary domain controller emulator in the specified
> domain. Otherwise, this computer sets up the secure session to any
> domain controller in the specified domain.
> ------------------------------------------------------------------------
>
> gpupdate fails to update machine policy.
> ----------------------------------------------------------------------
> Updating policy...
>
> Computer policy could not be updated successfully. The following errors
> were encountered:
>
> The processing of Group Policy failed because of lack of network
> connectivity to a domain controller. This may be a transient condition.
> A success message would be generated once the machine gets connected to
> the domain controller and Group Policy has successfully processed. If
> you do not see a success message for several hours, then contact your
> administrator.
> User Policy update has completed successfully.
>
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.
> ----------------------------------------------------------------------
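
The check suggested in the reply above, as an added example that is not part of the original thread: the two AES checkboxes correspond to bits 0x08 and 0x10 of the account's msDS-SupportedEncryptionTypes attribute, and password age can be read from pwdLastSet. The LDIF sample, account names, attribute values and the reference date (the date of the first post) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags; 0x08 and 0x10 are the two AES checkboxes.
ENCTYPE_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
                0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
AES_MASK = 0x08 | 0x10
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet is in 100 ns ticks

# Constructed sample in LDIF form; names and values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=mydomain,DC=example
sAMAccountName: alice
msDS-SupportedEncryptionTypes: 24
pwdLastSet: 133800000000000000

dn: CN=bob,CN=Users,DC=mydomain,DC=example
sAMAccountName: bob
msDS-SupportedEncryptionTypes: 4
pwdLastSet: 131000000000000000

dn: CN=WS11$,CN=Computers,DC=mydomain,DC=example
sAMAccountName: WS11$
pwdLastSet: 133810000000000000
"""

def parse_ldif(text):
    """Split LDIF into one dict per entry (single-valued attributes only)."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines() if ": " in line)
        entries.append(dict(pairs))
    return entries

def audit(entry, now):
    """Return (account name, enabled enctypes, has_aes, password age in days)."""
    raw = entry.get("msDS-SupportedEncryptionTypes")
    mask = int(raw) if raw is not None else 0
    names = [name for bit, name in ENCTYPE_BITS.items() if mask & bit]
    # None means the attribute is unset, so the KDC's default applies.
    has_aes = None if raw is None else bool(mask & AES_MASK)
    ticks = int(entry["pwdLastSet"])
    set_at = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return entry["sAMAccountName"], names, has_aes, (now - set_at).days

if __name__ == "__main__":
    now = datetime(2025, 1, 22, tzinfo=timezone.utc)  # assumed reference date
    for e in parse_ldif(SAMPLE_LDIF):
        print(audit(e, now))
```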