Virgo Pärna
2025-Jan-22 05:16 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
I'm having a strange issue with Samba 4.21.3 (from debian bookworm backports) and Windows 11 24H2 Pro, where domain user can no longer log in.

Error is "The username or password is incorrect". Used to work with 4.17.12 from bookworm, but I upgraded, because ever since 24H2 upgrade there were issues with passwordless authentication between domain computers, when using RDP since 24H2 upgrade.

When logged in as local user "test-computersecurechannel" reports True. Same with "test-computersecurechannel -repair".

Strange thing is, that if I'm accessing a folder shared on that computer from a computer that is not in the domain, then supplying same username and password works... I can access the share. I can also access shares from other domain Windows computers (running Windows 10) without problems. But I cannot log in locally, via remote desktop or via ssh server (OpenSSH).

Initially I noticed in event log schannel message about ldap server certificate, but even giving ldap server certificate, that is issued by internal ca (root certificate is installed on that computer) did not fix login issue.
There was also time syncing issue, that I fixed.

On reboot or when restarting NETLOGON service I get:
------------------------------------------------------------------------
This computer was not able to set up a secure session with a domain controller in domain MYDOMAIN due to the following:
An internal error occurred.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
------------------------------------------------------------------------

gpupdate fails to update machine policy.
----------------------------------------------------------------------
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
----------------------------------------------------------------------

--
Virgo Pärna
virgo.parna at mail.ee
Georg Weickelt
2025-Jan-22 08:29 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Hello,

this has also happened to us recently. However, the login of this user then worked on another computer and often also after a restart of the client.

I suspect it is related to changes in Windows. Apparently, older RC4 tickets are no longer supported. We have the same Samba version and I am sure that the newer Kerberos encryption types AES 128 or AES 256 are supported.

Maybe you can check the following: In the user manager under "Account": "This account supports Kerberos AES 128-bit encryption" and "This account supports Kerberos AES 256-bit encryption" - are they ticked? Have the passwords perhaps not been changed for a long time?

Unfortunately, I have not yet solved the problem.

Best regards
Georg

On 22.01.2025 at 06:16, Virgo Pärna via samba wrote:
> I'm having a strange issue with Samba 4.21.3 (from debian
> bookworm backports) and Windows 11 24H2 Pro, where domain user can no
> longer log in.
>
> Error is "The username or password is incorrect". Used to work
> with 4.17.12 from bookworm, but I upgraded, because ever since 24H2
> upgrade there were issues with passwordless authentication between
> domain computers, when using RDP since 24H2 upgrade.
>
> When logged in as local user "test-computersecurechannel" reports
> True. Same with "test-computersecurechannel -repair".
>
> Strange thing is, that if I'm accessing folder shared that
> computer from computer that is not in domain, then supplying same
> username and password works... I can access the share. I can also
> access shares from other domain Windows computers (running Windows 10)
> without problems. But I cannot log in locally, via remote desktop or
> via ssh server (OpenSSH).
>
> Initially I noticed in event log schannel message about ldap
> server certificate, but even giving ldap server certificate, that is
> issued by internal ca (root certificate is installed on that computer)
> did not fix login issue.
> There was also time syncing issue, that I fixed.
>
> On reboot or when restarting NETLOGON service I get:
> ------------------------------------------------------------------------
> This computer was not able to set up a secure session with a domain
> controller in domain MYDOMAIN due to the following:
> An internal error occurred.
> This may lead to authentication problems. Make sure that this computer
> is connected to the network. If the problem persists, please contact
> your domain administrator.
>
> ADDITIONAL INFO
> If this computer is a domain
> controller for the specified domain, it sets up the secure session to
> the primary domain controller emulator in the specified
> domain. Otherwise, this computer sets up the secure session to any
> domain controller in the specified domain.
> ------------------------------------------------------------------------
>
> gpupdate fails to update machine policy.
> ----------------------------------------------------------------------
> Updating policy...
>
> Computer policy could not be updated successfully. The following errors
> were encountered:
>
> The processing of Group Policy failed because of lack of network
> connectivity to a domain controller. This may be a transient condition.
> A success message would be generated once the machine gets connected to
> the domain controller and Group Policy has successfully processed. If
> you do not see a success message for several hours, then contact your
> administrator.
> User Policy update has completed successfully.
>
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.
> ----------------------------------------------------------------------
>
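
Added example, not part of the original thread or of Samba: the two AES checkboxes mentioned in the reply above are stored as bits 0x08 and 0x10 of the account's msDS-SupportedEncryptionTypes attribute, so the check can be run across many accounts from an LDIF export. The accounts, the DNs and the `audit` helper below are constructed for illustration; the script lists the advertised encryption types, whether AES is among them, and the password age from pwdLastSet.

```python
from datetime import datetime, timezone

# Bit flags of the msDS-SupportedEncryptionTypes attribute (MS-KILE).
ETYPE_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
              0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
AES_MASK = 0x08 | 0x10

# Constructed sample LDIF (hypothetical accounts), not taken from the thread.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
msDS-SupportedEncryptionTypes: 24
pwdLastSet: 133500000000000000

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
msDS-SupportedEncryptionTypes: 4
pwdLastSet: 131000000000000000

dn: CN=WS11$,CN=Computers,DC=example,DC=test
sAMAccountName: WS11$
pwdLastSet: 133800000000000000
"""

def parse_ldif(text):
    """Split LDIF into records of single-valued 'attr: value' pairs."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                rec[key] = value.strip()
        records.append(rec)
    return records

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime.fromtimestamp(ft / 10_000_000 - 11_644_473_600, tz=timezone.utc)

def audit(ldif, now):
    """Return (account, etype names, has_aes, password age in days) tuples."""
    rows = []
    for rec in parse_ldif(ldif):
        # Attribute absent means no explicit etypes are set on the account.
        mask = int(rec.get("msDS-SupportedEncryptionTypes", "0"))
        names = [n for bit, n in ETYPE_BITS.items() if mask & bit] or ["(unset)"]
        age = (now - filetime_to_datetime(int(rec["pwdLastSet"]))).days
        rows.append((rec["sAMAccountName"], names, bool(mask & AES_MASK), age))
    return rows
```
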