Georg Weickelt
2025-Jan-22 08:29 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Hello,

this has also happened to us recently. However, the login of this user then worked on another computer and often also after a restart of the client.

I suspect it is related to changes in Windows. Apparently, older RC4 tickets are no longer supported. We have the same Samba version and I am sure that the newer Kerberos encryption types AES 128 or AES 256 are supported. Maybe you can check the following:
In the user manager under "Account": "This account supports Kerberos AES 128-bit encryption" and "This account supports Kerberos AES 256-bit encryption" - are they ticked?
Have the passwords perhaps not been changed for a long time?

Unfortunately, I have not yet solved the problem.

Best regards
Georg

On 22.01.2025 at 06:16, Virgo Pärna via samba wrote:
> I'm having a strange issue with Samba 4.21.3 (from debian
> bookworm backports) and Windows 11 24H2 Pro, where domain user can no
> longer log in.
>
> Error is "The username or password is incorrect". Used to work
> with 4.17.12 from bookworm, but I upgraded, because ever since 24H2
> upgrade there were issues with passwordless authentication between
> domain computers, when using RDP since 24H2 upgrade.
>
> When logged in as local user "test-computersecurechannel" reports
> True. Same with "test-computersecurechannel -repair".
>
> Strange thing is, that if I'm accessing folder shared that
> computer from computer that is not in domain, then supplying same
> username and password works... I can access the share. I can also
> access shares from other domain Windows computers (running Windows 10)
> without problems. But I cannot log in locally, via remote desktop or
> via ssh server (OpenSSH).
>
> Initially I noticed in event log schannel message about ldap
> server certificate, but even giving ldap server certificate, that is
> issued by internal ca (root certificate is installed on that computer)
> did not fix login issue.
> There was also time syncing issue, that I fixed.
>
> On reboot or when restarting NETLOGON service I get:
> ------------------------------------------------------------------------
> This computer was not able to set up a secure session with a domain
> controller in domain MYDOMAIN due to the following:
> An internal error occurred.
> This may lead to authentication problems. Make sure that this computer
> is connected to the network. If the problem persists, please contact
> your domain administrator.
>
> ADDITIONAL INFO
> If this computer is a domain
> controller for the specified domain, it sets up the secure session to
> the primary domain controller emulator in the specified
> domain. Otherwise, this computer sets up the secure session to any
> domain controller in the specified domain.
> ------------------------------------------------------------------------
>
> gpupdate fails to update machine policy.
> ----------------------------------------------------------------------
> Updating policy...
>
> Computer policy could not be updated successfully. The following errors
> were encountered:
>
> The processing of Group Policy failed because of lack of network
> connectivity to a domain controller. This may be a transient condition.
> A success message would be generated once the machine gets connected to
> the domain controller and Group Policy has successfully processed. If
> you do not see a success message for several hours, then contact your
> administrator.
> User Policy update has completed successfully.
>
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.
> ----------------------------------------------------------------------
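The two checks suggested in the reply above (AES checkboxes and password age) can be run over every account at once from an LDIF export of the directory. This is an added example, not part of the original thread or of Samba; it assumes the two checkboxes correspond to bits 0x08 and 0x10 of the `msDS-SupportedEncryptionTypes` attribute, and the account names and values in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

# Bit values of msDS-SupportedEncryptionTypes (as defined in MS-KILE).
ETYPES = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
          0x08: "AES128", 0x10: "AES256"}
AES_BITS = 0x08 | 0x10
# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in LDIF form (accounts and values are made up).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
msDS-SupportedEncryptionTypes: 24
pwdLastSet: 133800000000000000

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
pwdLastSet: 130000000000000000

dn: CN=svc-legacy,CN=Users,DC=example,DC=test
sAMAccountName: svc-legacy
msDS-SupportedEncryptionTypes: 4
pwdLastSet: 133800000000000000
"""

def parse_ldif(text):
    """Yield one dict per LDIF record (single-valued attributes only)."""
    for block in text.strip().split("\n\n"):
        yield dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)

def audit(text, now, max_age_days=365):
    """Return {account: [findings]} for accounts worth a closer look."""
    report = {}
    for rec in parse_ldif(text):
        findings = []
        raw = rec.get("msDS-SupportedEncryptionTypes")
        if raw is None:
            findings.append("no per-account etypes set")
        elif not int(raw) & AES_BITS:
            names = [n for bit, n in ETYPES.items() if int(raw) & bit]
            findings.append("no AES bit, only: " + ",".join(names))
        ticks = int(rec.get("pwdLastSet", 0))
        changed = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
        if now - changed > timedelta(days=max_age_days):
            findings.append("password last set " + changed.date().isoformat())
        if findings:
            report[rec["sAMAccountName"]] = findings
    return report
```
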
Virgo Pärna
2025-Jan-22 09:38 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 22.01.2025 10:29, Georg Weickelt via samba wrote:
> this has also happened to us recently. However, the login of this user
> then worked on another computer and often also after a restart of the
> client.

I did have problem with Windows 10 computers for last few weeks, that domain user could not log via remote desktop. But could log in directly from console. And that was fixed by restart.
But did you also have NETLOGON errors on Event log?

> I suspect it is related to changes in Windows. Apparently, older RC4
> tickets are no longer supported. We have the same Samba version and I am
> sure that the newer Kerberos encryption types AES 128 or AES 256 are
> supported. Maybe you can check the following:
> In the user manager under "Account": "This account supports Kerberos AES
> 128-bit encryption" and "This account supports Kerberos AES 256-bit
> encryption" - are they ticked?

Nothing is checked there for user account.

> Have the passwords perhaps not been changed for a long time?

After this started happening, I did try setting same password again for user with smbpasswd in linux.

But that NETLOGON message in event log makes it look, like more generic problem. I thought of checking name resolution, but Windows nslookup seems to be unable to resolve SRV records. But they seem to be ok. Windows nslookup requiring ending name with dot caused some initial confusion.

--
Virgo Pärna
virgo.parna at mail.ee