samba - Jan 2025 - Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

On 22.01.2025 10:29, Georg Weickelt via samba wrote:
> this has also happened to us recently. However, the login of this user 
> then worked on another computer and often also after a restart of the 
> client.
	I did have problem with Windows 10 computers for last few weeks, that 
domain user could not log via remote desktop. But could log in directly 
from console. And that was fixed by restart.
	But did you also have NETLOGON errors on Event log?
> I suspect it is related to changes in Windows. Apparently, older RC4 
> tickets are no longer supported. We have the same Samba version and I am 
> sure that the newer Kerberos encryption types AES 128 or AES 256 are 
> supported. Maybe you can check the following:
> In the user manager under ?Account?: ?This account supports Kerberos AES 
> 128-bit encryption? and ?This account supports Kerberos AES 256-bit 
> encryption? - are they ticked?
	Nothing is checked there for user account.
> Have the passwords perhaps not been changed for a long time?
	After this started happening, I did try setting same password again for 
user with smbpasswd in linux.

	But that NETLOGON message in event log makes it look, like more generic 
problem.
	I thought of checking name resolution, but Windows nslookup seems to be 
unable to resolve SRV records. But they seem to be ok. Windows nslookup 
requiring ending name with dot caused some initial confusion.


-- 
Virgo P?rna
virgo.parna at mail.ee

Am 22.01.2025 um 10:38 schrieb Virgo P?rna via samba:
> ??? I did have problem with Windows 10 computers for last few weeks, 
> that domain user could not log via remote desktop. But could log in 
> directly from console. And that was fixed by restart.
> ????But did you also have NETLOGON errors on Event log?
>
Yes, I also find these messages, but the user is logged on to Windows.
Georg

On Wed, 22 Jan 2025 11:38:24 +0200
Virgo P?rna via samba <samba at lists.samba.org> wrote:
> On 22.01.2025 10:29, Georg Weickelt via samba wrote:
> > this has also happened to us recently. However, the login of this
> > user then worked on another computer and often also after a restart
> > of the client.
> 
> 	I did have problem with Windows 10 computers for last few
> weeks, that domain user could not log via remote desktop. But could
> log in directly from console. And that was fixed by restart.
> 	But did you also have NETLOGON errors on Event log?
> 
> > I suspect it is related to changes in Windows. Apparently, older
> > RC4 tickets are no longer supported. We have the same Samba version
> > and I am sure that the newer Kerberos encryption types AES 128 or
> > AES 256 are supported. Maybe you can check the following:
> > In the user manager under ?Account?: ?This account supports
> > Kerberos AES 128-bit encryption? and ?This account supports
> > Kerberos AES 256-bit encryption? - are they ticked?
> 
> 	Nothing is checked there for user account.
> 
> > Have the passwords perhaps not been changed for a long time?
> 
> 	After this started happening, I did try setting same password
> again for user with smbpasswd in linux.
Try using samba-tool to set a new password for the user.
> 
> 	But that NETLOGON message in event log makes it look, like
> more generic problem.
> 	I thought of checking name resolution, but Windows nslookup
> seems to be unable to resolve SRV records. But they seem to be ok.
> Windows nslookup requiring ending name with dot caused some initial
> confusion.
If Windows cannot resolve SRV records, then it looks like you have DNS
problems, are the clients using a DC as their first nameserver ?

Rowland