samba - Jan 2025 - Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

One more detail... I'm working currently remotely, so I'm accessing 
that Windows 11 computer over remote desktop. If I actually supply 
incorrect password, then that error shows up on password promt dialog 
(The logon attempt failed). If I supply correct password, then 
connection is establised. I'll get Windows console view with "The 
username or password is incorrect. Try again." And then I'm seeing 
Windows login screen inside remote desktop window, where even shutdown 
is available. So I'm successfully authenticated parially and connected 
to console...

	Strange thing is, that in that screen it shows on username in 
"samba_realm\username" format (realm in uppercase), not 
"samba_WORKGROUP\username" format, that I actually supplied (realm is,
how it is called in smb.conf - ad.company_name.blaah while workgoup is 
COMPANY_NAME).
	


-- 
Virgo P?rna
virgo.parna at mail.ee

After enabling auth_audit logging at samba, there are lot of messages 
with status NT_STATUS_TIME_DIFFERENCE_AT_DC
But clock is synced and same in workstation and in server...

-- 
Virgo P?rna
virgo.parna at mail.ee

On 22.01.2025 13:00, Virgo P?rna via samba wrote:
> ????One more detail... I'm working currently remotely, so I'm 
> accessing that Windows 11 computer over remote desktop. If I actually 
> supply incorrect password, then that error shows up on password promt 
> dialog (The logon attempt failed). If I supply correct password, then 
> connection is establised. I'll get Windows console view with "The 
> username or password is incorrect. Try again." And then I'm seeing
> Windows login screen inside remote desktop window, where even shutdown 
> is available. So I'm successfully authenticated parially and connected 
> to console...
>
> ????Strange thing is, that in that screen it shows on username in 
> "samba_realm\username" format (realm in uppercase), not 
> "samba_WORKGROUP\username" format, that I actually supplied
(realm is,
> how it is called in smb.conf - ad.company_name.blaah while workgoup is 
> COMPANY_NAME).
>
>
>
Hi Virgo,

I assume you use freerdp ver. 3 for connecting to the Windows 11 24H2 
desktop remotely. It is very particular about how you enter domain and 
user name. There seems to be only two accepted ways

Either /d:<domain.name.net> /u:<user name>

or /u:'<NETBIOS DOMAIN NAME>\<user name>'

You also need the switch /sec:nla

freerdp3 pretends to use kerberos, but that's not the case, unfortunately.

All other login variations are bound to fail.

Best regards,

Peter