samba - Jan 2025 - Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

On Fri, 24 Jan 2025 11:37:43 +0200
Virgo P?rna via samba <samba at lists.samba.org> wrote:
> On 24.01.2025 11:30, Virgo P?rna via samba wrote:
> > On 24.01.2025 11:23, Rowland Penny via samba wrote:
> >>
> >> Yes, I did look at the MSK years, but ignored them because
> >> everything should be using EET and the time isn't stored like
that
> >> in AD.
> >>
> > 
> >  ????I suspect, that internally everything is in UTC and when
> > logging into file it is converted to string by server location
> > locale and timezone... Europe/Tallinn.
> >  ????Just really strange value for what must be null value...
> > Yesterday it happened to be exactly same day on weekday, just 50
> > years ago...
> > 
> 
> Googling 1975-01-22 22:55:33 first result  seems to explain it. Again 
> another red herring...
> 
> "The value 7FFFFFFFFFFFFFFF or 0 will mean that the account never
> expires"
> 
> Probably logging code does not handle this value logistically.
> Another red herring.
Which is why I said stop using the old tools, that conversion from 'AD'
to 'MSK' isn't coming from AD, it is coming from the tools you are
using.

If I were you, I would try resetting the users password, it could be
something as simple as the PC is using kerberos that is different from
what the DC expects.

Rowland

On 24.01.2025 11:54, Rowland Penny via samba wrote:
> 
> Which is why I said stop using the old tools, that conversion from
'AD'
> to 'MSK' isn't coming from AD, it is coming from the tools you
are
> using.
> 
	It is in samba log file.
> If I were you, I would try resetting the users password, it could be
> something as simple as the PC is using kerberos that is different from
> what the DC expects.
> 
	I have tried reseting user password.
	I also had Windows 11 test-virtual machine, that was not part of 
domain. I added it to domain. And I also added brand new domain account 
with samba-tool. That account works for accesing Windows 10 computers 
and Samba server. But when trying log into Windows 11 Windows says "The 
username or password is incorrect".  So it is not about specific domain 
user.
	And that computer is also Windows 24H2.. I'll need to get myself 23H2 
install media, to test it with that.
	Yet, when logged in with local account,
test-computersecurechannel
shows, that secure channel between local computer and domain is ok... 
But Windows NETLOGON service complains, that it could not set up secure 
session with DC...

-- 
Virgo P?rna
virgo.parna at mail.ee