Kacper Wirski
2025-Feb-19 08:18 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
I can cautiously say that upgrading Samba DCs to 4.17 (Debian backports) solved my issue. Windows 11 24H2 clients behave as they should, all GPOs are applying as they should, users can log in, I can reach sysvol/netlogon, and the Windows machine sees itself as part of a domain.

On 14.02.2025 at 13:51, Virgo Pärna via samba wrote:
> I have been busy with other things lately and have not been able
> to investigate the issue more. But there were some issues before it got
> really bad.
> But the strange thing is that a clean install of 22H2 had the same issue
> after successfully joining the domain. And the issue remained after upgrading
> to 23H2. And 22H2 did not even have the latest security updates available.
> For me the strangest part is that after using "Nltest
> /DBFlag:2080FFFF" to set the netlogon service to provide debug logs (after
> that restarting the service), that debug log complains about being unable to
> log into the LDAP server.
> Also, when trying to log in with an invalid password (for a domain
> account), I get "The username or password is incorrect. Try again".
> But if I provide the correct password, I get "Welcome" and then "The
> username or password is incorrect. Try again".
Virgo Pärna
2025-Mar-06 14:35 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Could the issue be with the DC being 32-bit Samba? I tried to capture Kerberos network traffic with Wireshark and that showed "Requested effective lifetime is negative or too short" errors. Now I do not know what the requested lifetime was, but in the request packet there were till and rtime values (as interpreted by Wireshark) that were from the year 2100. Which would be an issue for 32-bit time_t.... Samba did log some time difference messages...

--
Virgo Pärna
virgo.parna at mail.ee
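
The arithmetic behind the hypothesis in the message above, as an added example that is not part of the thread and is not Samba or Heimdal code: it converts a KerberosTime to epoch seconds and shows the value a year-2100 `till` takes when wrapped into a signed 32-bit time_t. The timestamps are constructed, the function names are hypothetical, and the modulo-2^32 wrap is an assumption about how a 32-bit build would store the value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a Gregorian date, computed in 64 bits. */
static int64_t days_from_civil(int64_t y, int m, int d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse a KerberosTime ("YYYYMMDDHHMMSSZ") into epoch seconds.
   Returns 0 on success, -1 on malformed input. */
int krb_time_to_epoch(const char *s, int64_t *out) {
    int Y, M, D, h, mi, sec;
    if (strlen(s) != 15 || s[14] != 'Z') return -1;
    for (int i = 0; i < 14; i++)
        if (s[i] < '0' || s[i] > '9') return -1;
    if (sscanf(s, "%4d%2d%2d%2d%2d%2d", &Y, &M, &D, &h, &mi, &sec) != 6) return -1;
    if (M < 1 || M > 12 || D < 1 || D > 31 || h > 23 || mi > 59 || sec > 60) return -1;
    *out = days_from_civil(Y, M, D) * 86400 + h * 3600 + mi * 60 + sec;
    return 0;
}

/* Value the timestamp takes in a signed 32-bit time_t (assumed modulo 2^32 wrap). */
int64_t wrap_to_time32(int64_t t) {
    uint32_t u = (uint32_t)t; /* unsigned conversion is well-defined modulo 2^32 */
    return u >= 0x80000000u ? (int64_t)u - 4294967296LL : (int64_t)u;
}

/* Requested lifetime (till - now); time32 != 0 models a 32-bit time_t.
   Returns INT64_MIN if either timestamp fails to parse. */
int64_t requested_lifetime(const char *now, const char *till, int time32) {
    int64_t n, t;
    if (krb_time_to_epoch(now, &n) || krb_time_to_epoch(till, &t)) return INT64_MIN;
    return (time32 ? wrap_to_time32(t) : t) - n;
}

int main(void) {
    const char *now = "20250306143500Z";  /* constructed sample */
    const char *till = "21000101000000Z"; /* constructed sample: a year-2100 till */
    printf("64-bit lifetime: %lld s\n", (long long)requested_lifetime(now, till, 0));
    printf("32-bit lifetime: %lld s\n", (long long)requested_lifetime(now, till, 1));
    return 0;
}
```

Any `till` later than 2038-01-19 03:14:07 UTC exceeds the signed 32-bit range, so the wrapped lifetime comes out negative for the sample values here.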