[Samba] RDP user can login as user at samdom.com but not as SAMDOM\user

Alex peter.alexander99 at gmail.com
Thu Dec 2 23:58:01 UTC 2021 

Hi!
I set up a Ubuntu 18.04.6 Samba 4 server on my home network to practice
with Samba / AD management, and I noticed an odd behaviour when trying to
RDP into a domain joined Win10 Pro computer.
The user is in the computer's Remote Desktop Users group.
If I login as:
User:  samuser
Domain: SAMDOM
or
User: SAMDOM\samuser

I get an invalid password error.

If I login as samuser at samdom.com, same password, then it works.

I am not sure if this is just a Windows behaviour I've never noticed
before, or maybe an issue in my Samba or Kerberos config files. The issue
is only when logging on via RDP. Locally, I can just login as "samuser", I
don't need to put samuser at samdom.com in the username field.
I've included a copy of my config files and relevant event viewer error.

Any tips would be appreciated!

Peter

------- smb.conf
[global]
        netbios name = SRV01
        realm = SAMDOM.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        disable netbios = yes

[netlogon]
        path = /var/lib/samba/sysvol/samdom.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

------ krb5.conf

[libdefaults]
        default_realm = SAMDOM.COM
        dns_lookup_kdc = true
        dns_lookup_realm = false

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        ticket_lifetime = 24h
        proxiable = true
        fcc-mit-ticketflags = true

[logging]
        default = FILE:/var/log/krb5/krb.log
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/kadmind.log

[realms]
        SAMDOM.COM = {
                admin_server = srv01.samdom.com
                default_domain = samdom.com
                master_kdc = srv01.samdom.com
                kdc = srv01.samdom.com
        }

----- Windows Event Viewer - Security entry for failed RDP

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: samuser
Account Domain: SAMDOM

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: DESKTOP-00000
Source Network Address: 192.168.1.5
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

More information about the samba mailing list