[Samba] windows workstations needing reboot to validate passwords. --ADDENDUM

Ray Klassen ray.klassen at icloud.com
Tue Nov 21 00:39:07 UTC 2023



On Mon, 2023-11-20 at 15:19 -0500, James Atwell via samba wrote:
> > -----Original Message-----
> > From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray
> > Klassen via
> > samba
> > Sent: Monday, November 20, 2023 2:10 PM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] windows workstations needing reboot to
> > validate
> > passwords. --ADDENDUM
> > 
> > 
> > 
> > On Mon, 2023-11-20 at 13:43 -0500, James Atwell via samba wrote:
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray
> > > > Klassen
> > > > via samba
> > > > Sent: Monday, November 20, 2023 1:09 PM
> > > > To: samba at lists.samba.org
> > > > Subject: Re: [Samba] windows workstations needing reboot to
> > > > validate
> > > > passwords. --ADDENDUM
> > > > 
> > > > Audit logging has been a bust. The failed attempt by the
> > > > workstation
> > > > to validate the password does not show up in the logs.
> > > > 
> > > > 
> > > > On Thu, 2023-11-16 at 10:38 -0800, Ray Klassen via samba wrote:
> > > > > Thank you for the suggestion. Audit logging enabled.
> > > > > 
> > > > > On Thu, 2023-11-16 at 13:27 -0500, James Atwell via samba
> > > > > wrote:
> > > > > > > Have you set up Samba audit logging? This may aid in your
> > > > > > > efforts
> > > > > > > to see the reasons for not authenticating from the server's
> > > > > > > perspective.
> > > > > > 
> > > > > > https://wiki.samba.org/index.php/Setting_up_Audit_Logging
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: samba <samba-bounces at lists.samba.org> On Behalf Of
> > > > > > Ray
> > > > > > Klassen via samba
> > > > > > Sent: Thursday, November 16, 2023 1:11 PM
> > > > > > To: samba at lists.samba.org
> > > > > > Subject: [Samba] windows workstations needing reboot to
> > > > > > validate
> > > > > > passwords. --ADDENDUM
> > > > > > 
> > > > > > I am (earlier reported under the subject "Peculiar
> > > > > > Problem")
> > > > > > having an issue that started several weeks ago, where
> > > > > > windows
> > > > > > (10 pro, server
> > > > > > 2019) computers randomly get into a state where they refuse
> > > > > > to
> > > > > > validate passwords. Rebooting (sometimes several times)
> > > > > > makes
> > > > > > the problem go away. You can also log in if you disconnect
> > > > > > the
> > > > > > PC from the network and then reconnect.
> > > > > > 
> > > > > > List of changes around the time it started.
> > > > > > 
> > > > > > > Samba upgrade to 4.19.2
> > > > > > > Samba schema upgrade to 2012_R2 functional level
> > > > > > > Samba upgrade to 2008 functional level
> > > > > > 
> > > > > > List of measures taken (hoping that if best practises are
> > > > > > not
> > > > > > being observed, implementing them will fix things!!)
> > > > > > 
> > > > > > > Moved DNS from SAMBA_INTERNAL to BIND_DLZ
> > > > > > > Moved ntp from ntpsec to chrony
> > > > > > 
> > > > > > Diagnostic steps
> > > > > > 
> > > > > > Packet dumps (decoded with keytab) and loglevel 255 show no
> > > > > > glaring issues or errors.
> > > > > > 
> > > > > > Going to try restarting all of the DC's next time it
> > > > > > happens to
> > > > > > determine if the miscommunication originates with windows
> > > > > > or
> > > > > > samba.
> > > > > > 
> > > > > > Windows Eventviewer lists failure as Event ID 4625 Status
> > > > > > 0xC000006D Sub Status 0x0 Failure reason %%2304
> > > > > > 
> > > > > > 
> > > > > > Any other suggestions welcome!!
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > --
> > > > > > To unsubscribe from this list go to the following URL and
> > > > > > read
> > > > > > the
> > > > > > instructions: 
> > > > > > https://lists.samba.org/mailman/options/samba
> > > > > > 
> > > > > > 
> > > 
> > > You mentioned restarting all your DC's. I assume you have more
> > > than 1
> > > DC and enabled audit logging on all your DC's. I also assume you
> > > verified on all DC's the logs do not exist if enabled on all?
> > > 
> > > 
> > > I have 4 DC's. I've got auditing enabled on all of them. And seeing
> > > audit entries on all of them regarding other traffic. The workstation
> > > that misbehaved this morning shows entries on some of them over the
> > > weekend 'NT_STATUS_OK' and earlier. It looks like it is doing a machine
> > > password update.
> > > 
> > > 
> > > 
> > > 
> 
> 
> The fact that you can unplug the device and log back in tells me the
> workstation is using cached credentials to log back in.  
> 
> Try authenticating to the netlogon share from each of your DC's with
> one of the affected usernames. 
> 
> smbclient //localhost/netlogon -Uusername -c 'ls'
> 



> I would also check replication is working as expected and all
> databases match. 
> 
> https://wiki.samba.org/index.php/Samba-tool_ldapcmp
> 
> The biggest change you made was upgrading the schema. Did you ensure
> to include 
> 
> ad dc functional level = 2016
> 
> in the smb.conf file on all your DC's?
> 
> Without log files it's hard to troubleshoot. You need to pull the
> authentication attempt failure to analyze. Do you have other services
> that use your DC for authentication that exhibit similar behavior?  
> 
> 


> The schema upgrade was described in the following wiki page without
> reference to upping the actual domain functional level. Once the
> schema upgrade was successful I upped samba to the maximum allowed --
> 2008. Does samba level need to be equal to its schema? Should we
> update the wiki page to include that?
https://wiki.samba.org/index.php/Azure_AD_Connect_Cloud_sync

FYI samba-tool ldapcmp registers SUCCESS between the main DC and the
others on all comparisons 
samba-tool drs showrepl (something I check every time I install a new
version) is showing 0 failures across the board.

I've got a server that has the problem... I'm looking for ways to
remotely reset the machine password to see if that's the issue. I don't
think it's using cached credentials for the user. If it was, it would
work, as disconnecting the box from the LAN and forcing cached
credentials works every time.
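
An added example, not part of the original message and not Samba project code: one way to do the per-DC audit-log comparison discussed in this thread, summarising for one workstation which statuses each DC logged and when it last saw `NT_STATUS_OK`. It assumes JSON authentication audit lines carrying `status`, `workstation` and `clientAccount` fields; the DC names, accounts and log lines below are constructed.

```python
import json
from collections import defaultdict

# Constructed sample lines shaped like Samba JSON auth audit output; the DC names
# and accounts are made up for this example.
SAMPLE_LOGS = {
    "dc1": [
        '[2023/11/18 03:12:44.120000,  3] constructed non-JSON log header line',
        '  {"timestamp": "2023-11-18T03:12:44.120000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientAccount": "WS01$", "workstation": "WS01", "serviceDescription": "NETLOGON"}}',
        '  {"timestamp": "2023-11-19T03:12:44.120000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientAccount": "WS01$", "workstation": "WS01", "serviceDescription": "NETLOGON"}}',
    ],
    "dc2": [
        '  {"timestamp": "2023-11-20T08:01:02.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "clientAccount": "alice", "workstation": "WS01", "serviceDescription": "SamLogon"}}',
        '  {"timestamp": "2023-11-20T08:05:00.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientAccount": "bob", "workstation": "WS02", "serviceDescription": "SamLogon"}}',
    ],
    "dc3": [],
}

def parse_auth_events(lines):
    """Yield the Authentication object of each JSON audit line; skip other text."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue  # ordinary log text that happens to contain a brace
        if record.get("type") == "Authentication":
            event = dict(record.get("Authentication") or {})
            event["timestamp"] = record.get("timestamp", "")
            yield event

def summarize(logs_by_dc, name):
    """Per DC: status counts and last success for a workstation/machine account."""
    wanted = {name.upper(), name.upper() + "$"}
    summary = {}
    for dc, lines in logs_by_dc.items():
        counts, last_ok = defaultdict(int), None
        for ev in parse_auth_events(lines):
            ids = {str(ev.get("workstation") or "").upper(),
                   str(ev.get("clientAccount") or "").upper()}
            if not ids & wanted:
                continue
            counts[ev.get("status", "UNKNOWN")] += 1
            if ev.get("status") == "NT_STATUS_OK":
                # ISO timestamps in one timezone sort correctly as strings
                last_ok = max(last_ok or "", ev["timestamp"])
        summary[dc] = {"counts": dict(counts), "last_ok": last_ok}
    return summary
```

An empty `counts` for a DC means its log holds no authentication record for that name at all, which is a different finding from a logged failure.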

 


