[Samba] RDP user can login as user@samdom.com but not as SAMDOM\user

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Dec 3 01:08:48 UTC 2021


On Thu, Dec 2, 2021, 18:59 Alex via samba <samba at lists.samba.org> wrote:

> Hi!
> I set up an Ubuntu 18.04.6 Samba 4 server on my home network to practice
> with Samba / AD management, and I noticed an odd behaviour when trying to
> RDP into a domain joined Win10 Pro computer.
> The user is in the computer's Remote Desktop Users group.
> If I login as:
> User:  samuser
> Domain: SAMDOM
> or
> User: SAMDOM\samuser
>
> I get an invalid password error.
>
> If I login as samuser@samdom.com, same password, then it works.
>
> I am not sure if this is just a Windows behaviour I've never noticed
> before, or maybe an issue in my Samba or Kerberos config files. The issue
> is only when logging on via RDP. Locally, I can just login as "samuser", I
> don't need to put samuser@samdom.com in the username field.
> I've included a copy of my config files and relevant event viewer error.
>
> Any tips would be appreciated!
>
> Peter
>
> ------- smb.conf
> [global]
>         netbios name = SRV01
>         realm = SAMDOM.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = SAMDOM
>         idmap_ldb:use rfc2307 = yes
>         disable netbios = yes
>

Maybe 'disable netbios' is to blame?


> [netlogon]
>         path = /var/lib/samba/sysvol/samdom.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> ------ krb5.conf
>
> [libdefaults]
>         default_realm = SAMDOM.COM
>         dns_lookup_kdc = true
>         dns_lookup_realm = false
>
> # The following krb5.conf variables are only for MIT Kerberos.
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         ticket_lifetime = 24h
>         proxiable = true
>         fcc-mit-ticketflags = true
>
> [logging]
>         default = FILE:/var/log/krb5/krb.log
>         kdc = FILE:/var/log/krb5/kdc.log
>         admin_server = FILE:/var/log/kadmind.log
>
> [realms]
>         SAMDOM.COM = {
>                 admin_server = srv01.samdom.com
>                 default_domain = samdom.com
>                 master_kdc = srv01.samdom.com
>                 kdc = srv01.samdom.com
>         }
>
> ----- Windows Event Viewer - Security entry for failed RDP
>
> An account failed to log on.
>
> Subject:
> Security ID: NULL SID
> Account Name: -
> Account Domain: -
> Logon ID: 0x0
>
> Logon Type: 3
>
> Account For Which Logon Failed:
> Security ID: NULL SID
> Account Name: samuser
> Account Domain: SAMDOM
>
> Failure Information:
> Failure Reason: Unknown user name or bad password.
> Status: 0xC000006D
> Sub Status: 0xC000006A
>
> Process Information:
> Caller Process ID: 0x0
> Caller Process Name: -
>
> Network Information:
> Workstation Name: DESKTOP-00000
> Source Network Address: 192.168.1.5
> Source Port: 0
>
> Detailed Authentication Information:
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Transited Services: -
> Package Name (NTLM only): -
> Key Length: 0
>
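An added example, not part of the original thread: Python code that parses the failed-logon event text quoted above section by section (field names such as "Account Name" repeat across sections) and decodes the fields used for triage. The sample event is constructed from the quoted post, the layout is assumed to match that text, and the function names are hypothetical.

```python
# Constructed sample: fields copied from the event quoted in the thread.
EVENT_TEXT = """\
Subject:
Account Name: -

Logon Type: 3

Account For Which Logon Failed:
Account Name: samuser
Account Domain: SAMDOM

Failure Information:
Status: 0xC000006D
Sub Status: 0xC000006A

Detailed Authentication Information:
Authentication Package: NTLM
"""

NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def parse_event(text):
    """Return {section: {field: value}}; fields outside a section go under ""."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()      # tolerate mail-quoted input
        if not line:                         # blank line closes the section
            current = ""
            continue
        key, sep, value = line.partition(":")
        if not sep:                          # free text, e.g. the event title
            continue
        if value.strip() == "":              # "Subject:" opens a section
            current = key.strip()
            sections[current] = {}
        else:
            sections[current][key.strip()] = value.strip()
    return sections

def triage(text):
    """Summarise who failed, over which logon type and package, and why."""
    ev = parse_event(text)
    who, fail = ev["Account For Which Logon Failed"], ev["Failure Information"]
    decode = lambda s: NTSTATUS.get(int(s, 16), s)   # unknown codes stay as hex
    return {"account": who["Account Domain"] + "\\" + who["Account Name"],
            "logon_type": LOGON_TYPES.get(int(ev[""]["Logon Type"]), "other"),
            "package": ev["Detailed Authentication Information"]["Authentication Package"],
            "status": decode(fail["Status"]), "sub_status": decode(fail["Sub Status"])}
```

For the event in the thread, the result shows the failing SAMDOM\samuser attempt was an NTLM network logon rejected with STATUS_WRONG_PASSWORD.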

