[Samba] Windows 10 21H1: Domain users can't log in

Fri Oct 22 17:00:24 UTC 2021

Samba version: 4.15.0
Windows client version: Windows 10 Pro 21H1

With considerable help from this list I got my Samba AD-DC up and 
running and added some users:

--------------------------
root at samba-dc:/etc# samba-tool user show patrickgoetz
dn: CN=patrickgoetz,CN=Users,DC=ea,DC=linuxcs,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: patrickgoetz
instanceType: 4
whenCreated: 20211022132810.0Z
uSNCreated: 4082
name: patrickgoetz
objectGUID: 4804c5ec-b06c-4fca-a89a-636c55a34645
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-119141497-3680845326-3410742159-1104
sAMAccountName: patrickgoetz
sAMAccountType: 805306368
userPrincipalName: patrickgoetz at ea.linuxcs.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ea,DC=linuxcs,DC=com
userAccountControl: 66048
accountExpires: 0
lastLogonTimestamp: 132793878419244250
pwdLastSet: 132793913687487360
whenChanged: 20211022154928.0Z
uSNChanged: 4100
lastLogon: 132793941436045700
logonCount: 9
distinguishedName: CN=patrickgoetz,CN=Users,DC=ea,DC=linuxcs,DC=com
--------------------------

And was able to bind my Windows 10 client to the domain (which for some 
reason took a long time; well over an hour):

--------------------------
root at samba-dc:/etc# samba-tool computer show ibs100$
dn: CN=IBS100,CN=Computers,DC=ea,DC=linuxcs,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: IBS100
instanceType: 4
whenCreated: 20211022133340.0Z
uSNCreated: 4087
name: IBS100
objectGUID: ece89aa4-3a09-4d17-9924-e1e078e1398c
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 132793832203610020
primaryGroupID: 515
objectSid: S-1-5-21-119141497-3680845326-3410742159-1105
accountExpires: 9223372036854775807
sAMAccountName: IBS100$
sAMAccountType: 805306369
dNSHostName: ibs100.ea.linuxcs.com
servicePrincipalName: HOST/ibs100.ea.linuxcs.com
servicePrincipalName: RestrictedKrbHost/ibs100.ea.linuxcs.com
servicePrincipalName: HOST/IBS100
servicePrincipalName: RestrictedKrbHost/IBS100
objectCategory: 
CN=Computer,CN=Schema,CN=Configuration,DC=ea,DC=linuxcs,DC=com
isCriticalSystemObject: FALSE
lastLogonTimestamp: 132793854775159630
whenChanged: 20211022141117.0Z
operatingSystem: Windows 10 Pro
operatingSystemVersion: 10.0 (19043)
msDS-SupportedEncryptionTypes: 28
uSNChanged: 4090
lastLogon: 132793935819108290
logonCount: 7
distinguishedName: CN=IBS100,CN=Computers,DC=ea,DC=linuxcs,DC=com
--------------------------

However I am unable to do a domain login with this user account using 
either patrickgoetz or EA\patrickgoetz

The response is "The user name or password is incorrect. Try again."

As a reality check I used `samba-tool user setpassword patrickgoetz` to 
reset the password.

I ran all the tests suggested on the Samba Wiki to make sure 
DNS/Kerberos are working correctly on the DC.

When I look in the Event log on the Windows 10 client, I see User Device 
Registration Errors that look like this:

--------------------------
Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c001d
Server error:
Tenant type: undefined
Registration type: undefined
Debug Output:
joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: 36846c7a-1563-414b-bbc3-e84fda33ac37
adalLog:
undefined
adalResponseCode: 0x0
--------------------------

followed by:

--------------------------
Automatic registration failed. Failed to lookup the registration service 
information from Active Directory. Exit code: Unknown HResult Error 
code: 0x801c001d. See http://go.microsoft.com/fwlink/?LinkId=623042
--------------------------

The usual helpful Windows error logs. <:)

The Windows host has the IP address of the Samba AD-DC set as its 
primary DNS server. I haven't configured any kind of file sharing 
service yet, nor install GPO templates, or anything like this.  Trying 
to take it one step at a time.

Anyone have any idea why I can't log in?