[Samba] Printserver after latest MS updates

Achim Gottinger achim at ag-web.biz
Mon Oct 25 14:03:59 UTC 2021



On 25.10.2021 at 13:51, cn--- via samba wrote:
> On 25.10.21 at 13:47, Achim Gottinger via samba wrote:
>>
>>
>> On 25.10.2021 at 11:14, L.P.H. van Belle via samba wrote:
>>>> Hello Christian and Louis,
>>>>
>>>> I assume both of you use domain accounts for testing.
>>> Yes, that is correct.
>>>
>>>> Does printing and connecting new printers also work with local non
>>>> domain accounts?
>>> I don't have any "non domain" accounts here.
>>>
>>>> Here this (local account printing) works
>>>> with Windows 11 but not with Windows 10 LTSC ( I assume
>>>> windows server 2019 will be affected as well). I did not
>>>> release the October update on our WSUS servers here, but last
>>>> Friday a work colleague called because he could no longer
>>>> print to the office from his home office pc (Windows 10 Pro,
>>>> local account). Afterwards I started testing and posted
>>>> results here a few days ago for comparison.
>>> I do have 2 Windows 11 PCs currently; these also work as far as I know.
>>> I'll let that user print some for me.
>>> All Windows 10 versions I have running are 2004 or up.
>>>
>> Thank you for the reply.
>> For the sake of completeness I tried it with Windows Server 2019 Version 1809 with Update 2021-10 installed.
>> Again no issues with domain accounts, but with a local administrator, if I try to connect a printer, a credential window pops up, and after entering domain credentials again a dialog pops up saying
>> the account is not allowed to install/access this printer.
>> So only Windows 11 seems to work with local accounts. The colleague first having the problem here uses Windows 10 21H2.
>>
>> This is the log (level 2) when I connect to a printer (Debian stretch, Samba 4.10) from Server 2019 logged in with a domain account. Seems to be all Kerberos here.
>>
>> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.715406,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>> Okt 25 11:39:57 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.715385 UTC] Remote host [ipv4:192....:50475]
>> local host [ipv4:192....:445]
>> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.814763,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>> Okt 25 11:39:57 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.814742 UTC] Remote host [ipv4:192....:50475]
>> local host [ipv4:192....:445]
>> Okt 25 11:39:57 ad-test smbd[57830]: [2021/10/25 11:39:57.914702,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>> Okt 25 11:39:57 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.914680 UTC] Remote host [ipv4:192....:50475]
>> local host [ipv4:192....:445]
>> Okt 25 11:39:58 ad-test smbd[57830]: [2021/10/25 11:39:58.020295,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
>> Okt 25 11:39:58 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:58.020273 UTC] Remote host [ipv4:192....:50475]
>> local host [ipv4:192....:445]
>>
>> Same test environment, local account, non-working printer connect attempt:
>>
>> Okt 25 11:43:16 ad-test smbd[57852]: [2021/10/25 11:43:16.553308,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>> Okt 25 11:43:16 ad-test smbd[57852]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.553281 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
>> [S2019-TEST] remote host [ipv4:192....:59221] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445]
>> Okt 25 11:43:16 ad-test smbd[57853]: [2021/10/25 11:43:16.648050,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>> Okt 25 11:43:16 ad-test smbd[57853]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.648022 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
>> [S2019-TEST] remote host [ipv4:192....:59222] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445]
>> Okt 25 11:43:16 ad-test smbd[57854]: [2021/10/25 11:43:16.683346,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>> Okt 25 11:43:16 ad-test smbd[57854]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.683315 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation
>> [S2019-TEST] remote host [ipv4:192....:59223] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192....:445]
>
> Which points to the fact that Rowland mentioned. The computers try to use NTLM, which fails for non-domain computers?! Or am I wrong here?
>
> Here is a link I have found which talks about the NTLM problem.
>
> https://borncity.com/win/2021/10/19/microsoft-besttigt-windows-netzwerkdruckproblem-nach-oktober-2021-updates/
>

Indeed, which raises the question: can Kerberos be used with a local account?
A quick web search showed there is a kinit utility that comes with the Sun/Oracle Java JDK.
I can kinit successfully and klist shows a valid ticket, but if I connect to the Samba server I'm asked for credentials again. The log shows a failed NTLMv2 password.
Same with the Heimdal Kerberos client and Secure Endpoints Network Identity Manager.
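
Added example, not part of the original post: a small Python triage script that reads smbd auth log lines in the format quoted above and counts failed NTLMSSP logons made with machine-local accounts, the failure pattern shown in the second log excerpt. The sample lines (unwrapped to one event per line), the 192.0.2.x addresses, the `alice`/`PC7` entry and the "account domain equals workstation name" heuristic are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the smbd lines quoted in this thread, one
# event per line; addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = r"""
Okt 25 11:39:57 ad-test smbd[57830]:   Successful AuthZ: [spoolss,ncacn_np] user [TEST]\[Administrator] [S-1-5-21-XXX-500] at [Mo, 25 Okt 2021 11:39:57.715385 UTC] Remote host [ipv4:192.0.2.10:50475] local host [ipv4:192.0.2.1:445]
Okt 25 11:43:16 ad-test smbd[57852]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.553281 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [S2019-TEST] remote host [ipv4:192.0.2.20:59221] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192.0.2.1:445]
Okt 25 11:43:16 ad-test smbd[57853]:   Auth: [SMB2,NTLMSSP] user [S2019-TEST]\[Administrator] at [Mo, 25 Okt 2021 11:43:16.648022 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [S2019-TEST] remote host [ipv4:192.0.2.20:59222] mapped to [S2019-TEST]\[Administrator]. local host [ipv4:192.0.2.1:445]
Okt 25 11:50:02 ad-test smbd[57901]:   Auth: [SMB2,NTLMSSP] user [TEST]\[alice] at [Mo, 25 Okt 2021 11:50:02.100000 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PC7] remote host [ipv4:192.0.2.30:49800] mapped to [TEST]\[alice]. local host [ipv4:192.0.2.1:445]
"""

AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<mech>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] at \[[^\]]+\] "
    r"with \[(?P<pwtype>[^\]]+)\] status \[(?P<status>[^\]]+)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]+)\]")
AUTHZ_RE = re.compile(
    r"Successful AuthZ: \[(?P<service>[^,\]]+),(?P<transport>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]")

def parse_events(text):
    """Return one dict per Auth / Successful AuthZ line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("auth", AUTH_RE), ("authz", AUTHZ_RE)):
            m = rx.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events

def local_account_ntlm_failures(events):
    """Count failed NTLMSSP logons whose account domain is the client's own name."""
    # Heuristic (assumption): domain == workstation means a machine-local account,
    # as with the Administrator account of S2019-TEST in the thread's second log.
    hits = Counter()
    for e in events:
        if (e["kind"] == "auth" and e["mech"] == "NTLMSSP"
                and e["status"] != "NT_STATUS_OK"
                and e["domain"].lower() == e["workstation"].lower()):
            host = e["remote"].rsplit(":", 1)[0]  # drop the source port
            hits[(e["workstation"], e["user"], e["pwtype"], host)] += 1
    return hits

if __name__ == "__main__":
    for key, n in local_account_ntlm_failures(parse_events(SAMPLE_LOG)).items():
        print(n, *key)
```

The failed logon for `TEST\alice` from `PC7` is parsed but not counted, because its account domain differs from the workstation name.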






