[Samba] Windows 11 22h1 Beta (Build 22581) client refuses to auth with Samba DC
Luke Barone
lukebarone at gmail.com
Fri Apr 8 17:23:24 UTC 2022
My smb.conf file on the DC (working with regular Win 11 and all the Win 10
machines):
# testparm -s
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
	bind interfaces only = Yes
	disable netbios = Yes
	interfaces = lo enp1s0
	ntlm auth = ntlmv1-permitted
	passdb backend = samba_dsdb
	realm = AD.DOMAIN.COM
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	winbind separator = /
	workgroup = EDGE
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external
	winbindd:use external pipes = true
	idmap_ldb:use rfc2307 = yes
	idmap config * : backend = tdb
	map archive = No
	vfs objects = dfs_samba4 acl_xattr

[netlogon]
	path = /var/lib/samba/sysvol/ad.domain.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
(The ntlm auth line is for an external service we rely on)
On Fri, Apr 8, 2022 at 10:14 AM Luke Barone <lukebarone at gmail.com> wrote:
> This is happening to me on Build 22593 as well. I created a new Win11 VM,
> ran all the Windows Updates, and cannot join it to a domain setup with only
> Samba Domain Controllers. I tried a standard user account, my account
> (member of the Domain Admins group), and the Domain Administrator account,
> all saying "Incorrect username and password".
>
> If someone can show me how to turn the logging for join events on the
> domain controller, I'd get those errors. In the Windows Event Log, it's
> failing with error 1326.
>
> I got it joined just now by using "*username@ad.domain.com*" instead of
> just *username* or *AD\username*.
> However, I cannot sign in (using anything at all).
>
> On Sun, Apr 3, 2022 at 7:07 PM Andrew Bartlett via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 2022-04-01 at 15:18 -0500, Daniel Givens via samba wrote:
>> > I wanted to be sure you all were aware of an issue that's come up in
>> > recent Insider builds of Windows 11. I upgraded my local Windows 11
>> > to the most recent beta build 22581 and had to roll back because I
>> > was unable to login to the system. The logs on my Samba domain
>> > controller indicate the authentication is successful, but Windows
>> > says I entered an incorrect password.
>> >
>> > According to u/BFeely1, in a Reddit post[1], they've submitted
>> > feedback about it, but I don't have much hope Microsoft is going to
>> > make it a high priority to resolve. I wasn't able to find any reports
>> > to this mailing list or in any Samba related bug tracking for the
>> > project or any distribution trackers mentioning the issue.
>> >
>> > I would like to help if I can, but I would need some direction on
>> > what info would be useful.
>>
>> Thanks. Given your description, it is going to be difficult to fix
>> this - far easier if Samba is rejecting the request.
>>
>> If a Samba developer was to raise this with Microsoft, I think the
>> first thing MS would want would be a paired network (wireshark PCAP or
>> PCAPng) and TTD trace.
>>
>>
>> https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-record
>>
>> A comparative trace with a windows DC joined to the same domain,
>> alongside a full keytab (samba-tool domain exportkeytab) for that
>> (TEST!) domain would also be very useful.
>>
>> Sadly I've not had any customers ask about this yet, so I've not been
>> able to put any time into this myself.
>>
>> Sorry,
>>
>> Andrew Bartlett
>>
>>
>> --
>> Andrew Bartlett (he/him) https://samba.org/~abartlet/
>> Samba Team Member (since 2001) https://samba.org
>> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
>>
>> Samba Development and Support, Catalyst IT - Expert Open Source
>> Solutions
>>
>>
>
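The thread reports that the DC logs the authentication as successful while the Windows client shows "incorrect password". The following is an added example, not part of the thread and not Samba project code: it reads Samba's JSON authentication audit lines and lists the clients for which the DC recorded only NT_STATUS_OK. It assumes JSON auth auditing is enabled on the DC (for example `log level = 1 auth_json_audit:3`) and that records carry the `status`, `clientAccount` and `remoteAddress` fields; the helper names and all sample lines are constructed.

```python
import json
from collections import Counter, defaultdict

MARKER = "JSON Authentication: "

def _sample(status, account, remote, service, ptype):
    """Build one constructed line shaped like Samba's JSON auth audit output."""
    body = {"status": status, "clientAccount": account, "remoteAddress": remote,
            "serviceDescription": service, "passwordType": ptype}
    return "  " + MARKER + json.dumps({"type": "Authentication", "Authentication": body})

# Constructed sample data (not from the thread): an always-accepted client, a real bad password, noise.
SAMPLE_LOG = "\n".join([
    "[2022/04/08 10:14:01.000000,  3] (constructed log header line)",
    _sample("NT_STATUS_OK", "username", "ipv4:192.0.2.50:49712", "Kerberos KDC", "aes256-cts-hmac-sha1-96"),
    _sample("NT_STATUS_OK", "username", "ipv4:192.0.2.50:49713", "SMB2", None),
    _sample("NT_STATUS_WRONG_PASSWORD", "other", "ipv4:192.0.2.77:50100", "NTLMSSP", "NTLMv2"),
    "  " + MARKER + "{truncated",
])

def parse_auth_events(text):
    """Return the inner "Authentication" objects, skipping non-audit and malformed lines."""
    events = []
    for line in text.splitlines():
        _, found, payload = line.partition(MARKER)
        if not found:
            continue
        try:
            record = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or interleaved log line
        if isinstance(record, dict) and isinstance(record.get("Authentication"), dict):
            events.append(record["Authentication"])
    return events

def outcomes_by_client(events):
    """Map (account, client address without port) -> Counter of NT status codes."""
    table = defaultdict(Counter)
    for ev in events:
        host = str(ev.get("remoteAddress") or "").rsplit(":", 1)[0]
        table[(ev.get("clientAccount") or "", host)][ev.get("status")] += 1
    return dict(table)

def accepted_everywhere(table):
    """Clients for which the DC logged only NT_STATUS_OK: a failure seen there is client-side."""
    return sorted(key for key, counts in table.items() if set(counts) == {"NT_STATUS_OK"})

if __name__ == "__main__":
    print(accepted_everywhere(outcomes_by_client(parse_auth_events(SAMPLE_LOG))))
```

A client that appears in this list yet still cannot sign in matches the behaviour described in the thread, and is the case where a paired network capture from both ends is needed.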