[Samba] Windows 11 22h1 Beta (Build 22581) client refuses to auth with Samba DC

Luke Barone lukebarone at gmail.com
Fri Apr 8 17:23:24 UTC 2022


My smb.conf file on the DC (working with regular Win 11 and all the Win 10
machines):

# testparm -s
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
        bind interfaces only = Yes
        disable netbios = Yes
        interfaces = lo enp1s0
        ntlm auth = ntlmv1-permitted
        passdb backend = samba_dsdb
        realm = AD.DOMAIN.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        winbind separator = /
        workgroup = EDGE
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /var/lib/samba/sysvol/ad.domain.com/scripts
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

(The ntlm auth line is for an external service we rely on)

On Fri, Apr 8, 2022 at 10:14 AM Luke Barone <lukebarone at gmail.com> wrote:

> This is happening to me on Build 22593 as well. I created a new Win11 VM,
> ran all the Windows Updates, and cannot join it to a domain setup with only
> Samba Domain Controllers. I tried a standard user account, my account
> (member of the Domain Admins group), and the Domain Administrator account,
> all saying "Incorrect username and password".
>
> If someone can show me how to turn the logging for join events on the
> domain controller, I'd get those errors. In the Windows Event Log, it's
> failing with error 1326.
>
> I got it joined just now by using "*username at ad.domain.com*" instead of
> just *username* or *AD\username*.
> However, I cannot sign in (using anything at all).
>
> On Sun, Apr 3, 2022 at 7:07 PM Andrew Bartlett via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 2022-04-01 at 15:18 -0500, Daniel Givens via samba wrote:
>> > I wanted to be sure you all were aware of an issue that's come up in
>> > recent Insider builds of Windows 11. I upgraded my local Windows 11
>> > to the most recent beta build 22581 and had to roll back because I
>> > was unable to login to the system. The logs on my Samba domain
>> > controller indicate the authentication is successful, but Windows
>> > says I entered an incorrect password.
>> >
>> > According to u/BFeely1, in a Reddit post[1], they've submitted
>> > feedback about it, but I don't have much hope Microsoft is going to
>> > make it a high priority to resolve. I wasn't able to find any reports
>> > to this mailing list or in any Samba related bug tracking for the
>> > project or any distribution trackers mentioning the issue.
>> >
>> > I would like to help if I can, but I would need some direction on
>> > what info would be useful.
>>
>> Thanks.  Given your description, it is going to be difficult to fix
>> this - far easier if Samba is rejecting the request.
>>
>> If a Samba developer was to raise this with Microsoft, I think the
>> first thing MS would want would be a paired network (wireshark PCAP or
>> PCAPng) and TTD trace.
>>
>>
>> https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-record
>>
>> A comparative trace with a windows DC joined to the same domain,
>> alongside a full keytab (samba-tool domain exportkeytab) for that
>> (TEST!) domain would also be very useful.
>>
>> Sadly I've not had any customers ask about this yet, so I've not been
>> able to put any time into this myself.
>>
>> Sorry,
>>
>> Andrew Bartlett
>>
>>
>> --
>> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
>> Samba Team Member (since 2001) https://samba.org
>> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>>
>> Samba Development and Support, Catalyst IT - Expert Open Source
>> Solutions
>>
>>
>>
>

