[Samba] Windows 11 22h1 Beta (Build 22581) client refuses to auth with Samba DC

Luke Barone lukebarone at gmail.com
Tue Apr 26 18:14:37 UTC 2022


Still happening on Windows 11 build 22598.200.

Found a workaround on the Feedback Hub (https://aka.ms/AAfikdn, Windows
only) to set the Encryption Types allowed for Kerberos:

Local Security Policy > Local Policies > Security Options > Network
security: Configure encryption types allowed for Kerberos
Check only DES_CBC_CRC and DES_CBC_MD5

I'd like to give credit, but the Feedback Hub does not let me copy the
username, and it's not in my alphabet.

On Fri, Apr 8, 2022 at 10:23 AM Luke Barone <lukebarone at gmail.com> wrote:

> My smb.conf file on the DC (working with regular Win 11 and all the Win 10
> machines):
>
> # testparm -s
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> # Global parameters
> [global]
>         bind interfaces only = Yes
>         disable netbios = Yes
>         interfaces = lo enp1s0
>         ntlm auth = ntlmv1-permitted
>         passdb backend = samba_dsdb
>         realm = AD.DOMAIN.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         winbind separator = /
>         workgroup = EDGE
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         map archive = No
>         vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.domain.com/scripts
>         read only = No
>
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> (The ntlm auth line is for an external service we rely on)
>
> On Fri, Apr 8, 2022 at 10:14 AM Luke Barone <lukebarone at gmail.com> wrote:
>
>> This is happening to me on Build 22593 as well. I created a new Win11 VM,
>> ran all the Windows Updates, and cannot join it to a domain setup with only
>> Samba Domain Controllers. I tried a standard user account, my account
>> (member of the Domain Admins group), and the Domain Administrator account,
>> all saying "Incorrect username and password".
>>
>> If someone can show me how to turn on logging for join events on the
>> domain controller, I'd get those errors. In the Windows Event Log, it's
>> failing with error 1326.
>>
>> I got it joined just now by using "username at ad.domain.com" instead of
>> just "username" or "AD\username".
>> However, I cannot sign in (using anything at all).
>>
>> On Sun, Apr 3, 2022 at 7:07 PM Andrew Bartlett via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Fri, 2022-04-01 at 15:18 -0500, Daniel Givens via samba wrote:
>>> > I wanted to be sure you all were aware of an issue that's come up in
>>> > recent Insider builds of Windows 11. I upgraded my local Windows 11
>>> > to the most recent beta build 22581 and had to roll back because I
>>> > was unable to login to the system. The logs on my Samba domain
>>> > controller indicate the authentication is successful, but Windows
>>> > says I entered an incorrect password.
>>> >
>>> > According to the u/BFeely1, in a Reddit post[1], they've submitted
>>> > feedback about it, but I don't have much hope Microsoft is going to
>>> > make it a high priority to resolve. I wasn't able to find any reports
>>> > to this mailing list or in any Samba related bug tracking for the
>>> > project or any distribution trackers mentioning the issue.
>>> >
>>> > I would like to help if I can, but I would need some direction on
>>> > what info would be useful.
>>>
>>> Thanks.  Given your description, it is going to be difficult to fix
>>> this - far easier if Samba is rejecting the request.
>>>
>>> If a Samba developer was to raise this with Microsoft, I think the
>>> first thing MS would want would be a paired network (wireshark PCAP or
>>> PCAPng) and TTD trace.
>>>
>>>
>>> https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-record
>>>
>>> A comparative trace with a windows DC joined to the same domain,
>>> alongside a full keytab (samba-tool domain exportkeytab) for that
>>> (TEST!) domain would also be very useful.
>>>
>>> Sadly I've not had any customers ask about this yet, so I've not been
>>> able to put any time into this myself.
>>>
>>> Sorry,
>>>
>>> Andrew Bartlett
>>>
>>>
>>> --
>>> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
>>> Samba Team Member (since 2001) https://samba.org
>>> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>>>
>>> Samba Development and Support, Catalyst IT - Expert Open Source
>>> Solutions
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
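As an added illustration of the workaround described at the top of this message (this is an added example, not code from the thread or from the Samba project): the Local Security Policy entry "Network security: Configure encryption types allowed for Kerberos" is backed by the DWORD value SupportedEncryptionTypes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters, and it uses the same bit layout as the msDS-SupportedEncryptionTypes attribute on AD accounts. The script below reads and decodes that value, applies the DES-only setting from the workaround (mask 0x3) so it can be reproduced on a test VM without clicking through the MMC, and removes it again. DES is deprecated for Kerberos (RFC 6649) and disabled by default on Windows since Windows 7, so treat this as a diagnostic change to revert once the client-side problem is fixed, not as a standing configuration. Assumptions: it runs in an elevated PowerShell session on the affected Windows 11 client, and the function names are mine.

```powershell
# Added example (not from the thread): inspect, set and revert the registry value
# behind "Network security: Configure encryption types allowed for Kerberos".
# Assumes an elevated session on the Windows client.
$KerbParams = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$ValueName  = 'SupportedEncryptionTypes'

# Bit flags of the DWORD; same layout as AD's msDS-SupportedEncryptionTypes.
$EncTypes = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
    FUTURE_ENCRYPTION_TYPES = 0x7FFFFFE0
}

function ConvertTo-KerberosEncTypeNames {
    # Decode a SupportedEncryptionTypes mask into the policy's checkbox names.
    param([Parameter(Mandatory)][uint32]$Mask)
    $names = foreach ($e in $EncTypes.GetEnumerator()) {
        if ($Mask -band $e.Value) { $e.Key }
    }
    if (-not $names) { return @('<none: every type unchecked>') }
    return $names
}

function Get-KerberosEncTypePolicy {
    # Returns $null when the value is absent, i.e. the policy is "Not Defined".
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]([int64]$item.$ValueName -band 0xFFFFFFFF)
}

function Set-KerberosEncTypePolicy {
    # Build the mask from checkbox names and write it as a REG_DWORD.
    param([Parameter(Mandatory)][string[]]$Allow)
    $mask = 0
    foreach ($n in $Allow) {
        if (-not $EncTypes.Contains($n)) { throw "Unknown encryption type: $n" }
        $mask = $mask -bor $EncTypes[$n]
    }
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name $ValueName -PropertyType DWord -Value $mask -Force | Out-Null
    return $mask
}

function Remove-KerberosEncTypePolicy {
    # Deleting the value returns the client to "Not Defined" (Windows defaults).
    Remove-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
}

# --- Usage ---
$before = Get-KerberosEncTypePolicy
if ($null -eq $before) {
    'Current policy: Not Defined'
} else {
    'Current policy: 0x{0:X} = {1}' -f $before, ((ConvertTo-KerberosEncTypeNames $before) -join ', ')
}

# The workaround from the thread: DES_CBC_CRC and DES_CBC_MD5 only (mask 0x3).
$mask = Set-KerberosEncTypePolicy -Allow DES_CBC_CRC, DES_CBC_MD5
'Set {0} to 0x{1:X} ({2})' -f $ValueName, $mask, ((ConvertTo-KerberosEncTypeNames $mask) -join ', ')

# Drop cached tickets so the next AS-REQ is built with the new enctype list.
klist purge | Out-Null

# To undo the workaround later:
# Remove-KerberosEncTypePolicy
```

The same bit values can be read on the Samba side for the machine account being joined, which is useful when comparing what the client offers against what the KDC holds for it: `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=HOST$)' msDS-SupportedEncryptionTypes` (replace HOST$ with the computer account name).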