[Samba] Smart cards and Windows 11 22H2
rj_t1 at redglow.org
Thu Nov 10 19:35:42 UTC 2022
As our users have been installing the Windows 11 22H2 update, smart card authentication has been breaking for them. Password-based authentication works fine. Our setup:
- Two AD DCs running Samba 4.17.2 on Rocky Linux
- File server as domain member, running Samba 4.17.2 on Rocky
A client, a Windows domain member on 22H2, tries to use their smart card and gets “\\fileserver\share is not accessible. You might not have permission to use this network resource. …” It works just fine from Windows 11 21H2.
(I don’t think it has anything directly to do with Samba-as-file-server, because we get the same behavior when trying to use smart cards to authenticate RDP to another Windows domain member.)
The logs on the DCs indicate that the client successfully authenticates with their smart card (as far as I understand), at the time of the file server access:
Nov 10 09:08:59 dctwo samba: Auth: [Kerberos KDC,PK-INIT(ietf) Pre-authentication] user [(null)]\[user at example.com] at [Thu, 10 Nov 2022 09:08:59.966192 EST] with [DC=com,DC=example,emailAddress=user at example.com,CN=Example User,OU=Users,O=Example,L=City,S=State,C=US] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:client-ip-address:54788] became [EXAMPLE]\[user] [S-1-5-21-2701415260-1665427813-2465724181-1272]. local host [NULL]
There’s nothing obvious in the file server logs, at least without debug-level logging.
Where should we look/log to help sort this out?
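Added example, not from the poster or the Samba project: a small parser for the Samba "Auth:" audit line quoted above, which tallies PKINIT (smart card) logons per account and status so a successful certificate logon on the DC can be lined up against the later share or RDP failure. The regex is derived only from the one line in the post; the field names, the second sample line and its status value are constructed assumptions.

```python
import re
from typing import Iterable, Optional

# Regex for the "Auth:" audit line the Samba KDC emits, in the shape of the
# line quoted in the post (group names are my own, not Samba's). The
# "became [DOM]\[user] [SID]" part only appears on success, so it is optional;
# the leading ".*?" skips the syslog timestamp/host/program prefix.
AUTH_RE = re.compile(
    r".*?Auth: \[(?P<method>[^\]]+)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] "
    r"at \[(?P<when>[^\]]+)\] with \[(?P<with>[^\]]*)\] status \[(?P<status>[^\]]+)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
    r"(?: became \[(?P<mapped_domain>[^\]]*)\]\\\[(?P<mapped_user>[^\]]*)\] \[(?P<sid>[^\]]*)\])?"
)

def parse_auth_line(line: str) -> Optional[dict]:
    """Return the fields of one Samba 'Auth:' line, or None if the line is not one."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pkinit"] = "PK-INIT" in ev["method"]      # certificate/smart card pre-auth
    ev["success"] = ev["status"] == "NT_STATUS_OK"
    return ev

def pkinit_summary(lines: Iterable[str]) -> dict:
    """Count PKINIT authentications keyed by (account, status)."""
    summary: dict = {}
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or not ev["pkinit"]:
            continue
        key = (ev["account"], ev["status"])
        summary[key] = summary.get(key, 0) + 1
    return summary

# Constructed sample: the line from the post (the archive prints "@" as " at ")
# plus a made-up failure line whose exact wording is an assumption.
SAMPLE_LOG = [
    "Nov 10 09:08:59 dctwo samba: Auth: [Kerberos KDC,PK-INIT(ietf) Pre-authentication] "
    "user [(null)]\\[user at example.com] at [Thu, 10 Nov 2022 09:08:59.966192 EST] "
    "with [DC=com,DC=example,emailAddress=user at example.com,CN=Example User,OU=Users,"
    "O=Example,L=City,S=State,C=US] status [NT_STATUS_OK] workstation [(null)] "
    "remote host [ipv4:client-ip-address:54788] became [EXAMPLE]\\[user] "
    "[S-1-5-21-2701415260-1665427813-2465724181-1272]. local host [NULL]",
    "Nov 10 09:09:01 dctwo samba: Auth: [Kerberos KDC,PK-INIT(ietf) Pre-authentication] "
    "user [(null)]\\[other at example.com] at [Thu, 10 Nov 2022 09:09:01.120000 EST] "
    "with [-] status [NT_STATUS_LOGON_FAILURE] workstation [(null)] "
    "remote host [ipv4:192.0.2.10:54790]. local host [NULL]",
]

if __name__ == "__main__":
    for key, count in sorted(pkinit_summary(SAMPLE_LOG).items()):
        print(key, count)
```

Run it against `journalctl -u samba` output (or wherever the DC's auth audit messages land) to confirm the PKINIT logon is recorded as NT_STATUS_OK and to capture the SID the client was mapped to before checking the file server side.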