[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

Denis CARDON dcardon at tranquil.it
Mon Oct 3 09:15:26 UTC 2022

Hi everyone,

we had a call last week from a client with a win11 workstation that 
upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.

There are a few related post on reddit [1] and it seems to be linked to 
this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, 
probably due to the integration of with Heimdal-8.0pre.

The issue is due to a timestamp in the TGS-REQ where it is set to max 
value in Microsoft kerberos client instead of the usual 2038 timestamp 
(till=99990913024805Z), and Microsoft says it is by the specs [3] and 
won't be changed.

I didn't found any Samba bugzilla entry for this bug, which is going to 
get widespread quite fast as Microsoft starts force-feeding this upgrade 
on unsuspicious end users. I can create a bugzilla entry if there is 
none yet.

There is only one supported version that is impacted (4.15), but it 
should at least be more communication to encourage people to upgrade 
before being bitten by this issue.



[2] https://github.com/heimdal/heimdal/issues/1011
[3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488

More information about the samba mailing list