[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
Denis CARDON
dcardon at tranquil.it
Mon Oct 3 09:15:26 UTC 2022
Hi everyone,
we had a call last week from a client with a win11 workstation that
upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.
There are a few related post on reddit [1] and it seems to be linked to
this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue,
probably due to the integration of with Heimdal-8.0pre.
The issue is due to a timestamp in the TGS-REQ where it is set to max
value in Microsoft kerberos client instead of the usual 2038 timestamp
(till=99990913024805Z), and Microsoft says it is by the specs [3] and
won't be changed.
I didn't found any Samba bugzilla entry for this bug, which is going to
get widespread quite fast as Microsoft starts force-feeding this upgrade
on unsuspicious end users. I can create a bugzilla entry if there is
none yet.
There is only one supported version that is impacted (4.15), but it
should at least be more communication to encourage people to upgrade
before being bitten by this issue.
Cheers,
Denis
[1]
https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
[2] https://github.com/heimdal/heimdal/issues/1011
[3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488
More information about the samba
mailing list