[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

Rowland Penny rpenny at samba.org
Mon Oct 3 10:27:44 UTC 2022



On 03/10/2022 10:15, Denis CARDON via samba wrote:
> Hi everyone,
> 
> we had a call last week from a client with a win11 workstation that 
> upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.
> 
> There are a few related posts on reddit [1] and it seems to be linked to 
> this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, 
> probably due to the integration of Heimdal-8.0pre.
> 
> The issue is due to a timestamp in the TGS-REQ where it is set to the max 
> value in the Microsoft Kerberos client instead of the usual 2038 timestamp 
> (till=99990913024805Z), and Microsoft says it is by the specs [3] and 
> won't be changed.
> 
> I didn't find any Samba bugzilla entry for this bug, which is going to 
> get widespread quite fast as Microsoft starts force-feeding this upgrade 
> on unsuspecting end users. I can create a bugzilla entry if there is 
> none yet.
> 
> There is only one supported version that is impacted (4.15), but there 
> should at least be more communication to encourage people to upgrade 
> before being bitten by this issue.
> 
> Cheers,
> 
> Denis
> 
> [1] 
> https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
> [2] https://github.com/heimdal/heimdal/issues/1011
> [3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488
> 
> 

Hi Denis, the problem is that it isn't really a Samba bug, but if it is 
a bug, it has been fixed in 4.16.0, so if you do open a bug report, it 
will probably get closed very quickly.

I would imagine that backporting Heimdal 8.0pre was considered but 
rejected because it isn't a maintenance or security problem and would 
probably require multiple other changes, but I am guessing here.

As for upgrading Samba, I keep saying that users should try to keep up 
with the latest Samba; this is because Samba is rapidly evolving and 
using old versions of Samba in a domain is not advised.

Rowland
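
An added example, not part of either message in this thread: a triage helper that parses KerberosTime `till` values and lists the clients sending the far-future value quoted above, so an admin still on 4.15 can see which machines are affected. The log line layout, the principal names, the 2037 sample value and the cut-off (end of the signed 32-bit epoch range in 2038) are assumptions made for the example.

```python
import calendar
import re
from datetime import datetime

# 2038-01-19 03:14:07 UTC, the last second of a signed 32-bit epoch counter.
# Assumption: used only as the cut-off between "usual" and far-future values.
INT32_MAX = 2**31 - 1

# Constructed line layout (not a real Samba/Heimdal log format).
LINE_RE = re.compile(r"TGS-REQ (?P<client>\S+) .*?\btill=(?P<till>\d{14}Z)")

SAMPLE_LOG = [  # constructed sample input
    "TGS-REQ ws10$@EXAMPLE.TEST from 192.0.2.20 till=20370913024805Z",
    "TGS-REQ ws11$@EXAMPLE.TEST from 192.0.2.21 till=99990913024805Z",
    "TGS-REQ odd$@EXAMPLE.TEST from 192.0.2.22 till=20371313024805Z",
    "AS-REQ ws10$@EXAMPLE.TEST from 192.0.2.20",
]

def kerberos_time_to_epoch(value):
    """Convert a KerberosTime string (YYYYMMDDHHMMSSZ, UTC) to epoch seconds."""
    parsed = datetime.strptime(value, "%Y%m%d%H%M%SZ")
    # timegm is plain arithmetic, so year 9999 does not overflow here.
    return calendar.timegm(parsed.timetuple())

def far_future_till(value):
    """True when the till value lies past the 2038 cut-off."""
    return kerberos_time_to_epoch(value) > INT32_MAX

def clients_sending_far_future_till(lines):
    """Return {client: till} for requests whose till is past the cut-off."""
    flagged = {}
    for line in lines:
        match = LINE_RE.search(line)
        if match is None:
            continue  # not a TGS-REQ line or no till field
        try:
            if far_future_till(match.group("till")):
                flagged[match.group("client")] = match.group("till")
        except ValueError:
            continue  # malformed timestamp (e.g. month 13), skip it
    return flagged

if __name__ == "__main__":
    for client, till in clients_sending_far_future_till(SAMPLE_LOG).items():
        print(f"{client} sends till={till}")
```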


