[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

[Rowland Penny]

On 03/10/2022 10:15, Denis CARDON via samba wrote:
> Hi everyone,
> 
> we had a call last week from a client with a win11 workstation that 
> upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 anymore.
> 
> There are a few related post on reddit [1] and it seems to be linked to 
> this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, 
> probably due to the integration of with Heimdal-8.0pre.
> 
> The issue is due to a timestamp in the TGS-REQ where it is set to max 
> value in Microsoft kerberos client instead of the usual 2038 timestamp 
> (till=99990913024805Z), and Microsoft says it is by the specs [3] and 
> won't be changed.
> 
> I didn't found any Samba bugzilla entry for this bug, which is going to 
> get widespread quite fast as Microsoft starts force-feeding this upgrade 
> on unsuspicious end users. I can create a bugzilla entry if there is 
> none yet.
> 
> There is only one supported version that is impacted (4.15), but it 
> should at least be more communication to encourage people to upgrade 
> before being bitten by this issue.
> 
> Cheers,
> 
> Denis
> 
> [1] 
> https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
> [2] https://github.com/heimdal/heimdal/issues/1011
> [3] https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488
> 
> 

Hi Denis, the problem is that it isn't really a Samba bug, but if it is 
a bug, it has been fixed in 4.16.0 , so if you do open a bug report, it 
will probably get closed very quickly.

I would imagine that backporting Heimdal 8.0pre was considered but 
rejected because it isn't a maintenance or security problem and would 
probably require multiple other changes, but I am guessing here.

As for upgrading Samba, I keep saying that users should try to keep up 
with the latest samba, this is because Samba is rapidly evolving and 
using old versions of Samba in a domain is not advised.

Rowland