[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
Andrew Bartlett
abartlet at samba.org
Mon Oct 3 19:57:29 UTC 2022
On Mon, 2022-10-03 at 11:15 +0200, Denis CARDON via samba wrote:
> Hi everyone,
>
> we had a call last week from a client with a win11 workstation that
> upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15
> anymore.
>
> There are a few related post on reddit [1] and it seems to be linked
> to
> this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue,
> probably due to the integration of with Heimdal-8.0pre.
>
> The issue is due to a timestamp in the TGS-REQ where it is set to
> max
> value in Microsoft kerberos client instead of the usual 2038
> timestamp
> (till=99990913024805Z), and Microsoft says it is by the specs [3]
> and
> won't be changed.
Thanks so much for digging into this. I'm sorry that while I did see
the early references, I didn't dig into it.
> I didn't found any Samba bugzilla entry for this bug, which is going
> to
> get widespread quite fast as Microsoft starts force-feeding this
> upgrade
> on unsuspicious end users. I can create a bugzilla entry if there is
> none yet.
Please do, with all the references etc.
We may be able to kludge around that if it is as you describe, but
otherwise we need a place to coordinate efforts.
> There is only one supported version that is impacted (4.15), but it
> should at least be more communication to encourage people to upgrade
> before being bitten by this issue.
Thanks,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
More information about the samba
mailing list