[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

Andrew Bartlett abartlet at samba.org
Mon Oct 3 19:57:29 UTC 2022

On Mon, 2022-10-03 at 11:15 +0200, Denis CARDON via samba wrote:
> Hi everyone,
> we had a call last week from a client with a win11 workstation that 
> upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15
> anymore.
> There are a few related post on reddit [1] and it seems to be linked
> to 
> this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, 
> probably due to the integration of with Heimdal-8.0pre.
> The issue is due to a timestamp in the TGS-REQ where it is set to
> max 
> value in Microsoft kerberos client instead of the usual 2038
> timestamp 
> (till=99990913024805Z), and Microsoft says it is by the specs [3]
> and 
> won't be changed.

Thanks so much for digging into this.  I'm sorry that while I did see
the early references, I didn't dig into it. 

> I didn't found any Samba bugzilla entry for this bug, which is going
> to 
> get widespread quite fast as Microsoft starts force-feeding this
> upgrade 
> on unsuspicious end users. I can create a bugzilla entry if there is 
> none yet.

Please do, with all the references etc.  

We may be able to kludge around that if it is as you describe, but
otherwise we need a place to coordinate efforts. 

> There is only one supported version that is impacted (4.15), but it 
> should at least be more communication to encourage people to upgrade 
> before being bitten by this issue.


Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list