[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

Dr. Nicola Mingotti nmingotti at gmail.com
Mon Oct 17 14:58:17 UTC 2022 

Thank you a lot for reporting this in the mailing list.

I also found this horrible issue putting a new Win-11 laptop in the 
Samba domain and lost hours in anger trying to make it work.

Windows as usual reports silly/useless error messages. On Samba logs i 
found a suspicious line and googling that i was able to find a blog 
where the thing is discussed (and in Reddit)
*https://bitcoden.com/answers/samba-wont-join-computers-to-domain-anymore*

Then finally I see the message here, and I am more confident the info is 
reliable.

I may recommend to put a well visible link in Samba Web homepage when 
this kind of issues emerge.
Even if it is Microsoft who broke things and it is not a Samba bug, we 
proud Samba users/admins will suffer, so better to warn us before we 
bang our head against the wall for hours, if possible ;)


bye
Nicola








On 10/3/22 11:15, Denis CARDON via samba wrote:
> Hi everyone,
>
> we had a call last week from a client with a win11 workstation that 
> upgraded to 22H2 and couldn't authenticate to their Samba-AD 4.15 
> anymore.
>
> There are a few related post on reddit [1] and it seems to be linked 
> to this issue in Heimdal [2]. Upgrading to Samba 4.16 fixed the issue, 
> probably due to the integration of with Heimdal-8.0pre.
>
> The issue is due to a timestamp in the TGS-REQ where it is set to max 
> value in Microsoft kerberos client instead of the usual 2038 timestamp 
> (till=99990913024805Z), and Microsoft says it is by the specs [3] and 
> won't be changed.
>
> I didn't found any Samba bugzilla entry for this bug, which is going 
> to get widespread quite fast as Microsoft starts force-feeding this 
> upgrade on unsuspicious end users. I can create a bugzilla entry if 
> there is none yet.
>
> There is only one supported version that is impacted (4.15), but it 
> should at least be more communication to encourage people to upgrade 
> before being bitten by this issue.
>
> Cheers,
>
> Denis
>
> [1] 
> https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
> [2] https://github.com/heimdal/heimdal/issues/1011
> [3] 
> https://github.com/heimdal/heimdal/issues/1011#issuecomment-1256577488
>
>

More information about the samba mailing list