[Samba] Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue

Mason Schmitt mason at ftlcomputing.com
Mon Oct 17 23:09:19 UTC 2022

I'd like to add a few more details and symptoms, in the hope that it might
help others who are running into this issue, but may not know it yet.

At this time, in order to prevent further disruption, we have prevented all
our PCs from upgrading to either Win11 22H2 or Win10 22H2.  We're still
applying security patches of course, just not these feature packs.

- It's not possible to join a Win11 22H2 PC to a Samba domain that is
running 4.15.x or older
- If you implement the "fix" which has shown up on Reddit and elsewhere,
you will essentially break Kerberos auth, which will also prevent you from
doing the following.  You will however succeed in allowing your Win11 22H2
PCs to access file servers using NTLM authentication.
    - GPOs will not be applied
    - A regular user will not be able to enter domain credentials into a
UAC prompt in order to elevate their privileges

Indications you are experiencing this problem
If you're looking for signs of the problem in your Samba AD DC logs,
they'll show up in log.samba.  With basic auth logging enabled (log level =
1 auth_audit:3 auth_json_audit:3), you should see multiple entries showing
successful Kerberos pre-auth, like this:

[2022/10/12 13:21:25.502451,  3]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[<admin_acct>@<domain>] at [Wed, 12 Oct 2022 13:21:25.502446 PDT]
with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
remote host [ipv4:<Client_IP>:49868] became [<NT_DOMAIN>]\[<admin_acct>]
[<admin SID>]. local host [NULL]
[2022/10/12 13:21:25.502485,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2022-10-12T13:21:25.502467-0700",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL",
"remoteAddress": "ipv4:<Client_IP>:49868", "serviceDescription": "Kerberos
KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
"clientAccount": "<admin_acct>@<domain>", "workstation": null,
"becameAccount": " <admin_acct>  ", "becameDomain": "<NT_DOMAIN>",
"becameSid": "<admin SID>", "mappedAccount": " <admin_acct>  ",
"mappedDomain": "<NT_DOMAIN>", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)",
"passwordType": "aes256-cts-hmac-sha1-96"}}
[2022/10/12 13:21:25.546607,  3]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[<admin_acct>@<DOMAIN>] at [Wed, 12 Oct 2022 13:21:25.546603 PDT]
with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)]
remote host [ipv4:<Client_IP>:49872] became [<NT_DOMAIN>]\[ <admin_acct>  ]
[<admin SID>]. local host [NULL]
[2022/10/12 13:21:25.546642,  3] ../auth/auth_log.c:220(log_json)

The root of the issue is more obvious with debug logs enabled.  Warning, a
single attempt to join a domain will generate over 100,000 log entries.

Change your log level
 #log level = 1 auth_audit:3 auth_json_audit:3
 log level = 10
 debug pid = true
 max log size = 0

You'll see entries like this - https://pastebin.com/5nEvJbQ4

How to resolve the issue
At this time, I'm not aware that any of the common Linux distro LTS
versions are supplying a version of Samba in which this issue has been
resolved (unless you consider rolling distros like Arch)**.  As Rowland has
pointed out, it's possible to get 4.16.5 for Debian Bullseye from
Backports.  Of course there are third party commercial packages available.

** https://pkgs.org/search/?q=samba
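One way to spot the repeated pre-auth pattern described above in log.samba, as an added example that is not part of the original post: it parses the auth_json_audit records and flags client/account pairs with a burst of successful ENC-TS pre-authentications. The sample log lines, the 192.0.2.x addresses, the EXAMPLE.LAN realm and the burst threshold are constructed placeholders; the filter assumes the field names shown in the excerpt above.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# auth_json_audit:3 writes the JSON object on one line after the "[date, level]" header line.
JSON_AUTH = re.compile(r"JSON Authentication: (\{.*\})\s*$")

def parse_auth_records(log_text):
    """Return the JSON object from every 'JSON Authentication' line in log.samba."""
    return [json.loads(m.group(1))
            for m in map(JSON_AUTH.search, log_text.splitlines()) if m]

def find_preauth_bursts(records, window_seconds=5.0, threshold=3):
    """Report (client IP, account) pairs with >= threshold successful ENC-TS pre-auths inside window_seconds."""
    times = defaultdict(list)
    for rec in records:
        auth = rec["Authentication"]
        if (auth["serviceDescription"], auth["authDescription"], auth["status"]) != \
                ("Kerberos KDC", "ENC-TS Pre-authentication", "NT_STATUS_OK"):
            continue
        # remoteAddress looks like "ipv4:<ip>:<port>": drop the family and the port
        ip = auth["remoteAddress"].split(":", 1)[1].rsplit(":", 1)[0]
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        times[(ip, auth["clientAccount"].strip())].append(ts)
    bursts = {}
    for key, ts_list in times.items():
        ts_list.sort()
        for i in range(len(ts_list) - threshold + 1):
            if (ts_list[i + threshold - 1] - ts_list[i]).total_seconds() <= window_seconds:
                bursts[key] = len(ts_list)
                break
    return bursts

# Constructed sample in the shape of the post's excerpt (not real log data).
def _line(ts, addr, acct, status="NT_STATUS_OK", svc="Kerberos KDC", desc="ENC-TS Pre-authentication"):
    rec = {"timestamp": ts, "type": "Authentication", "Authentication": {
        "status": status, "remoteAddress": addr, "serviceDescription": svc,
        "authDescription": desc, "clientAccount": acct}}
    return ("[2022/10/12 13:21:25.000000,  3] ../auth/auth_log.c:220(log_json)\n"
            "  JSON Authentication: " + json.dumps(rec))

SAMPLE_LOG = "\n".join([
    _line("2022-10-12T13:21:25.502467-0700", "ipv4:192.0.2.10:49868", "admin@EXAMPLE.LAN"),
    _line("2022-10-12T13:21:25.546633-0700", "ipv4:192.0.2.10:49872", "admin@EXAMPLE.LAN"),
    _line("2022-10-12T13:21:25.598102-0700", "ipv4:192.0.2.10:49880", "admin@EXAMPLE.LAN"),
    _line("2022-10-12T13:25:01.000000-0700", "ipv4:192.0.2.20:51001", "alice@EXAMPLE.LAN"),
    _line("2022-10-12T13:25:02.000000-0700", "ipv4:192.0.2.10:51010", "admin",
          status="NT_STATUS_WRONG_PASSWORD", svc="SMB2", desc="NTLMSSP"),
])
```

Run it against a real log.samba by passing the file contents to parse_auth_records; a healthy join produces a handful of pre-auth successes per client, not a sustained burst.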