[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5

Oliver Freyd Oliver.Freyd at iontof.com
Thu Oct 27 10:02:53 UTC 2022


Hello,

>Which DC did you upgrade and how ?
>Did it hold any of the FSMO roles and did you upgrade it in place, or 
>add a new DC and demote the old one ?

I upgraded the "second" DC, called sambapdc2, it did not have any FSMO roles.
In the first try I upgraded it in place, first doing a Debian version upgrade,
which worked fine, then upgrading Samba to the version in bullseye-backports, which is 4.16.5.

The authentication problems did not start right away, but after a few hours.

Then I demoted that DC and renamed the /var/lib/samba directory, and joined it again to the domain.

Again it seemed to work fine but after a few hours the RDP problems started again.

>Sounds like a dns problem.

I'm wondering if this is a Kerberos problem.
Whenever I try to connect to a Windows machine via RDP I get errors like this in the Samba logs:

  Kerberos: Verify PAC failed for TERMSRV/oliver64.example.lan at IONTOF.LAN (oliver64$@EXAMPLE.LAN) from ipv4:192.168.100.54:50814 with TGT has been revoked


>Can you post the contents (sanitised) of the following files:
>/etc/hostname
>/etc/hosts
>/etc/resolv.conf
>/etc/krb5.conf
>
>Rowland

I've attached these files...
/etc/hostname:
sambapdc2

/etc/hosts:
127.0.0.1 localhost.localdomain localhost
192.168.0.251 sambapdc2.example.lan sambapdc2

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
/etc/krb5.conf:
[libdefaults]
	default_realm = EXAMPLE.LAN
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
	EXAMPLE.LAN = {
		default_domain = example.lan
	}

[domain_realm]
	SAMBAPDC2 = EXAMPLE.LAN
/etc/resolv.conf:
search example.lan
nameserver 192.168.0.251
options timeout:1
#nameserver 192.168.0.12
smb.conf:
# Global parameters
[global]
	netbios name = SAMBAPDC2
	realm = EXAMPLE.LAN
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = EXAMPLE
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

	#added by Oliver Freyd, 05.07.2018
	winbind enum users = yes
	winbind enum groups = yes
	tls enabled = yes
	tls keyfile = /etc/samba/tls/CASignedSambaPdc2Key.pem
	tls certfile = /etc/samba/tls/CASignedSambaPdc2Cert.pem
	tls cafile = /etc/samba/tls/ExampleCA2.pem
	#'tls verify peer' has a default of as_strictly_as_possible which
	#complains of missing crlfile. ca_and_name is the strictest option
	#below that.
	tls verify peer = ca_and_name

	log file = /var/log/samba/machines/log.%m
	max log size = 3000
	syslog = 1

	log level = 3

[netlogon]
	path = /var/lib/samba/sysvol/example.lan/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[inout]
	include = /etc/samba/global-share-settings.conf
	comment = Test share for migration
	path = /data/inout

#[extra]
#	include = /etc/samba/global-share-settings.conf
#	path = /data/extra



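The "Verify PAC failed ... with TGT has been revoked" line quoted above is the one concrete symptom in this thread, and when the failures come and go over hours it helps to know exactly which clients, which service principals and which reasons the KDC is logging rather than reading individual lines. The following parser is an added example, not code from the post or from the Samba project: it extracts the service principal, the service realm, the client principal, the source address and the KDC's reason from lines of that shape, counts failures per client and per reason, and flags lines where the service realm differs from the client principal's realm. The log lines it runs over are constructed to mirror the format in the post, including one made-up cross-realm line for OTHER.LAN; the assumption that Samba 4.16's Heimdal KDC keeps exactly this wording is noted in the code.

```python
"""Parse Samba KDC 'Verify PAC failed' log lines and summarise who is affected.

Added example for the mailing-list post above; not Samba's own code."""
import re
from collections import Counter

# Regex for the line shape quoted in the post. Assumption: the Heimdal KDC in
# Samba 4.16 logs exactly this wording; other versions may phrase it differently.
PAC_FAIL = re.compile(
    r"Kerberos: Verify PAC failed for (?P<service>\S+) at (?P<service_realm>\S+) "
    r"\((?P<client>[^)]+)\) from (?P<transport>ipv[46]):(?P<addr>.+?):(?P<port>\d+) "
    r"with (?P<reason>.+?)\s*$"
)

# Constructed sample lines modelled on the one in the post (not real log data).
# The OTHER.LAN line is invented to exercise the realm-mismatch check; the
# AS-REQ line is an unrelated KDC message that the parser must ignore.
SAMPLE_LOG = """\
  Kerberos: Verify PAC failed for TERMSRV/oliver64.example.lan at EXAMPLE.LAN (oliver64$@EXAMPLE.LAN) from ipv4:192.168.100.54:50814 with TGT has been revoked
  Kerberos: Verify PAC failed for TERMSRV/oliver64.example.lan at EXAMPLE.LAN (oliver64$@EXAMPLE.LAN) from ipv4:192.168.100.54:50815 with TGT has been revoked
  Kerberos: Verify PAC failed for cifs/fileserver.example.lan at EXAMPLE.LAN (alice@EXAMPLE.LAN) from ipv4:192.168.100.77:61002 with TGT has been revoked
  Kerberos: Verify PAC failed for HTTP/proxy.example.lan at OTHER.LAN (bob@EXAMPLE.LAN) from ipv4:192.168.100.77:61010 with TGT has been revoked
  Kerberos: AS-REQ alice@EXAMPLE.LAN from ipv4:192.168.100.77:61003 for krbtgt/EXAMPLE.LAN@EXAMPLE.LAN
"""


def parse_pac_failures(log_text):
    """Return one dict per 'Verify PAC failed' line; all other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PAC_FAIL.search(line)  # search: real log lines carry a timestamp prefix
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        # Realm of the client principal, e.g. 'oliver64$@EXAMPLE.LAN' -> 'EXAMPLE.LAN'
        ev["client_realm"] = ev["client"].rpartition("@")[2]
        events.append(ev)
    return events


def summarize_by_client(events):
    """Count failures per (client principal, source address) pair."""
    return Counter((ev["client"], ev["addr"]) for ev in events)


def summarize_by_reason(events):
    """Count failures per reason the KDC reported (e.g. 'TGT has been revoked')."""
    return Counter(ev["reason"] for ev in events)


def realm_mismatches(events):
    """Events whose service realm differs from the client principal's realm.

    Such lines point at a cross-realm ticket or an inconsistent realm setup
    rather than at the state of this KDC's own krbtgt account."""
    return [ev for ev in events if ev["service_realm"] != ev["client_realm"]]


def affected_hosts(events, min_failures=2):
    """Source addresses seen with at least min_failures PAC failures, sorted."""
    per_addr = Counter(ev["addr"] for ev in events)
    return sorted(addr for addr, n in per_addr.items() if n >= min_failures)


if __name__ == "__main__":
    evs = parse_pac_failures(SAMPLE_LOG)
    print("failures per client:")
    for (client, addr), n in summarize_by_client(evs).most_common():
        print(f"  {n:3d}  {client} from {addr}")
    print("failures per reason:", dict(summarize_by_reason(evs)))
    print("realm mismatches:", [(e["service"], e["service_realm"], e["client"])
                               for e in realm_mismatches(evs)])
    print("hosts with repeated failures:", affected_hosts(evs))
```

Run it against the KDC's log (the post's configuration writes per-machine files under /var/log/samba/machines/) instead of SAMPLE_LOG to see whether the failures are confined to one client, one service class such as TERMSRV, or one reason; a single reason spread across every client after a DC change reads very differently from one misbehaving host.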