[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
rpenny at samba.org
Thu Oct 27 10:49:03 UTC 2022
On 27/10/2022 11:02, Oliver Freyd via samba wrote:
>> Which DC did you upgrade and how ?
>> Did it hold any of the FSMO roles and did you upgrade it in place, or
>> add a new DC and demote the old one ?
> I upgraded the "second" DC, called sambapdc2, it did not have any FSMO
> In the first try I upgraded it in place, first doing a debian version
> which worked fine, then upgrading samba to the version in
> bullseye-backports, which is 4.16.5.

In this instance, I would have created a new computer (in a VM or bare
metal) and joined this as a new DC; that way you are sure that there isn't
anything from the old DC hanging about. At this point, I would have
demoted the old DC.

I would suggest you do this now. There is a very big jump between 4.12.x
and 4.16.x, not least the new Heimdal version; the changes could be
part of your problem.

> The authentication problems did not start right away, but after a few
> Then I demoted that DC and renamed the /var/lib/samba directory, and
> joined it again to the domain.

But you could still have 'old' Samba bits floating around.

> Again it seemed to work fine but after a few hours the RDP problems
> started again.
>> Sounds like a dns problem.
> I'm wondering if this is a Kerberos problem,
> whenever I try to connect to a windows machine via RDP I get such errors
> in the samba logs:
> Kerberos: Verify PAC failed for
> TERMSRV/oliver64.example.lan at IONTOF.LAN (oliver64$@EXAMPLE.LAN) from
> ipv4:192.168.100.54:50814 with TGT has been revoked

Yes, but Kerberos relies on DNS; no DNS, no Kerberos.

>> Can you post the contents (sanitised) of the following files:
> I've attached these files...

Sorry, but this list strips attachments, so can you try again, but this
time, post them in the reply.
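
As an added illustration (not part of the original thread, and not Samba's own code): a short Python script that tallies "Verify PAC failed" messages of the kind quoted above per client and reason, which shows whether the failures are confined to particular machines or affect every client of the DC. The sample lines, host names and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the message quoted in the thread.
# Host names, realm and addresses are made up for this example.
SAMPLE_LOG = """\
Kerberos: Verify PAC failed for TERMSRV/pc1.example.lan@EXAMPLE.LAN (pc1$@EXAMPLE.LAN) from ipv4:192.0.2.54:50814 with TGT has been revoked
some unrelated log line
Kerberos: Verify PAC failed for TERMSRV/pc1.example.lan@EXAMPLE.LAN (pc1$@EXAMPLE.LAN) from ipv4:192.0.2.54:50820 with TGT has been revoked
Kerberos: Verify PAC failed for TERMSRV/pc2.example.lan@EXAMPLE.LAN (pc2$@EXAMPLE.LAN) from ipv4:192.0.2.60:49152 with TGT has been revoked
"""

# service principal, (client principal), peer address, failure reason
PAC_FAIL = re.compile(
    r"Verify PAC failed for (?P<service>.+?) \((?P<client>[^)]+)\) "
    r"from (?P<peer>ipv[46]:\S+) with (?P<reason>.+)$"
)


def parse_pac_failures(text):
    """Return one dict per 'Verify PAC failed' line found in text."""
    events = []
    for line in text.splitlines():
        m = PAC_FAIL.search(line)
        if not m:
            continue
        # peer looks like 'ipv4:ADDRESS:PORT'; the port is the last field
        proto_addr, port = m["peer"].rsplit(":", 1)
        events.append({
            "service": m["service"],
            "client": m["client"],
            "address": proto_addr.split(":", 1)[1],
            "port": int(port),
            "reason": m["reason"].strip(),
        })
    return events


def summarise(events):
    """Count failures per (client principal, reason)."""
    return Counter((e["client"], e["reason"]) for e in events)


if __name__ == "__main__":
    for (client, reason), n in summarise(parse_pac_failures(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {client}  {reason}")
```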