[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5

[Rowland Penny]

On 27/10/2022 11:02, Oliver Freyd via samba wrote:
> Hello,
> 
>> Which DC did you upgrade and how ?
>> Did it hold any of the FSMO roles and did you upgrade it in place, or 
>> add a new DC and demote the old one ?
> 
> I upgraded the "second" DC, called sambapdc2, it did not have any FSMO 
> roles.
> In the first try I upgraded it in place, first doing a debian version 
> upgrade,
> which worked fine, then upgrading samba to the version in 
> bullseye-backports, which is 4.16.5.

In this instance, I would have created a new computer (in a VM or bare 
metal), joined this as a new DC, that way you are sure that there isn't 
anything from the old DC hanging about. At this point, I would have 
demoted the old DC.

I would suggest you do this now, there is a very big jump between 4.12.x 
and 4.16.x , not least the new Heimdal version, the changes could be 
part of your problem.

> 
> The authentication problems did not start right away, but after a few 
> hours.
> 
> Then I demoted that DC and renamed the /var/lib/samba directory, and 
> joined it again to the domain.

But you could still have 'old' Samba bits floating around.

> 
> Again it seemed to work fine but after a few hours the RDP problems 
> started again.
> 
>> Sounds like a dns problem.
> 
> I'm wondering if this is a Kerberos problem,
> whenever I try to connect to a windows machine via RDP I get such errors 
> in the samba logs:
> 
>   Kerberos: Verify PAC failed for 
> TERMSRV/oliver64.example.lan at IONTOF.LAN (oliver64$@EXAMPLE.LAN) from 
> ipv4:192.168.100.54:50814 with TGT has been revoked

Yes, but kerberos relies on dns, no dns, no kerberos.

> 
> 
>> Can you post the contents (sanitised) of the following files:
>> /etc/hostname
>> /etc/hosts
>> /etc/resolv.conf
>> /etc/krb5.conf
>>
>> Rowland
> 
> I've attached these files...

Sorry, but this list strips attachments, so can you try again, but this 
time, post them in the reply.

Rowland