[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
Rowland Penny
rpenny at samba.org
Thu Oct 27 10:49:03 UTC 2022
On 27/10/2022 11:02, Oliver Freyd via samba wrote:
> Hello,
>
>> Which DC did you upgrade and how ?
>> Did it hold any of the FSMO roles and did you upgrade it in place, or
>> add a new DC and demote the old one ?
>
> I upgraded the "second" DC, called sambapdc2, it did not have any FSMO
> roles.
> In the first try I upgraded it in place, first doing a Debian version
> upgrade, which worked fine, then upgrading Samba to the version in
> bullseye-backports, which is 4.16.5.
In this instance, I would have created a new computer (in a VM or bare
metal), joined this as a new DC; that way you are sure that there isn't
anything from the old DC hanging about. At this point, I would have
demoted the old DC.

I would suggest you do this now. There is a very big jump between 4.12.x
and 4.16.x, not least the new Heimdal version; the changes could be
part of your problem.
>
> The authentication problems did not start right away, but after a few
> hours.
>
> Then I demoted that DC and renamed the /var/lib/samba directory, and
> joined it again to the domain.
But you could still have 'old' Samba bits floating around.
>
> Again it seemed to work fine but after a few hours the RDP problems
> started again.
>
>> Sounds like a DNS problem.
>
> I'm wondering if this is a Kerberos problem,
> whenever I try to connect to a Windows machine via RDP I get such errors
> in the Samba logs:
>
> Kerberos: Verify PAC failed for
> TERMSRV/oliver64.example.lan at IONTOF.LAN (oliver64$@EXAMPLE.LAN) from
> ipv4:192.168.100.54:50814 with TGT has been revoked
Yes, but Kerberos relies on DNS; no DNS, no Kerberos.
>
>
>> Can you post the contents (sanitised) of the following files:
>> /etc/hostname
>> /etc/hosts
>> /etc/resolv.conf
>> /etc/krb5.conf
>>
>> Rowland
>
> I've attached these files...
Sorry, but this list strips attachments, so can you try again, but this
time, post them in the reply.
Rowland