[Samba] Remote Desktop problem after upgrading samba AD DC to 4.16.5
matt.s at aptalaska.net
Thu Oct 27 23:36:01 UTC 2022
On 10/26/22 4:27 AM, Oliver Freyd via samba wrote:
> I'm running a network with 2 samba AD DCs that were on 4.12.15 on
> debian buster (debian 10, oldstable).
> Because of the Win11 22H2 bug I upgraded one of the DCs to samba 4.6.5
> on debian bullseye, via the samba package from bullseye-backports.
> This DC has one problem though, when people connect to their Windows
> machines via RDP the connection fails when this DC is used (verified
> that by switching off the old DC and only using the new one), it seems
> the password authentication does not work correctly, RDP will show
> the username/password dialog repeatedly...
> This happens only when the RDP connection is made with the DNS-name of
> the client machine, the connection works if one connects with the IP
> of the client machine.
> Checking with Wireshark I see a Kerberos error: KRB5KDC_ERR_TGT_REVOKED
> Another weird thing is that yesterday I re-joined that new DC, and
> temporarily everything worked fine, only after a day or so it fails.
> Any ideas on how I could debug this issue?
> best regards,
> Oliver Freyd
I'm also having problems with RDP sessions not authenticating against
Samba Heimdal KDC. What is odd is that the initial RDP connection
(network level connection) works fine and authenticates me, but when I
get to the desktop, I get access denied and that my password is wrong as
if I used a wrong password at the console. If I put in the wrong
password into the initial RDP session for network level connection, it
immediately rejects me without letting me see the desktop.

Looking at Wireshark under the covers, I suspect it's a Kerberos issue,
however all of my hosts have DNS settings of Samba domain controllers
and my Samba servers do appear to get AD updates.

I was running 4.16.4 but now I'm on 4.17.2 with no change.

I wonder if something changed on the Windows side. I see Jakob posted
about a 22H2 update breaking this. Anyone know the specific fix and how
to roll it back?