[Samba] samba 4.13.17 ubuntu 20.04

Marco Querci mquerci75 at gmail.com
Thu Jan 26 07:20:28 UTC 2023


Hi everyone,

I'm posting here because I'm facing a Kerberos authentication problem after
the 2:4.13.17~dfsg-0ubuntu1.20.04.4 samba upgrade.
The clients (win10, win11, win2016) cannot log in to AD anymore.
In the server logs the authentication succeeded, but in the Event Viewer on the
client I have this error:

Security-Kerberos
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
cor-win10$. The target name used was COR-WIN10$. This indicates that the
target server failed to decrypt the ticket provided by the client. This can
occur when the target server principal name (SPN) is registered on an
account other than the account the target service is using. Ensure that the
target SPN is only registered on the account used by the server. This error
can also happen if the target service account password is different than
what is configured on the Kerberos Key Distribution Center for that target
service. Ensure that the service on the server and the KDC are both
configured to use the same password. If the server name is not fully
qualified, and the target domain (ACME.LAN) is different from the client
domain (ACME.LAN), check if there are identically named server accounts in
these two domains, or use the fully-qualified name to identify the server.

This is my smb.conf:
# Global parameters
[global]
netbios name = AD5
realm = ACME.LAN
server role = active directory domain controller
workgroup = ACME
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8

log file = /var/log/samba/log.ad5
max log size = 100000
log level = 3 passdb:5 auth:5

time server = yes
#load printers = yes

#printing = CUPS
#rpc_server:spoolss = external
#rpc_daemon:spoolssd = fork
#spoolss: architecture = Windows x64

host msdfs = yes
#vfs object = dfs_samba4

disable netbios = yes
smb ports = 445


[sysvol]
        comment = SYSVOL share
        path = /var/lib/samba/sysvol
        read only = no
        browseable = no

[gpo]
        comment = GPO files share
        path = /var/lib/samba/sysvol/acme.lan/gpo
        read only = no
        browseable = no

I also tried with samba 4.15 on ubuntu 22.04 ... same problem.

I don't know what the problem is or how to handle it; maybe something related to
the latest samba security update together with some configuration in my
environment.
Can anyone help me in some way?

Thanks.
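
Added example, not part of the original post: the Event Viewer text names an SPN registered on more than one account as one cause of KRB_AP_ERR_MODIFIED, and this script checks an LDIF export of the directory (for example from ldbsearch) for that condition. The sample records, the svc-legacy account and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in the LDIF shape that ldbsearch prints; not from the post.
SAMPLE_LDIF = """\
# record 1
dn: CN=COR-WIN10,CN=Computers,DC=acme,DC=lan
sAMAccountName: COR-WIN10$
servicePrincipalName: HOST/cor-win10.acme.lan

# record 2
dn: CN=svc-legacy,CN=Users,DC=acme,DC=lan
sAMAccountName: svc-legacy
servicePrincipalName: host/cor-win10.ac
 me.lan
servicePrincipalName:: SFRUUC9pbnRyYW5ldC5hY21lLmxhbg==
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per record, unfolding and decoding."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folded continuation
        elif not raw.startswith("#"):     # skip "# record N" comments
            lines.append(raw)
    record = defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if record:
                yield dict(record)
            record = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record[attr.lower()].append(value.strip())

def duplicate_spns(text):
    """Map each SPN (lower-cased) held by more than one account to its holders."""
    holders = defaultdict(set)
    for rec in parse_ldif(text):
        account = rec.get("samaccountname", rec.get("dn", ["?"]))[0]
        for spn in rec.get("serviceprincipalname", []):
            holders[spn.lower()].add(account)   # SPN matching ignores case
    return {spn: sorted(accts) for spn, accts in holders.items() if len(accts) > 1}

if __name__ == "__main__":
    print(duplicate_spns(SAMPLE_LDIF))
```

An empty result rules out only the duplicate-SPN cause; the password mismatch the event text also mentions is not covered by this check.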

