[Samba] samba 4.13.17 ubuntu 20.04

Rowland Penny rpenny at samba.org
Thu Jan 26 07:50:47 UTC 2023



On 26/01/2023 07:20, Marco Querci via samba wrote:
> Hi everyone,
> 
> I'm posting here because I'm facing a kerberos authentication problem after
> the 2:4.13.17~dfsg-0ubuntu1.20.04.4 samba upgrade.
> The clients, win10, win11, win2016 cannot login to AD anymore.
> On server logs the authentication succeeded but in the Event Viewer on the
> client I have this error:
> 
> Security-Kerberos
> The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> cor-win10$. The target name used was COR-WIN10$. 


I think this might be a DNS problem. From your smb.conf, the DC's 
hostname is 'AD5' yet the error message is referring to a 'server' 
called 'COR-WIN10'.

> This indicates that the
> target server failed to decrypt the ticket provided by the client. This can
> occur when the target server principal name (SPN) is registered on an
> account other than the account the target service is using. Ensure that the
> target SPN is only registered on the account used by the server. This error
> can also happen if the target service account password is different than
> what is configured on the Kerberos Key Distribution Center for that target
> service. Ensure that the service on the server and the KDC are both
> configured to use the same password. If the server name is not fully
> qualified, and the target domain (ACME.LAN) is different from the client
> domain (ACME.LAN), check if there are identically named server accounts in
> these two domains, or use the fully-qualified name to identify the server.
> 
> This is my smb.conf:
> # Global parameters
> [global]
> netbios name = AD5
> realm = ACME.LAN
> server role = active directory domain controller
> workgroup = ACME
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
> 
> log file = /var/log/samba/log.ad5
> max log size = 100000
> log level = 3 passdb:5 auth:5
> 
> time server = yes
> #load printers = yes
> 
> #printing = CUPS
> #rpc_server:spoolss = external
> #rpc_daemon:spoolssd = fork
> #spoolss: architecture = Windows x64
> 
> host msdfs = yes
> #vfs object = dfs_samba4
> 
> disable netbios = yes
> smb ports = 445
> 
> 
> [sysvol]
> comment = SYSVOL share
>          path = /var/lib/samba/sysvol
>          read only = no
>          browseable = no
> 
> [gpo]
>          comment = GPO files share
>          path = /var/lib/samba/sysvol/acme.lan/gpo
>          read only = no
>          browseable = no

Where did '[netlogon]' go and why do you have a share for GPOs?

> 
> I also tried with samba 4.15 on ubuntu 22.04 ... same problem.
> 
> I don't know what's the problem and how to handle it, maybe some related to
> the latest samba security update together with some configuration in my
> environment.
> Can anyone help me in some way?
> 
> Thanks.

Samba upgraded Heimdal (the KDC) at 4.16.0, which was lucky; later 
versions of win10 upwards need it.

You can find later versions of Samba here:

http://www.corpit.ru/mjt/packages/samba/

Rowland
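
The event text quoted in the message above names one cause of KRB_AP_ERR_MODIFIED: the target SPN being registered on an account other than the one the service uses. As an added example (not part of the original thread and not Samba code), this Python script scans an LDIF export of account objects for SPNs held by more than one account; the sample LDIF and the OLD-PC$ account are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample LDIF: OLD-PC$ is a hypothetical stale computer account
# that still carries an SPN for COR-WIN10.
SAMPLE_LDIF = """\
dn: CN=COR-WIN10,CN=Computers,DC=acme,DC=lan
sAMAccountName: COR-WIN10$
servicePrincipalName: HOST/COR-WIN10
servicePrincipalName: HOST/cor-win10.acme.lan

dn: CN=OLD-PC,CN=Computers,DC=acme,DC=lan
sAMAccountName: OLD-PC$
servicePrincipalName: HOST/OLD-PC
servicePrincipalName: host/COR-WIN10.ACME.LAN

dn: CN=AD5,OU=Domain Controllers,DC=acme,DC=lan
sAMAccountName: AD5$
servicePrincipalName: HOST/AD5
servicePrincipalName: HOST/ad5.acme.lan
"""


def parse_ldif(text):
    """Yield (sAMAccountName, [SPN, ...]) for each blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        account, spns = None, []
        # LDIF folds long values onto continuation lines that start with a space.
        for line in block.replace("\n ", "").splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)  # base64 "key:: v" lines fall through
            if key.lower() == "samaccountname":
                account = value.strip()
            elif key.lower() == "serviceprincipalname":
                spns.append(value.strip())
        if account:
            yield account, spns


def find_duplicate_spns(text):
    """Map each SPN (compared case-insensitively) to its owners when more than one."""
    owners = defaultdict(set)
    for account, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].add(account)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}


if __name__ == "__main__":
    for spn, accounts in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"duplicate SPN {spn}: {', '.join(accounts)}")
```

Base64-encoded attribute values (`key:: value`) are skipped, so decode those first if the export contains any.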


