[Samba] windows workstations needing reboot to validate passwords. --ADDENDUM

james.atwell365 at gmail.com james.atwell365 at gmail.com
Mon Nov 20 20:19:34 UTC 2023


> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray Klassen via
> samba
> Sent: Monday, November 20, 2023 2:10 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] windows workstations needing reboot to validate
> passwords. --ADDENDUM
> 
> 
> 
> On Mon, 2023-11-20 at 13:43 -0500, James Atwell via samba wrote:
> >
> >
> > > -----Original Message-----
> > > From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray Klassen
> > > via samba
> > > Sent: Monday, November 20, 2023 1:09 PM
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] windows workstations needing reboot to validate
> > > passwords. --ADDENDUM
> > >
> > > Audit logging has been a bust. The failed attempt by the workstation
> > > to validate the password does not show up in the logs.
> > >
> > >
> > > On Thu, 2023-11-16 at 10:38 -0800, Ray Klassen via samba wrote:
> > > > Thank you for the suggestion. Audit logging enabled.
> > > >
> > > > On Thu, 2023-11-16 at 13:27 -0500, James Atwell via samba wrote:
> > > > > > Have you set up Samba audit logging? This may aid in your efforts
> > > > > > to see the reasons for not authenticating from the server's
> > > > > > perspective.
> > > > >
> > > > > https://wiki.samba.org/index.php/Setting_up_Audit_Logging
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: samba <samba-bounces at lists.samba.org> On Behalf Of Ray
> > > > > Klassen via samba
> > > > > Sent: Thursday, November 16, 2023 1:11 PM
> > > > > To: samba at lists.samba.org
> > > > > Subject: [Samba] windows workstations needing reboot to validate
> > > > > passwords. --ADDENDUM
> > > > >
> > > > > I am (earlier reported under the subject "Peculiar Problem")
> > > > > > having an issue that started several weeks ago, where windows
> > > > > > (10 pro, server 2019) computers randomly get into a state where
> > > > > > they refuse to validate passwords. Rebooting (sometimes several
> > > > > > times) makes the problem go away. You can also log in if you
> > > > > > disconnect the PC from the network and then reconnect.
> > > > >
> > > > > List of changes around the time it started.
> > > > >
> > > > > Samba upgrade to 4.19.2
> > > > > > Samba schema upgrade to 2012_R2 functional level
> > > > > > Samba upgrade to 2008 functional level
> > > > >
> > > > > List of measures taken (hoping that if best practises are not
> > > > > being observed, implementing them will fix things!!)
> > > > >
> > > > > > Moved DNS from SAMBA_INTERNAL to BIND_DLZ
> > > > > > Moved ntp from ntpsec to chrony
> > > > >
> > > > > Diagnostic steps
> > > > >
> > > > > Packet dumps (decoded with keytab) and loglevel 255 show no
> > > > > glaring issues or errors.
> > > > >
> > > > > Going to try restarting all of the DC's next time it happens to
> > > > > determine if the miscommunication originates with windows or
> > > > > samba.
> > > > >
> > > > > Windows Eventviewer lists failure as Event ID 4625 Status
> > > > > 0xC000006D Sub Status 0x0 Failure reason %%2304
> > > > >
> > > > >
> > > > > Any other suggestions welcome!!
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read
> > > > > the
> > > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > >
> > > > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> >
> > You mentioned restarting all your DC's. I assume you have more than 1
> > DC and enabled audit logging on all your DC's. I also assume you
> > verified on all DC's the logs do not exist if enabled on all?
> >
> >
> > I have 4 DC's. I've got auditing enabled on all of them. And seeing
> > audit entries on all of them regarding other traffic. The workstation
> > that misbehaved this morning shows entries on some of them over the
> > weekend 'NT_STATUS_OK' and earlier. It looks like it is doing a machine
> > password update.
> >
> >
> >
> >


The fact that you can unplug the device and log back in tells me the workstation is using cached credentials to log back in.  

Try authenticating to the netlogon share from each of your DC's with one of the affected usernames. 

smbclient //localhost/netlogon -Uusername -c 'ls'

I would also check replication is working as expected and all databases match. 

https://wiki.samba.org/index.php/Samba-tool_ldapcmp

The biggest change you made was upgrading the schema. Did you ensure to include 

ad dc functional level = 2016

in the smb.conf file on all your DC's?

Without log files it's hard to troubleshoot. You need to pull the authentication attempt failure to analyze. Do you have other services that use your DC for authentication that exhibit similar behavior?
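
Added example, not part of the original message: with JSON audit logging enabled on every DC, a short script can report, per DC, the last authentication event recorded for the workstation or user at or before the time of the Windows 4625 failure. It assumes log lines of the form "JSON Authentication: {...}" carrying the timestamp, status, serviceDescription, clientAccount and workstation fields; the DC names, WS042, alice, bob, the failure time and every log line below are constructed sample data.

```python
import json
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # assumed timestamp layout of the JSON audit records

def _sample(ts, status, account, service, workstation=None):
    # Build one constructed log line in the assumed "JSON Authentication: {...}" layout.
    auth = {"status": status, "serviceDescription": service,
            "clientAccount": account, "workstation": workstation}
    return "  JSON Authentication: " + json.dumps(
        {"timestamp": ts, "type": "Authentication", "Authentication": auth})

# Constructed sample data: dc1..dc3, WS042, alice and bob are placeholders.
SAMPLE_LOGS = {
    "dc1": [_sample("2023-11-18T23:10:04.000000-0800", "NT_STATUS_OK", "WS042$", "NETLOGON", "WS042"),
            "[2023/11/20 08:00:01,  3] unrelated non-JSON log line"],
    "dc2": [_sample("2023-11-19T02:31:40.000000-0800", "NT_STATUS_OK", "WS042$", "NETLOGON", "WS042"),
            _sample("2023-11-20T08:14:55.000000-0800", "NT_STATUS_WRONG_PASSWORD", "alice", "Kerberos KDC")],
    "dc3": [_sample("2023-11-17T09:00:00.000000-0800", "NT_STATUS_OK", "bob", "SMB2")],
}

def auth_events(lines):
    """Yield (datetime, Authentication dict) for every parsable JSON auth line."""
    for line in lines:
        start = line.find("{")
        if "JSON Authentication:" not in line or start < 0:
            continue
        try:
            rec = json.loads(line[start:])
            when = datetime.strptime(rec["timestamp"], TS_FMT)
        except (ValueError, KeyError, TypeError):
            continue  # truncated or malformed record
        yield when, rec.get("Authentication") or {}

def last_seen(logs_by_dc, names, failure_time):
    """Per DC: (time, status, service) of the latest matching event at or before
    failure_time, or None when that DC logged nothing for the given names."""
    wanted = {n.lower() for n in names}
    cutoff = datetime.strptime(failure_time, TS_FMT)
    result = {}
    for dc, lines in logs_by_dc.items():
        best = None
        for when, ev in auth_events(lines):
            ids = {(ev.get(k) or "").lower().strip("\\$") for k in ("clientAccount", "workstation")}
            if when <= cutoff and ids & wanted and (best is None or when > best[0]):
                best = (when, ev.get("status"), ev.get("serviceDescription"))
        result[dc] = best
    return result

if __name__ == "__main__":
    for dc, hit in last_seen(SAMPLE_LOGS, ["WS042", "alice"], "2023-11-20T08:15:30.000000-0800").items():
        print(dc, hit)
```

A DC that reports None, or only an old NT_STATUS_OK for the machine account, did not log the failing attempt; comparing that across all DCs narrows down where the logon request went.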




