[Samba] Problem looking up domain users
Lux
smb4 at iotti.biz
Wed Apr 16 09:38:34 UTC 2025
Hi all.
I have a problem with a Samba DC for a small domain. It is a CentOS
Stream 8 with samba-4.18.5 compiled by me with AD support. Windows 11
Pro clients.
The problem shows when a Win11 client needs to search the domain users,
for example when I want to add a domain user to some local group, or I
want to add an ACE entry on a file ACL.
When I type the user name in the dialog to select the domain user to add
to the group, or to the ACL, it asks me to enter network credentials
(username and password) of a user authorized for the domain. I enter the
credentials of a valid user but Windows always gives an error about
unusable credentials and wrong username/password. Obviously I tried
various users: the one currently logged on to the PC, or another Domain
Admin, or another ordinary user. Nothing changes: in this particular
operation (when you have to choose a user name in the domain) it fails.
The surprising thing, for me, is that I am logged in on the local
Windows 11 PC with a valid domain user (in particular, a Domain Admin)
and the logon is good. I can browse restricted network shares, so the
user authentication should be good. I found the problem only when I have
to look up domain users. Even my own domain user, the one I am logged on
to the PC with.
When I try the operation, I find this in the logs (mit-krb5 log mixed
with Samba's):
[2025/04/16 08:21:38.585358, 3]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info): AS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), UNSUPPORTED:des-cbc-md5(3)}) 192.168.1.115:
NEEDED_PREAUTH: root at DOMAIN for krbtgt/DOMAIN at DOMAIN, Additional
pre-authentication required
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info): closing down fd 23
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info): AS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), UNSUPPORTED:des-cbc-md5(3)}) 192.168.1.115:
ISSUE: authtime 1744784498, etypes {rep=DEPRECATED:arcfour-hmac(23),
tkt=DEPRECATED:arcfour-hmac(23), ses=DEPRECATED:arcfour-hmac(23)},
root at DOMAIN for krbtgt/DOMAIN at DOMAIN
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info):
descriptor_prepare_commit: changes: num_registrations=0
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info):
descriptor_prepare_commit: changes: num_registered=0
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info):
descriptor_prepare_commit: changes: num_toplevel=0
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info):
descriptor_prepare_commit: changes: num_processed=0
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info):
descriptor_prepare_commit: objects: num_processed=0
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info):
descriptor_prepare_commit: objects: num_skipped=0
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info): closing down fd 23
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info): TGS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), UNSUPPORTED:des-cbc-md5(3),
UNSUPPORTED:des-cbc-crc(1), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135)}) 192.168.1.115: ISSUE: authtime 1744784498, etypes
{rep=DEPRECATED:arcfour-hmac(23), tkt=DEPRECATED:arcfour-hmac(23),
ses=DEPRECATED:arcfour-hmac(23)}, root at AD.DOMAIN.IT for
LINUX$@AD.DOMAIN.IT
Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info): closing down fd 23
[2025/04/16 08:21:38.716017, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection -
'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED'
At other times, not when I reproduce the problem, I find these lines in
the log about the particular client:
[2025/04/16 08:58:51.308153, 3]
../../auth/gensec/schannel.c:958(schannel_update_internal)
Could not find session key for attempted schannel connection from
PC-CICCIO: NT_STATUS_NOT_FOUND
[2025/04/16 08:58:51.308647, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
[2025/04/16 08:58:51.310458, 3]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2025/04/16 08:58:51.315493, 3]
../../auth/gensec/schannel.c:958(schannel_update_internal)
Could not find session key for attempted schannel connection from
PC-CICCIO: NT_STATUS_NOT_FOUND
[2025/04/16 08:58:51.316021, 3]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
[2025/04/16 08:58:51.317858, 3]
../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
The server is normally running with crypto policy DEFAULT. I tried to
downgrade it but nothing changed:
# update-crypto-policies --show
LEGACY:AD-SUPPORT
The protocols supported by the client:
# net ads enctypes list PC-CICCIO$ -UAdministrator
Password for [DOMAIN\Administrator]:
kerberos_kinit_password DOMAIN at AD.DOMAIN.IT failed: Client not found in
Kerberos database
'PC-CICCIO$' uses "msDS-SupportedEncryptionTypes": 28 (0x0000001c)
[ ] 0x00000001 DES-CBC-CRC
[ ] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
[ ] 0x00000020 AES256-CTS-HMAC-SHA1-96-SK
[ ] 0x00080000 RESOURCE-SID-COMPRESSION-DISABLED
But I don't think that the problem is in the krb5 deprecated protocols,
but rather in the NT_STATUS_CONNECTION_DISCONNECTED log entry.
I took a tcpdump of the client transaction but I see nothing bad.
Any suggestion please?
I also took a log at level 10, but I don't see anything really helping:
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
authsam_account_ok: Checking SMB password for user root at AD.DOMAIN.IT
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): logon_hours_ok:
user root at AD.DOMAIN.IT allowed to logon at this time (Wed Apr 16
06:41:34 2025
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): )
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): AS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), UNSUPPORTED:des-cbc-md5(3)}) 192.168.1.115:
NEEDED_PREAUTH: root at DOMAIN for krbtgt/DOMAIN at DOMAIN, Additional
pre-authentication required
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): closing down fd 25
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
authsam_account_ok: Checking SMB password for user root at AD.DOMAIN.IT
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): logon_hours_ok:
user root at AD.DOMAIN.IT allowed to logon at this time (Wed Apr 16
06:41:34 2025
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): )
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
kdb_samba_db_sign_auth_data: *** Sign data for client principal:
root at AD.DOMAIN.IT [AS-REQ WITH_PAC GENERATE_PAC]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
kdb_samba_db_sign_auth_data: Generate PAC for AS-REQ [root at AD.DOMAIN.IT]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
kdb_samba_db_sign_auth_data: Signing PAC for AS-REQ [root at AD.DOMAIN.IT]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): AS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), UNSUPPORTED:des-cbc-md5(3)}) 192.168.1.115:
ISSUE: authtime 1744785694, etypes {rep=DEPRECATED:arcfour-hmac(23),
tkt=DEPRECATED:arcfour-hmac(23), ses=DEPRECATED:arcfour-hmac(23)},
root at DOMAIN for krbtgt/DOMAIN at DOMAIN
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): sync interval is
14
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
authsam_calculate_lastlogon_sync_interval: randomised sync interval is
14 (-0)
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): lastLogonTimestamp
is 133891853816963240
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): old timestamp is
133891853816963240, threshold 133880496943794170, diff 11356873169070
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): lastLogonTimestamp
is 133891853816963240
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): old timestamp is
133891853816963240, threshold 133880496943834050, diff 11356873129190
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): ldb:acl_modify:
lastLogon
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): DSDB Change
[Modify] at [Wed, 16 Apr 2025 08:41:34.385955 CEST] status [Success]
remote host [Unknown] SID [S-1-5-18] DN
[CN=root,CN=Users,DC=ad,DC=domain,DC=it] attributes [replace: lastLogon
[133892592943834050] replace: logonCount [381]]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): {"timestamp":
"2025-04-16T08:41:34.386279+0200", "type": "dsdbChange", "dsdbChange":
{"version": {"major": 1, "minor": 0}, "statusCode": 0, "status":
"Success", "operation": "Modify", "remoteAddress": null,
"performedAsSystem": false, "userSid": "S-1-5-18", "dn":
"CN=root,CN=Users,DC=ad,DC=domain,DC=it", "transactionId":
"d3356457-0c33-4bad-9762-eee30ba68877", "sessionId":
"c16c0b56-8233-49d0-981a-fb13e789a9a6", "attributes": {"lastLogon":
{"actions": [{"action": "replace", "values": [{"value":
"133892592943834050"}]}]}, "logonCount": {"actions": [{"action":
"replace", "values": [{"value": "381"}]}]}}}}
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
descriptor_prepare_commit: changes: num_registrations=0
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
descriptor_prepare_commit: changes: num_registered=0
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
descriptor_prepare_commit: changes: num_toplevel=0
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
descriptor_prepare_commit: changes: num_processed=0
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
descriptor_prepare_commit: objects: num_processed=0
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
descriptor_prepare_commit: objects: num_skipped=0
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): DSDB Transaction
[commit] at [Wed, 16 Apr 2025 08:41:34.425158 CEST] duration [45671]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): {"timestamp":
"2025-04-16T08:41:34.425269+0200", "type": "dsdbTransaction",
"dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action":
"commit", "transactionId": "d3356457-0c33-4bad-9762-eee30ba68877",
"duration": 45671}}
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): closing down fd 25
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): gendb_search_v:
DC=ad,DC=domain,DC=it NULL -> 1
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
kdb_samba_db_sign_auth_data: *** Sign data for client principal:
root at AD.DOMAIN.IT [TGS_REQ FIND_PAC]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
kdb_samba_db_sign_auth_data: Found PAC data for TGS-REQ
[root at AD.DOMAIN.IT]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
kdb_samba_db_sign_auth_data: Verify PAC for TGS [root at AD.DOMAIN.IT]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
kdb_samba_db_sign_auth_data: Signing PAC for TGS-REQ [root at AD.DOMAIN.IT]
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): TGS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), UNSUPPORTED:des-cbc-md5(3),
UNSUPPORTED:des-cbc-crc(1), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135)}) 192.168.1.115: ISSUE: authtime 1744785694, etypes
{rep=DEPRECATED:arcfour-hmac(23), tkt=DEPRECATED:arcfour-hmac(23),
ses=DEPRECATED:arcfour-hmac(23)}, root at AD.DOMAIN.IT for
LINUX$@AD.DOMAIN.IT
Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info): closing down fd 25
[2025/04/16 08:41:34.473448, 3, pid=54914, effective(0, 0), real(0, 0)]
../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection -
'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED'
[2025/04/16 08:41:34.473721, 10, pid=54914, effective(0, 0), real(0, 0)]
../../lib/messaging/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
msg_dgm_ref_destructor: refs=0x561d52c50370
[2025/04/16 08:41:35.300200, 10, pid=54890, effective(0, 0), real(0, 0),
class=drs_repl]
../../source4/dsdb/repl/drepl_notify.c:467(dreplsrv_notify_schedule)
dreplsrv_notify_schedule: dreplsrv_notify_schedule(5) scheduled for:
Wed Apr 16 08:41:40 2025 CEST
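As an added aid for the two checks this post relies on (not code from the post or from Samba): a Python helper that decodes an msDS-SupportedEncryptionTypes value the way `net ads enctypes list` prints it, and scans krb5kdc ISSUE lines for tickets whose reply, ticket or session key the KDC itself labels DEPRECATED or UNSUPPORTED, so the RC4-only issues shown above can be spotted across a whole log rather than by eye. The sample lines are constructed from the post's own entries (re-joined onto single lines, "at" restored to "@"); the AES-only line for `alice` is invented for contrast.

```python
import re

# msDS-SupportedEncryptionTypes bits, in the order `net ads enctypes list` prints them
ENCTYPE_BITS = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
                0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96",
                0x20: "AES256-CTS-HMAC-SHA1-96-SK", 0x80000: "RESOURCE-SID-COMPRESSION-DISABLED"}

def decode_enctypes(value):
    """Names of the bits set in an msDS-SupportedEncryptionTypes value (28 -> RC4 + both AES)."""
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]

# One krb5kdc ticket-issue summary: "<AS_REQ|TGS_REQ> (...) <client ip>: ISSUE: authtime N,
# etypes {rep=..., tkt=..., ses=...}, <client principal> for <server principal>"
ISSUE_RE = re.compile(r"(?P<kind>AS_REQ|TGS_REQ) .*?(?P<client>\S+): ISSUE: .*?etypes "
                      r"\{(?P<etypes>[^}]*)\}, (?P<princ>\S+) for (?P<server>\S+)")

def weak_ticket_issues(lines):
    """Return (kind, client ip, client principal, server principal, {role: etype}) for each
    ISSUE line whose reply, ticket or session key uses an etype the KDC itself labels
    DEPRECATED or UNSUPPORTED. NEEDED_PREAUTH and non-KDC lines are skipped."""
    hits = []
    for m in filter(None, map(ISSUE_RE.search, lines)):
        roles = dict(part.split("=", 1) for part in m.group("etypes").split(", "))
        weak = {r: e for r, e in roles.items() if e.startswith(("DEPRECATED:", "UNSUPPORTED:"))}
        if weak:
            hits.append((m.group("kind"), m.group("client"), m.group("princ"), m.group("server"), weak))
    return hits

# Constructed sample: the post's wrapped KDC lines re-joined onto single lines, with the
# mailing-list "at" restored to "@", plus one constructed AES-only issue for contrast.
PFX = "Apr 16 08:21:38 linux.domain.it krb5kdc[54100](info): "
OFFERED = "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), UNSUPPORTED:des-cbc-md5(3)}"
RC4, AES = "DEPRECATED:arcfour-hmac(23)", "aes256-cts-hmac-sha1-96(18)"
SAMPLE_LOG = [
    f"{PFX}AS_REQ (4 etypes {OFFERED}) 192.168.1.115: NEEDED_PREAUTH: root@DOMAIN for "
    "krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required",
    f"{PFX}AS_REQ (4 etypes {OFFERED}) 192.168.1.115: ISSUE: authtime 1744784498, etypes "
    f"{{rep={RC4}, tkt={RC4}, ses={RC4}}}, root@DOMAIN for krbtgt/DOMAIN@DOMAIN",
    f"{PFX}TGS_REQ (7 etypes {OFFERED[:-1]}, UNSUPPORTED:des-cbc-crc(1), DEPRECATED:arcfour-hmac-exp(24), "
    f"UNSUPPORTED:(-135)}}) 192.168.1.115: ISSUE: authtime 1744784498, etypes "
    f"{{rep={RC4}, tkt={RC4}, ses={RC4}}}, root@AD.DOMAIN.IT for LINUX$@AD.DOMAIN.IT",
    f"{PFX}AS_REQ (2 etypes {{{AES}, aes128-cts-hmac-sha1-96(17)}}) 192.168.1.115: ISSUE: authtime "
    f"1744784499, etypes {{rep={AES}, tkt={AES}, ses={AES}}}, alice@AD.DOMAIN.IT for krbtgt/AD.DOMAIN.IT@AD.DOMAIN.IT",
]

if __name__ == "__main__":
    print("PC-CICCIO$ supports:", decode_enctypes(28))
    for kind, ip, princ, server, weak in weak_ticket_issues(SAMPLE_LOG):
        print(f"{kind} from {ip}: {princ} -> {server} issued with {weak}")
```

Run against a real krb5kdc log with `weak_ticket_issues(open("/var/log/krb5kdc.log"))` after joining wrapped lines; a principal that keeps getting RC4 keys although its account bitmask lists AES is the one to look at first.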