[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Virgo Pärna
virgo.parna at mail.ee
Wed Jan 22 05:16:45 UTC 2025
I'm having a strange issue with Samba 4.21.3 (from Debian bookworm
backports) and Windows 11 24H2 Pro, where domain users can no longer log
in.
The error is "The username or password is incorrect". It used to work
with 4.17.12 from bookworm, but I upgraded because, ever since the 24H2
upgrade, there were issues with passwordless authentication between
domain computers when using RDP.
When logged in as a local user, "test-computersecurechannel" reports
True. Same with "test-computersecurechannel -repair".
The strange thing is that if I access a folder shared on that computer
from a computer that is not in the domain, then supplying the same
username and password works... I can access the share. I can also access
shares from other domain Windows computers (running Windows 10) without
problems. But I cannot log in locally, via remote desktop or via the ssh
server (OpenSSH).
Initially I noticed an schannel message in the event log about the LDAP
server certificate, but even giving the LDAP server a certificate that
is issued by the internal CA (the root certificate is installed on that
computer) did not fix the login issue.
There was also a time syncing issue, which I fixed.
On reboot or when restarting NETLOGON service I get:
------------------------------------------------------------------------
This computer was not able to set up a secure session with a domain
controller in domain MYDOMAIN due to the following:
An internal error occurred.
This may lead to authentication problems. Make sure that this computer
is connected to the network. If the problem persists, please contact
your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in
the specified domain. Otherwise, this computer sets up the secure
session to any domain controller in the specified domain.
------------------------------------------------------------------------
gpupdate fails to update machine policy.
----------------------------------------------------------------------
Updating policy...
Computer policy could not be updated successfully. The following errors
were encountered:
The processing of Group Policy failed because of lack of network
connectivity to a domain controller. This may be a transient condition.
A success message would be generated once the machine gets connected to
the domain controller and Group Policy has successfully processed. If
you do not see a success message for several hours, then contact your
administrator.
User Policy update has completed successfully.
To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from the command line to access information about Group
Policy results.
----------------------------------------------------------------------
--
Virgo Pärna
virgo.parna at mail.ee