[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Georg Weickelt
georg.weickelt at ibedelmann.de
Wed Jan 22 08:29:07 UTC 2025
Hello,
this has also happened to us recently. However, the login of this user
then worked on another computer and often also after a restart of the
client.
I suspect it is related to changes in Windows. Apparently, older RC4
tickets are no longer supported. We have the same Samba version and I am
sure that the newer Kerberos encryption types AES 128 or AES 256 are
supported. Maybe you can check the following:
In the user manager under ‘Account’: ‘This account supports Kerberos AES
128-bit encryption’ and ‘This account supports Kerberos AES 256-bit
encryption’ - are they ticked?
Have the passwords perhaps not been changed for a long time?
Unfortunately, I have not yet solved the problem.
Best regards
Georg
Am 22.01.2025 um 06:16 schrieb Virgo Pärna via samba:
> I'm having a strange issue with Samba 4.21.3 (from debian
> bookworm backports) and Windows 11 24H2 Pro, where a domain user can no
> longer log in.
>
> The error is "The username or password is incorrect". It used to work
> with 4.17.12 from bookworm, but I upgraded, because ever since the 24H2
> upgrade there were issues with passwordless authentication between
> domain computers when using RDP.
>
> When logged in as a local user, "test-computersecurechannel" reports
> True. Same with "test-computersecurechannel -repair".
>
> The strange thing is that if I access a folder shared on that
> computer from a computer that is not in the domain, then supplying the same
> username and password works... I can access the share. I can also
> access shares from other domain Windows computers (running Windows 10)
> without problems. But I cannot log in locally, via remote desktop or
> via the ssh server (OpenSSH).
>
> Initially I noticed in the event log a schannel message about the LDAP
> server certificate, but even giving the LDAP server a certificate that is
> issued by our internal CA (the root certificate is installed on that computer)
> did not fix the login issue.
> There was also a time-syncing issue, which I fixed.
>
> On reboot or when restarting NETLOGON service I get:
> ------------------------------------------------------------------------
> This computer was not able to set up a secure session with a domain
> controller in domain MYDOMAIN due to the following:
> An internal error occurred.
> This may lead to authentication problems. Make sure that this computer
> is connected to the network. If the problem persists, please contact
> your domain administrator.
>
> ADDITIONAL INFO
> If this computer is a domain
> controller for the specified domain, it sets up the secure session to
> the primary domain controller emulator in the specified
> domain. Otherwise, this computer sets up the secure session to any
> domain controller in the specified domain.
> ------------------------------------------------------------------------
>
> gpupdate fails to update machine policy.
> ----------------------------------------------------------------------
> Updating policy...
>
> Computer policy could not be updated successfully. The following errors
> were encountered:
>
> The processing of Group Policy failed because of lack of network
> connectivity to a domain controller. This may be a transient condition.
> A success message would be generated once the machine gets connected to
> the domain controller and Group Policy has successfully processed. If
> you do not see a success message for several hours, then contact your
> administrator.
> User Policy update has completed successfully.
>
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.
> ----------------------------------------------------------------------
>
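One way to check, at the directory level, the account setting Georg points at (the two AES checkboxes set bits in the msDS-SupportedEncryptionTypes attribute), as an added example that is not from this thread or from the Samba project: a script that decodes that attribute from an LDIF export and lists accounts that do not advertise AES. The bit-to-enctype mapping is the documented one; the LDIF, the account names and the idea of feeding it an ldbsearch/samba-tool export are constructed assumptions.

```python
# Added example (not from the thread): decode msDS-SupportedEncryptionTypes,
# the attribute behind "This account supports Kerberos AES 128/256-bit
# encryption", and flag accounts that do not advertise AES. The sample
# LDIF below is constructed; the bit values are the documented ones.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10


def decode_enctypes(value):
    """Return the enctype names whose bits are set in the attribute value."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def parse_ldif(text):
    """Minimal LDIF reader: sAMAccountName -> attribute value (None if unset)."""
    accounts, current = {}, None
    for line in text.splitlines():
        if line.startswith("sAMAccountName:"):
            current = line.split(":", 1)[1].strip()
            accounts[current] = None
        elif line.startswith("msDS-SupportedEncryptionTypes:") and current:
            accounts[current] = int(line.split(":", 1)[1])
    return accounts


def accounts_without_aes(accounts):
    """Accounts whose attribute is unset or lacks both AES bits (assumed: unset
    means the account falls back to RC4 only and deserves a look)."""
    return sorted(n for n, v in accounts.items() if v is None or not v & AES_MASK)


SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
msDS-SupportedEncryptionTypes: 28

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
msDS-SupportedEncryptionTypes: 4

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
"""

if __name__ == "__main__":
    accts = parse_ldif(SAMPLE_LDIF)
    for name, value in accts.items():
        print(name, value, decode_enctypes(value or 0))
    print("no AES advertised:", accounts_without_aes(accts))
```

Accounts it lists are candidates for ticking the AES boxes and then changing the password, since the AES keys only exist once a password has been set with AES enabled.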