[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

Rowland Penny rpenny at samba.org
Wed Jan 22 10:25:56 UTC 2025


On Wed, 22 Jan 2025 11:38:24 +0200
Virgo Pärna via samba <samba at lists.samba.org> wrote:

> On 22.01.2025 10:29, Georg Weickelt via samba wrote:
> > this has also happened to us recently. However, the login of this
> > user then worked on another computer and often also after a restart
> > of the client.
> 
> 	I did have a problem with Windows 10 computers for the last few
> weeks, where a domain user could not log in via remote desktop. But could
> log in directly from the console. And that was fixed by a restart.
> 	But did you also have NETLOGON errors in the Event log?
> 
> > I suspect it is related to changes in Windows. Apparently, older
> > RC4 tickets are no longer supported. We have the same Samba version
> > and I am sure that the newer Kerberos encryption types AES 128 or
> > AES 256 are supported. Maybe you can check the following:
> > In the user manager under ‘Account’: ‘This account supports
> > Kerberos AES 128-bit encryption’ and ‘This account supports
> > Kerberos AES 256-bit encryption’ - are they ticked?
> 
> 	Nothing is checked there for the user account.
> 
> > Have the passwords perhaps not been changed for a long time?
> 
> 	After this started happening, I did try setting the same password
> again for the user with smbpasswd in Linux.

Try using samba-tool to set a new password for the user.

> 
> 	But that NETLOGON message in the event log makes it look like a
> more generic problem.
> 	I thought of checking name resolution, but Windows nslookup
> seems to be unable to resolve SRV records. But they seem to be ok.
> Windows nslookup requiring the name to end with a dot caused some initial
> confusion.

If Windows cannot resolve SRV records, then it looks like you have DNS
problems. Are the clients using a DC as their first nameserver?

Rowland
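
The two account checkboxes mentioned in the quoted message are stored as bits in the user's msDS-SupportedEncryptionTypes attribute, so they can be audited for many accounts at once. The following is an added example, not part of the thread or of Samba's own code: it reads LDIF text of user objects and reports which accounts have the attribute unset or lack the AES bits. The function names and the sample records are constructed for illustration.

```python
# Bit values of the msDS-SupportedEncryptionTypes attribute.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10

def decode_etypes(value):
    """Return the names of the encryption types set in the bitmask."""
    return [name for bit, name in ETYPE_BITS.items() if value & bit]

def audit_ldif(ldif_text):
    """Map sAMAccountName -> (status, etype names) for every LDIF record."""
    report = {}
    for record in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, val = line.split(": ", 1)
            attrs[key.lower()] = val.strip()
        name = attrs.get("samaccountname")
        if name is None:
            continue
        raw = attrs.get("msds-supportedencryptiontypes")
        value = int(raw) if raw is not None else 0
        # "unset" means the attribute is absent, i.e. neither checkbox is ticked.
        status = "unset" if raw is None else ("aes" if value & AES_MASK else "no-aes")
        report[name] = (status, decode_etypes(value))
    return report

# Constructed sample records (not taken from the thread).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
msDS-SupportedEncryptionTypes: 24

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=svc-old,CN=Users,DC=example,DC=com
sAMAccountName: svc-old
msDS-SupportedEncryptionTypes: 4
"""
if __name__ == "__main__":
    for account, (status, names) in audit_ldif(SAMPLE_LDIF).items():
        print(f"{account:10} {status:7} {', '.join(names) or '-'}")
```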




