[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Virgo Pärna
virgo.parna at mail.ee
Thu Jan 30 09:35:56 UTC 2025
On 29.01.2025 17:07, Rowland Penny via samba wrote:
> On Wed, 29 Jan 2025 12:27:31 +0200
> Virgo Pärna via samba <samba at lists.samba.org> wrote:
>
>> # FLAG_ALLOW_RENAME 0x400000
>> systemFlags: 1073741824
>>
>> Although 1073741824 is 0x4000 0000, not 0x40 0000
>
> Setting systemFlags to 1073741824 does allow the object to be renamed,
> so that is correct.
>
Yeah, seems to be an error in Microsoft's Schema-Updates.md
documentation, on which Samba's Schema-Updates.md is based.
FLAG_CONFIG_ALLOW_RENAME is actually 0x4000 0000.
> That is where it appears to go wrong, but 2348810240 is computed from:
>
> FLAG_DISALLOW_DELETE 2147483648
> FLAG_DOMAIN_DISALLOW_RENAME 134217728
> FLAG_DOMAIN_DISALLOW_MOVE 67108864
>
> and if you add up all the numbers, you get 2348810240, so that should
> be correct. Have you checked the ldif for abnormalities ? Spaces etc.
>
And the "Expiring Group Membership Feature" originally had the same
systemFlags. It is actually added in the same transaction (when upgrading
the schema from 2012 to 2016).
I have not changed that Schema-Updates.md myself (it was part of the
samba package). And I cannot see any differences.
> Management Feature,CN=Optional .......' DN, I found that the
> systemFlags attribute is set to '-1946157056', which, as far as I can
> see, is 'no changes allowed', I have no idea how it was set to that.
>
Strange. There do not seem to be any additional patches by Samba to it
either.
> Have you tried adding '-d10' to the 'samba-tool domain join' command to
> see if any further error messages are printed ?
>
Joining the domain is not an issue. At least I was able to join a Windows
11 24H2 test-vm and a 22H2 test-vm to the domain. But I cannot log in with a
domain account on either of those... So the actual problem is not tied
to Windows 11 24H2. Something about my DC must be wrong.
I did do one thing in the wrong order. I used
samba-tool domain level
to raise the domain level before the schema upgrades. In the original 4.17.12 to
2008_R2 (that was some time before the login issue
appeared). And then all the way to 2016 after I already had the login
problem. I only now discovered that there are separate schema upgrades.
Since the problem appears to be tied to a specific domain, that
discrepancy could be an issue; unfortunately I am unable to upgrade the
schema to the same level.
Otherwise Windows "test-computersecurechannel" and
"test-computersecurechannel -repair" both work.
And "dcdiag /s:dc.domain" fails on some tests, but from google results
they appear to be common failures for a Samba DC.
* SysVolCheck - SysVol is not ready... But that mentions FRS, which is
sysvol replication, which Samba does not support. And googling about it
seemed to imply that it is expected
* ObjectsReplicated is passed, but complains that replication access was
denied
* Replications fails with the same error.
* Services fails, because Samba does not have the Windows services that it
expects. And samba NETLOGON is WIN32_OWN_PROCESS, not WIN32_SHARE_PROCESS
* VerifyReferences fails, because there is no sysvol replication
attribute. That is expected.
* ForestDnsZones CheckSDRefDom test fails because of the missing
msDS-SD-Reference-Domain attribute. Same with the DomainDnsZones
CheckSDRefDom test.
--
Virgo Pärna
virgo.parna at mail.ee
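The thread above turns on reading systemFlags correctly: whether a documented hex value matches the decimal in the LDIF, and why the same attribute shows up as 2348810240 in one place and -1946157056 in another. The following decoder is an added example written for this page; it is not code from the Samba project or from either poster. It assumes the systemFlags bit assignments documented in MS-ADTS (the three flags named in the thread plus the other FLAG_CONFIG_* bits), and the LDIF snippet it parses is constructed for the example, with placeholder DNs. It also shows that -1946157056 is exactly 2348810240 read as a signed 32-bit integer, i.e. FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE, and that the 0x400000 value printed in the documentation matches none of the known bits.

```python
"""Decode Active Directory systemFlags values as found in LDIF.

Added example for this thread, not Samba project code. Flag bits follow
MS-ADTS; only the flags discussed in the thread plus the remaining
FLAG_CONFIG_* bits are listed (assumption: this subset is enough here).
"""

# systemFlags bit definitions (MS-ADTS). The "FLAG_ALLOW_RENAME 0x400000"
# line in the documentation discussed above matches none of these bits.
SYSTEM_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
}

MASK32 = 0xFFFFFFFF


def parse_system_flags(value):
    """Return the unsigned 32-bit flag word for a systemFlags value.

    The attribute is a 32-bit integer; a tool that treats it as signed
    prints anything with bit 31 set as a negative number, so both the
    signed and the unsigned rendering are accepted here.
    """
    n = int(str(value).strip())
    if n < 0:
        n += 1 << 32
    if n < 0 or n > MASK32:
        raise ValueError(f"systemFlags out of 32-bit range: {value!r}")
    return n


def to_signed32(flags):
    """Render an unsigned flag word the way a signed-int32 reader shows it."""
    flags &= MASK32
    return flags - (1 << 32) if flags & 0x80000000 else flags


def decode_system_flags(value):
    """Return (known flag names, leftover bits no known flag explains)."""
    flags = parse_system_flags(value)
    names = [name for bit, name in sorted(SYSTEM_FLAGS.items(), reverse=True)
             if flags & bit]
    unknown = flags
    for bit in SYSTEM_FLAGS:
        unknown &= ~bit
    return names, unknown & MASK32


def system_flags_from_ldif(ldif_text):
    """Collect every systemFlags attribute value (as unsigned) from LDIF."""
    found = []
    for line in ldif_text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "systemflags":
            found.append(parse_system_flags(val))
    return found


# Constructed sample LDIF (placeholder DNs): the same flag word written
# once unsigned and once as a signed 32-bit integer.
SAMPLE_LDIF = """\
dn: CN=Example Feature A,CN=Optional Features,CN=Configuration,DC=example,DC=test
systemFlags: 2348810240

dn: CN=Example Feature B,CN=Optional Features,CN=Configuration,DC=example,DC=test
systemFlags: -1946157056
"""

if __name__ == "__main__":
    for raw in ("2348810240", "-1946157056", "1073741824", "4194304"):
        names, unknown = decode_system_flags(raw)
        print(f"{raw:>12} -> 0x{parse_system_flags(raw):08X} "
              f"{names} unknown=0x{unknown:X}")
    print("LDIF values:", [hex(v) for v in system_flags_from_ldif(SAMPLE_LDIF)])
```

Running it shows both LDIF entries decode to the same three flags, 1073741824 decodes to FLAG_CONFIG_ALLOW_RENAME alone, and 4194304 (0x400000) leaves the whole value as unexplained bits, which is the quickest way to spot a mistyped constant in a schema document before applying it.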