[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

Virgo Pärna virgo.parna at mail.ee
Thu Jan 30 09:35:56 UTC 2025


On 29.01.2025 17:07, Rowland Penny via samba wrote:
> On Wed, 29 Jan 2025 12:27:31 +0200
> Virgo Pärna via samba <samba at lists.samba.org> wrote:
> 
>> # FLAG_ALLOW_RENAME 0x400000
>> systemFlags: 1073741824
>>
>> Although 1073741824 is 0x4000 0000, not 0x40 0000
> 
> Setting systemFlags to 1073741824 does allow the object to be renamed,
> so that is correct.
> 

	Yeah, it seems to be an error in the Microsoft Schema-Updates.md 
documentation, on which Samba's Schema-Updates.md is based. 
FLAG_CONFIG_ALLOW_RENAME is actually 0x4000 0000.

> That is where it appears to go wrong, but 2348810240 is computed from:
> 
> FLAG_DISALLOW_DELETE 2147483648
> FLAG_DOMAIN_DISALLOW_RENAME 134217728
> FLAG_DOMAIN_DISALLOW_MOVE 67108864
> 
> and if you add up all the numbers, you get 2348810240, so that should
> be correct. Have you checked the ldif for abnormalities ? Spaces etc.
> 

	And "Expiring Group Membership Feature" originally had the same 
systemFlags. It is actually added in the same transaction (when upgrading 
the schema from 2012 to 2016).
	I have not changed that Schema-Updates.md myself (it was part of the 
samba package), and I cannot see any differences.

> Management Feature,CN=Optional .......' DN, I found that the
> systemFlags attribute is set to '-1946157056', which, as far as I can
> see, is 'no changes allowed', I have no idea how it was set to that.
> 

	Strange. There do not seem to be any additional patches by Samba to it 
either.

> Have you tried adding '-d10' to the 'samba-tool domain join' command to
> see if any further error messages are printed ?
> 

	Joining the domain is not an issue. At least I was able to join a Windows 
11 24H2 test VM and a 22H2 test VM to the domain. But I cannot log in with a 
domain account on either of those... So the actual problem is not tied 
to Windows 11 24H2. Something about my DC must be wrong.
	I did do one thing in the wrong order. I used
samba-tool domain level
to raise the domain level before the schema upgrades. In the original 4.17.12, to 
2008_R2 (that was some time before the login issue 
appeared), and then all the way to 2016 after I already had the login 
problem. I only now discovered that there are separate schema upgrades.

	Since the problem appears to be tied to a specific domain, that 
discrepancy could be an issue; unfortunately I am unable to upgrade the 
schema to the same level.

	Otherwise the Windows test-computersecurechannel and 
"test-computersecurechannel -repair" both work.
	And "dcdiag /s:dc.domain" fails on some tests, but from Google results 
they appear to be common failures for a Samba DC.

* SysVolCheck - SysVol is not ready... But that mentions FRS, which is 
sysvol replication, which Samba does not support. And googling about it 
seemed to imply that it is expected
* ObjectsReplicated is passed, but complains that replication access was 
denied
* Replications is failed with the same error.
* Services fails, because Samba does not have the Windows services that it 
expects. And Samba NETLOGON is WIN32_OWN_PROCESS, not WIN32_SHARE_PROCESS
* VerifyReferences fails, because there is no sysvol replication 
attribute. That is expected.
* ForestDnsZones CheckSDRefDom test fails because of the missing 
msDS-SD-Reference-Domain attribute. Same with the DomainDnsZones 
CheckSDRefDom test.


-- 
Virgo Pärna
virgo.parna at mail.ee
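
The systemFlags arithmetic discussed in this thread (1073741824 vs 0x400000, 2348810240 as the sum of three flags, and the '-1946157056' reading) is easy to get wrong by hand. The following is an added example, not code from the original post or from Samba: it decodes a systemFlags value into flag names using the bit values quoted in the thread (a partial table of the MS-ADTS systemFlags bits), composes a value from names for an LDIF, normalises between the signed and unsigned 32-bit forms that different LDAP tools print, and checks an LDIF 'systemFlags:' line for the stray whitespace Rowland suggests looking for. The function names are this example's own.

```python
# Added example: decode/compose Active Directory systemFlags values.
# Not Samba code. Flag table is partial: only the bits quoted in the
# thread (values per MS-ADTS systemFlags).

SYSTEM_FLAGS = {
    "FLAG_DISALLOW_DELETE":        0x80000000,  # 2147483648
    "FLAG_CONFIG_ALLOW_RENAME":    0x40000000,  # 1073741824, not 0x400000
    "FLAG_DOMAIN_DISALLOW_RENAME": 0x08000000,  # 134217728
    "FLAG_DOMAIN_DISALLOW_MOVE":   0x04000000,  # 67108864
}

KNOWN_MASK = 0
for _bit in SYSTEM_FLAGS.values():
    KNOWN_MASK |= _bit


def to_unsigned32(value):
    """systemFlags is a 32-bit integer. A client that treats it as a
    signed INTEGER prints the same bit pattern as a negative number;
    reduce any such value to its unsigned form before decoding."""
    return value & 0xFFFFFFFF


def to_signed32(value):
    """Inverse of to_unsigned32: the form a signed-INTEGER client prints."""
    u = value & 0xFFFFFFFF
    return u - 0x1_0000_0000 if u & 0x80000000 else u


def decode_system_flags(value):
    """Return (set of known flag names, leftover bits not in the table).
    Leftover bits are reported rather than silently dropped so that a
    value built from a wrong constant (e.g. 0x400000) is visible."""
    u = to_unsigned32(value)
    names = {name for name, bit in SYSTEM_FLAGS.items() if u & bit}
    leftover = u & ~KNOWN_MASK & 0xFFFFFFFF
    return names, leftover


def compose_system_flags(*names):
    """OR the named flags together: the decimal to write into an LDIF."""
    value = 0
    for name in names:
        value |= SYSTEM_FLAGS[name]  # KeyError on a misspelled flag name
    return value


def check_ldif_systemflags(line):
    """Parse one 'systemFlags: N' LDIF line and report defects of the kind
    the thread suggests looking for (trailing whitespace, which becomes
    part of the LDIF value, or a non-numeric value).
    Returns (int value or None, list of problem strings)."""
    problems = []
    line = line.rstrip("\r\n")
    attr, sep, raw = line.partition(":")
    if not sep or attr.strip().lower() != "systemflags":
        return None, ["not a systemFlags line"]
    if raw != raw.rstrip():
        problems.append("trailing whitespace in value")
    text = raw.strip()
    if text.lstrip("-").isdigit():
        value = int(text)
        if not -0x80000000 <= value <= 0xFFFFFFFF:
            problems.append("value does not fit in 32 bits")
        return value, problems
    problems.append("value is not a decimal integer: %r" % text)
    return None, problems


if __name__ == "__main__":
    # The values quoted in the thread; lines below are constructed input.
    for v in (1073741824, 0x400000, 2348810240, -1946157056):
        names, leftover = decode_system_flags(v)
        print("%12d -> %s leftover=0x%x signed=%d" % (
            v, sorted(names), leftover, to_signed32(v)))
    for ldif_line in ("systemFlags: 2348810240", "systemFlags: 2348810240 "):
        print(repr(ldif_line), check_ldif_systemflags(ldif_line))
```

Run it against the actual LDIF with something like `grep -n '^systemFlags:' file.ldif` piped into `check_ldif_systemflags`; a trailing space after the number is the sort of thing that is invisible in an editor but changes the value the server receives.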
