[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

Rowland Penny rpenny at samba.org
Thu Jan 30 19:44:05 UTC 2025


On Thu, 30 Jan 2025 11:35:56 +0200
Virgo Pärna via samba <samba at lists.samba.org> wrote:

> On 29.01.2025 17:07, Rowland Penny via samba wrote:
> > On Wed, 29 Jan 2025 12:27:31 +0200
> > Virgo Pärna via samba <samba at lists.samba.org> wrote:
> > 
> >> # FLAG_ALLOW_RENAME 0x400000
> >> systemFlags: 1073741824
> >>
> >> Although 1073741824 is 0x4000 0000, not 0x40 0000
> > 
> > Setting systemFlags to 1073741824 does allow the object to be
> > renamed, so that is correct.
> > 
> 
> 	Yeah, seems to be an error in Microsoft's Schema-Updates.md
> documentation, on which Samba's Schema-Updates.md is based.
> FLAG_CONFIG_ALLOW_RENAME is actually 0x4000 0000.
> 
> > That is where it appears to go wrong, but 2348810240 is computed
> > from:
> > 
> > FLAG_DISALLOW_DELETE 2147483648
> > FLAG_DOMAIN_DISALLOW_RENAME 134217728
> > FLAG_DOMAIN_DISALLOW_MOVE 67108864
> > 
> > and if you add up all the numbers, you get 2348810240, so that
> > should be correct. Have you checked the ldif for abnormalities ?
> > Spaces etc.
> > 
> 
> 	And "Expiring Group Membership Feature" originally had the same
> systemFlags. It is actually added in the same transaction (when upgrading
> the schema from 2012 to 2016).
> 	I have not changed that Schema-Updates.md myself (it was
> part of the samba package). And I cannot see any differences.
> 
> > Management Feature,CN=Optional .......' DN, I found that the
> > systemFlags attribute is set to '-1946157056', which, as far as I
> > can see, is 'no changes allowed', I have no idea how it was set to
> > that.
> > 
> 
> 	Strange. There do not seem to be any additional patches by
> Samba to it either.
> 
> > Have you tried adding '-d10' to the 'samba-tool domain join'
> > command to see if any further error messages are printed ?
> > 
> 
> 	Joining the domain is not an issue. At least I was able to
> join a Windows 11 24H2 test-vm and a 22H2 test-vm to the domain. But I cannot
> log in with a domain account to either of those... So the actual
> problem is not tied to Windows 11 24H2. Something about my DC must be
> wrong. I did do one thing in the wrong order. I used
> samba-tool domain level
> to raise the domain level before the schema upgrades. In the original 4.17.12 to
> 2008_R2 (that was some time before the logging-in issue
> appeared). And then all the way to 2016 after I already had the login
> problem. I only now discovered that there are separate schema
> upgrades.
> 
> 	Since the problem appears to be tied to a specific domain,
> that discrepancy could be an issue; unfortunately I am unable to
> upgrade the schema to the same level.
> 
> 	Otherwise Windows test-computersecurechannel and "
> test-computersecurechannel -repair" both work.
> 	And "dcdiag /s:dc.domain" fails on some tests, but from
> google results they appear to be common failures for a Samba DC.
> 
> * SysVolCheck - SysVol is not ready... But that mentions FRS, which is
> sysvol replication, which Samba does not support. And googling about it
> seemed to imply that it is expected
> * ObjectsReplicated is passed, but complains that replication access
> was denied
> * Replications is failed with the same error.
> * Services fails, because Samba does not have the Windows services that
> it expects. And samba NETLOGON is WIN32_OWN_PROCESS, not
> WIN32_SHARE_PROCESS
> * VerifyReferences fails, because there is no sysvol replication
> attribute. That is expected.
> * ForestDnsZones CheckSDRefDom test fails because of a missing
> msDS-SD-Reference-Domain attribute. Same with the DomainDnsZones
> CheckSDRefDom test.
> 
> 

A post on reddit on a similar subject led to this:

https://learn.microsoft.com/en-us/answers/questions/2086759/insufficient-system-resources-exist-to-complete-th

Perhaps it will help.

Rowland
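The thread above compares systemFlags values that look different (2348810240 in the schema ldif, -1946157056 as displayed on the DC) and sums flag constants by hand. The following is an added example, not code from the thread or from Samba: it decodes a systemFlags value into the named bits quoted in the thread, normalises signed and unsigned 32-bit representations so they can be compared, and checks an LDIF fragment (constructed here) against the expected flag set. Only the four flag constants that appear in the thread are in the table; any other set bit is reported as "unlisted" rather than guessed at.

```python
import re

# systemFlags bits as quoted in the thread (values per the discussion above).
# Other bits exist in AD but are deliberately not listed here.
FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",          # 2147483648
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",      # 1073741824 (not 0x400000)
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",   # 134217728
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",     # 67108864
}
KNOWN_MASK = sum(FLAGS)


def to_unsigned32(value):
    """Map any integer (including a negative LDAP display value) onto its 32-bit pattern."""
    return value & 0xFFFFFFFF


def to_signed32(value):
    """Render a 32-bit pattern the way a signed-int32 display would show it."""
    u = to_unsigned32(value)
    return u - (1 << 32) if u & 0x80000000 else u


def decode_system_flags(value):
    """Return (unsigned value, list of known flag names, unlisted leftover bits)."""
    u = to_unsigned32(value)
    names = [name for bit, name in sorted(FLAGS.items(), reverse=True) if u & bit]
    unlisted = u & ~KNOWN_MASK & 0xFFFFFFFF
    return u, names, unlisted


def same_bits(a, b):
    """True when two displayed values are the same 32-bit pattern (signed vs unsigned)."""
    return to_unsigned32(a) == to_unsigned32(b)


def expected_value(*names):
    """Sum the named flags, i.e. the by-hand addition done in the thread."""
    by_name = {n: b for b, n in FLAGS.items()}
    return sum(by_name[n] for n in names)


def system_flags_from_ldif(ldif_text):
    """Pull every systemFlags value out of an LDIF fragment, tolerating stray spaces."""
    return [int(v) for v in re.findall(r"^\s*systemFlags:\s*(-?\d+)\s*$",
                                       ldif_text, flags=re.M | re.I)]


# Constructed LDIF fragment, not the real Schema-Updates.md content.
SAMPLE_LDIF = """\
dn: CN=Example Optional Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: msDS-OptionalFeature
systemFlags: 2348810240
"""


def check_ldif_flags(ldif_text, *expected_names):
    """Compare each systemFlags in the fragment with the expected flag combination."""
    want = expected_value(*expected_names)
    return [(v, same_bits(v, want)) for v in system_flags_from_ldif(ldif_text)]


if __name__ == "__main__":
    for v in (2348810240, -1946157056, 1073741824, 0x400000):
        print(v, "->", decode_system_flags(v))
    print(check_ldif_flags(SAMPLE_LDIF, "FLAG_DISALLOW_DELETE",
                           "FLAG_DOMAIN_DISALLOW_RENAME", "FLAG_DOMAIN_DISALLOW_MOVE"))
```

Running it shows that -1946157056 and 2348810240 are the same bit pattern (DISALLOW_DELETE | DOMAIN_DISALLOW_RENAME | DOMAIN_DISALLOW_MOVE) displayed as signed and unsigned int32 respectively, and that 0x400000 matches none of the listed flags, which is consistent with the documentation error discussed above.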


