[Samba] Connection is now "unauthorized" to Samba from Windows 11 client

Rick Hollinbeck admin at westernwares.com
Tue Mar 11 01:16:03 UTC 2025


I've been trying to fix this problem connecting from a Windows 11 client 
to Samba 4.11.13.

I'm hoping for troubleshooting advice,
or maybe this is a known problem with recent Windows updates?

The problem:

On w11 client, most services work just fine...
I can log into my AD account, access the network shares and the 
internet, etc.

However, now, despite this, the Ethernet connection in Windows shows as 
"(unauthorized)" and this prevents
Remote Desktop from working to this machine, for example.

Oddly, this client used to connect just fine to the same Samba server
and I could use Remote Desktop, for example, to access it.
The connection did not show as unauthorized.

But lately, as Windows updates occurred, the problem got worse,
but I was able to sometimes repeatedly disable and re-enable the network 
interface to fix it.

I finally put another Ethernet network card in the machine to see if it 
was a hardware problem.

But the connection using this new network card also showed 
"unauthorized" and had the same problem,
so I reverted the network cable back to the original card.

Now, the connection ALWAYS shows "unauthorized".

I tried resetting the computer account in ADUC (from a Win10 client that 
works), but it didn't help.

It seems to be related to PREAUTH failing in Samba.

Here is what I see in the log.samba file:

   Kerberos: Probing for AS-REQ
   Kerberos: Not a FAST request
   Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from ipv4:192.168.0.166:55446 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
   Kerberos: Client sent patypes: 128
   Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=128
   Kerberos: Looking for PK-INIT(ietf) pa-data -- win11client$@REALM.DOMAIN.COM
   Kerberos: Looking for PK-INIT(win2k) pa-data -- win11client$@REALM.DOMAIN.COM
   Kerberos: Looking for ENC-TS pa-data -- win11client$@REALM.DOMAIN.COM
   Kerberos: Looking for GSS pa-data -- win11client$@REALM.DOMAIN.COM
   Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
   Kerberos: as-req: sending error: -1765328359 to client
   Kerberos: Making non-FAST KRB-ERROR
   Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.016224
   Kerberos: heim_audit_vaddkv(): kv pair[0] e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
   Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.0.166:55446 win11client$@REALM.DOMAIN.COM krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM client-pa=128 e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.016224
   stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
   Kerberos: Probing for AS-REQ
   Kerberos: Not a FAST request
   Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from ipv4:192.168.0.166:55447 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
   Kerberos: Client sent patypes: ENC-TS, 128
   Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=ENC-TS,128
   Kerberos: Looking for PK-INIT(ietf) pa-data -- win11client$@REALM.DOMAIN.COM
   Kerberos: Looking for PK-INIT(win2k) pa-data -- win11client$@REALM.DOMAIN.COM
   Kerberos: Looking for ENC-TS pa-data -- win11client$@REALM.DOMAIN.COM
   Kerberos: heim_audit_vaddkv(): kv pair[0] pa=ENC-TS
   Kerberos: Failed to decrypt PA-DATA -- win11client$@REALM.DOMAIN.COM (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
   Kerberos: heim_audit_setkv_number(): setting kv pair pa-etype=18
   Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=5
   descriptor_prepare_commit: changes: num_registrations=0
   descriptor_prepare_commit: changes: num_registered=0
   descriptor_prepare_commit: changes: num_toplevel=0
   descriptor_prepare_commit: changes: num_processed=0
   descriptor_prepare_commit: objects: num_processed=0
   descriptor_prepare_commit: objects: num_skipped=0
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[win11client$@REALM.DOMAIN.COM] at [Mon, 10 Mar 2025 16:03:32.592824 MDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.166:55447] mapped to [REALM]\[win11client$]. local host [NULL]
   {"timestamp": "2025-03-10T16:03:32.593039-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "87fe363f495ddfd9", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": null, "remoteAddress": "ipv4:192.168.0.166:55447", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "win11client$@REALM.DOMAIN.COM", "workstation": null, "becameAccount": "win11client$", "becameDomain": "REALM", "becameSid": "S-1-5-21-3876585788-2465688680-3807591480-24615", "mappedAccount": "win11client$", "mappedDomain": "REALM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 23540}}
   Kerberos: as-req: sending error: -1765328360 to client
   Kerberos: Making non-FAST KRB-ERROR
   Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.024250
   Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.0.166:55447 win11client$@REALM.DOMAIN.COM krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM pa=ENC-TS pa-etype=18 client-pa=ENC-TS,128 elapsed=0.024250
   stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

Is there a known issue with recent Windows updates that might have 
broken PREAUTH with Samba 4.11.13?

Thanks.
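
Added example (not part of the original post and not Samba project code): a Python triage of the log.samba excerpt above. It separates the routine first-round ERR_PREAUTH_REQUIRED from the actual ERR_PREAUTH_FAILED and joins the failure to its JSON audit record. The sample lines are re-joined and abridged from the excerpt, and the function names parse() and triage() are hypothetical.

```python
import json
import re

# Constructed sample: lines from the log excerpt above, re-joined and abridged.
SAMPLE_LOG = r"""
Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from ipv4:192.168.0.166:55446 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
Kerberos: as-req: sending error: -1765328359 to client
Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.0.166:55446 win11client$@REALM.DOMAIN.COM krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM client-pa=128 e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.016224
Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from ipv4:192.168.0.166:55447 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
Kerberos: Failed to decrypt PA-DATA -- win11client$@REALM.DOMAIN.COM (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
{"timestamp": "2025-03-10T16:03:32.593039-0600", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.0.166:55447", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "win11client$@REALM.DOMAIN.COM", "passwordType": "aes256-cts-hmac-sha1-96"}}
Kerberos: as-req: sending error: -1765328360 to client
Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.0.166:55447 win11client$@REALM.DOMAIN.COM krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM pa=ENC-TS pa-etype=18 client-pa=ENC-TS,128 elapsed=0.024250
"""

KRB5_BASE = -1765328384  # krb5 error-table base: RFC 4120 error code = value - base
ERRNO = re.compile(r"as-req: sending error: (-\d+) to client")
SUMMARY = re.compile(r"AS-REQ (ERR_\w+) (\S+) (\S+) ")

def parse(log):
    """Return one dict per finished AS-REQ exchange, joined to its JSON audit record."""
    exchanges, audits, code = [], {}, None
    for line in map(str.strip, log.splitlines()):
        if line.startswith("{"):  # JSON audit record, keyed by the client socket
            rec = json.loads(line).get("Authentication", {})
            audits[rec.get("remoteAddress")] = rec
        elif m := ERRNO.search(line):
            code = int(m.group(1)) - KRB5_BASE  # 25 = PREAUTH_REQUIRED, 24 = PREAUTH_FAILED
        elif m := SUMMARY.search(line):
            result, remote, client = m.groups()
            exchanges.append({"result": result, "remote": remote, "client": client,
                              "krb_error": code, "audit": audits.get(remote, {})})
            code = None
    return exchanges

def triage(exchanges):
    """Drop the routine first round trip; report the exchanges that really failed."""
    findings = []
    for ex in exchanges:
        if ex["result"] == "ERR_PREAUTH_REQUIRED":
            continue  # KDC asking the client to retry with pre-auth data, not a failure
        findings.append({"client": ex["client"], "result": ex["result"],
                         "krb_error": ex["krb_error"],
                         "machine_account": ex["client"].split("@")[0].endswith("$"),
                         "status": ex["audit"].get("status"),
                         "etype": ex["audit"].get("passwordType")})
    return findings

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

On the sample this reports a single finding: the machine account's ENC-TS timestamp failed to decrypt with the aes256 key the KDC holds for that principal, which is what the NT_STATUS_WRONG_PASSWORD audit status records.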




