[Samba] Connection is now "unauthorized" to Samba from Windows 11 client
Rowland Penny
rpenny at samba.org
Tue Mar 11 09:05:08 UTC 2025
On Mon, 10 Mar 2025 19:16:03 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:
> I've been trying to fix this problem connecting from a Windows 11
> client to Samba 4.11.13
>
> I'm hoping for troubleshooting advice
> or maybe this is a known problem with recent Windows updates?
>
> The problem:
>
> On w11 client, most services work just fine...
> I can log into my AD account, access the network shares and the
> internet, etc.
>
> However, now, despite this, the Ethernet connection in Windows shows
> as "(unauthorized)" and this prevents
> Remote Desktop from working to this machine, for example.
>
> Oddly, this client used to connect just fine to the same Samba server
> and I could use Remote Desktop, for example, to access it.
> The connection did not show as unauthorized.
>
> But lately, as Windows updates occurred, the problem got worse,
> but I was able to sometimes repeatedly disable and re-enable the
> network interface to fix it.
>
> I finally put another Ethernet network card in the machine to see if
> it was a hardware problem.
>
> But the connection using this new network card also showed
> "unauthorized" and had the same problem,
> so I reverted the network cable back to the original card.
>
> Now, the connection ALWAYS shows "unauthorized".
>
> I tried Resetting the Computer account in ADUC (from a Win10 client
> that works), but it didn't help.
>
> It seems to be related to PREAUTH failing in Samba.
>
> Here is what I see in the log.samba file:
>
> Kerberos: Probing for AS-REQ
> Kerberos: Not a FAST request
> Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from
> ipv4:192.168.0.166:55446 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
> Kerberos: Client sent patypes: 128
> Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=128
> Kerberos: Looking for PK-INIT(ietf) pa-data --
> win11client$@REALM.DOMAIN.COM
> Kerberos: Looking for PK-INIT(win2k) pa-data --
> win11client$@REALM.DOMAIN.COM
> Kerberos: Looking for ENC-TS pa-data --
> win11client$@REALM.DOMAIN.COM
> Kerberos: Looking for GSS pa-data --
> win11client$@REALM.DOMAIN.COM
> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> Kerberos: as-req: sending error: -1765328359 to client
> Kerberos: Making non-FAST KRB-ERROR
> Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.016224
> Kerberos: heim_audit_vaddkv(): kv pair[0]
> e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ
> Kerberos: AS-REQ ERR_PREAUTH_REQUIRED ipv4:192.168.0.166:55446
> win11client$@REALM.DOMAIN.COM
> krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM client-pa=128
> e-text=Need\sto\suse\sPA-ENC-TIMESTAMP/PA-PK-AS-REQ elapsed=0.016224
> stream_terminate_connection: Terminating connection -
> 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> Kerberos: Probing for AS-REQ
> Kerberos: Not a FAST request
> Kerberos: AS-REQ win11client$@REALM.DOMAIN.COM from
> ipv4:192.168.0.166:55447 for krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM
> Kerberos: Client sent patypes: ENC-TS, 128
> Kerberos: heim_audit_vaddkv(): kv pair[0] client-pa=ENC-TS,128
> Kerberos: Looking for PK-INIT(ietf) pa-data --
> win11client$@REALM.DOMAIN.COM
> Kerberos: Looking for PK-INIT(win2k) pa-data --
> win11client$@REALM.DOMAIN.COM
> Kerberos: Looking for ENC-TS pa-data --
> win11client$@REALM.DOMAIN.COM
> Kerberos: heim_audit_vaddkv(): kv pair[0] pa=ENC-TS
> Kerberos: Failed to decrypt PA-DATA --
> win11client$@REALM.DOMAIN.COM (enctype aes256-cts-hmac-sha1-96) error
> Decrypt integrity check failed for checksum type hmac-sha1-96-aes256,
> key type aes256-cts-hmac-sha1-96
> Kerberos: heim_audit_setkv_number(): setting kv pair pa-etype=18
> Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=5
> descriptor_prepare_commit: changes: num_registrations=0
> descriptor_prepare_commit: changes: num_registered=0
> descriptor_prepare_commit: changes: num_toplevel=0
> descriptor_prepare_commit: changes: num_processed=0
> descriptor_prepare_commit: objects: num_processed=0
> descriptor_prepare_commit: objects: num_skipped=0
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[win11client$@REALM.DOMAIN.COM] at [Mon, 10 Mar 2025
> 16:03:32.592824 MDT] with [aes256-cts-hmac-sha1-96] status
> [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host
> [ipv4:192.168.0.166:55447] mapped to [REALM]\[win11client$]. local
> host [NULL]
> {"timestamp": "2025-03-10T16:03:32.593039-0600", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 2}, "eventId": 4625, "logonId": "87fe363f495ddfd9", "logonType": 3,
> "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": null,
> "remoteAddress": "ipv4:192.168.0.166:55447", "serviceDescription":
> "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication",
> "clientDomain": null, "clientAccount":
> "win11client$@REALM.DOMAIN.COM", "workstation": null,
> "becameAccount": "win11client$", "becameDomain": "REALM",
> "becameSid": "S-1-5-21-3876585788-2465688680-3807591480-24615",
> "mappedAccount": "win11client$", "mappedDomain": "REALM",
> "netlogonComputer": null, "netlogonTrustAccount": null,
> "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType":
> 0, "netlogonTrustAccountSid": null, "passwordType":
> "aes256-cts-hmac-sha1-96", "duration": 23540}}
> Kerberos: as-req: sending error: -1765328360 to client
> Kerberos: Making non-FAST KRB-ERROR
> Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.024250
> Kerberos: AS-REQ ERR_PREAUTH_FAILED ipv4:192.168.0.166:55447
> win11client$@REALM.DOMAIN.COM
> krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM pa=ENC-TS pa-etype=18
> client-pa=ENC-TS,128 elapsed=0.024250
> stream_terminate_connection: Terminating connection -
> 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
>
> Is there a known issue with recent Windows updates that might have
> broken PREAUTH with Samba 4.11.13?

There have been quite a few Windows updates that have caused problems
with Samba; most, if not all, have been fixed, just not in your very old
version, which went EOL 4 years ago.

I suggest you upgrade to a much more recent version of Samba, the newer
the better.

Rowland
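
For triaging a KDC log like the one quoted in this thread, the following added example (not from the thread or the Samba project) decodes the numeric Heimdal error codes and pulls failed pre-authentication records out of the JSON audit entries: -1765328359 is KDC_ERR_PREAUTH_REQUIRED, the KDC's routine request for pre-authentication, while -1765328360 is KDC_ERR_PREAUTH_FAILED, the actual failure. The sample log is constructed from the quoted entries, with the JSON record trimmed and assumed to sit on one line; `triage` and `decode_krb_error` are hypothetical helper names.

```python
import json
import re
from collections import Counter

# Heimdal logs Kerberos errors as com_err numbers: this base + the RFC 4120 code.
KRB5_ERROR_BASE = -1765328384
KDC_ERRORS = {24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}
ERR_RE = re.compile(r"sending error: (-?\d+) to client")

# Constructed sample: entries from the quoted log, one per line, JSON trimmed.
SAMPLE_LOG = """\
Kerberos: Client sent patypes: 128
Kerberos: as-req: sending error: -1765328359 to client
Kerberos: Client sent patypes: ENC-TS, 128
{"timestamp": "2025-03-10T16:03:32.593039-0600", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.0.166:55447", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "win11client$@REALM.DOMAIN.COM", "passwordType": "aes256-cts-hmac-sha1-96"}}
Kerberos: as-req: sending error: -1765328360 to client
"""


def decode_krb_error(code):
    """Translate a logged com_err number into its RFC 4120 error name."""
    number = code - KRB5_ERROR_BASE
    return KDC_ERRORS.get(number, f"KRB_ERROR_{number}")


def triage(log_text):
    """Return (error name counts, failed KDC authentication records)."""
    errors, failures = Counter(), []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("{"):
            try:
                auth = json.loads(line).get("Authentication", {})
            except ValueError:
                continue  # record wrapped or truncated by the logger or mailer
            if (auth.get("serviceDescription") == "Kerberos KDC"
                    and auth.get("status") != "NT_STATUS_OK"):
                account = auth.get("clientAccount") or ""
                failures.append({
                    "account": account,
                    # A trailing "$" marks a computer account, not a user.
                    "machine_account": account.split("@")[0].endswith("$"),
                    "status": auth.get("status"),
                    "etype": auth.get("passwordType"),
                    "remote": auth.get("remoteAddress"),
                })
        elif (m := ERR_RE.search(line)):
            errors[decode_krb_error(int(m.group(1)))] += 1
    return dict(errors), failures


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A lone KDC_ERR_PREAUTH_REQUIRED per exchange is expected; the entries worth alerting on are the failure records, here an ENC-TS failure for a computer account where the KDC could not decrypt the timestamp with the key it holds.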