Score:0

Windows client can't join Samba domain anymore

DISCLAIMER:
I'm still trying to fully learn and understand how to properly maintain a Samba domain controller.

The Problem:

I had a working Samba installation with an AD controller, but now, just a month after my last computer join, it won't work anymore. On Windows it says "unknown user or password", but I've checked them to be correct.

I tried setting the log level to 3 in "smb.conf" and while trying to join a computer this gets logged:

[2022/10/04 12:11:58.018256,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ [email protected] from ipv4:172.27.2.58:50124 for krbtgt/[email protected]
[2022/10/04 12:11:58.039839,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2022/10/04 12:11:58.040080,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- [email protected]
[2022/10/04 12:11:58.040191,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2022/10/04 12:11:58.040341,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
[2022/10/04 12:11:58.043598,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/04 12:11:58.054880,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ [email protected] from ipv4:172.27.2.58:50125 for krbtgt/[email protected]
[2022/10/04 12:11:58.076255,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2022/10/04 12:11:58.076483,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- [email protected]
[2022/10/04 12:11:58.076587,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2022/10/04 12:11:58.077527,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- [email protected] using aes256-cts-hmac-sha1-96
[2022/10/04 12:11:58.077840,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[[email protected]] at [Tue, 04 Oct 2022 12:11:58.077747 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.27.2.58:50125] became [EXAMPLE]\[admuser] [S-1-5-21-578677625-3635414378-1858279571-1104]. local host [NULL] 
  {"timestamp": "2022-10-04T12:11:58.086113+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "c61be2b0d84a3e12", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.27.2.58:50125", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "[email protected]", "workstation": null, "becameAccount": "admuser", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-578677625-3635414378-1858279571-1104", "mappedAccount": "admuser", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 31663}}
[2022/10/04 12:11:58.160727,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-10-04T12:11:58 starttime: unset endtime: 2022-10-04T22:11:58 renew till: 2022-10-11T12:11:58
[2022/10/04 12:11:58.161033,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/10/04 12:11:58.161206,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2022/10/04 12:11:58.165799,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/04 12:11:58.178036,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/04 12:11:58.178282,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.58:50126

As you can see, the authentication here is reported to be successful. So far it's the same issue as here, so I tried the following commands:

 root@SMBDC1:~# host -t SRV _ldap._tcp.example.net
    _ldap._tcp.example.net has SRV record 0 100 389 smbdc1.example.net.
 root@SMBDC1:~# host -t SRV _kerebros._udp.example.net
    Host _kerebros._udp.example.net not found: 3(NXDOMAIN)
 root@SMBDC1:~# host -t A focal.exapmle.net
    Host focal.example.net not found: 3(NXDOMAIN)
    
 root@SMBDC1:~# dig -t SRV _kerebros._udp.frankini.net
    
    ; <<>> DiG 9.16.1-Ubuntu <<>> -t SRV _kerebros._udp.frankini.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 138
    ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;_kerebros._udp.frankini.net.   IN      SRV
    
    ;; AUTHORITY SECTION:
    frankini.net.           3600    IN      SOA        
    smbdc1.frankini.net. hostmaster.        frankini.net. 55 900 600 86400 3600
    
    ;; Query time: 3 msec
    ;; SERVER: 172.27.1.1#53(172.27.1.1)
    ;; WHEN: Fri Oct 07 21:44:12 CEST 2022
    ;; MSG SIZE  rcvd: 99

This originally worked, but now I get "Host not found"... What could have changed?

My setup

router:     172.27.0.1
smbdc:      172.27.1.1
dns:        172.27.1.2

dhcp range: 172.27.2.2 - 172.27.2.254

Samba runs on an Orange Pi Zero and I connect to it through PuTTY and FileZilla.

I route communication between the xxx.xxx.0.xxx, xxx.xxx.1.xxx and xxx.xxx.2.xxx IP ranges and set the network mask to be 255.255.0.0.

System

 OS:    Armbian 22.05.3 Focal with Linux 5.15.48-sunxi
 SAMBA: Samba version 4.13.17-Ubuntu

smb.conf

# Global parameters
[global]
    dns forwarder = 172.27.1.2
    netbios name = SMBDC1
    realm = EXAMPLE.NET
    server role = active directory domain controller
    workgroup = EXAMPLE
    idmap_ldb:use rfc2307 = yes
    host msdfs = yes
    log level = 3

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/example.net/scripts
    read only = No

UPDATE:

I made an image of the disk as a backup, then did a bunch of tests with no success. So I finally reverted the image to the disk as it was, and now suddenly these commands work:

root@SMBDC1:~# host -t SRV _ldap._tcp.example.net
    _ldap._tcp.example.net has SRV record 0 100 389 smbdc1.example.net.
root@SMBDC1:~# host -t SRV _kerberos._udp.example.net
    _kerberos._udp.example.net has SRV record 0 100 88 smbdc1.example.net.
root@SMBDC1:~# host -t A SMBDC1.example.net
    SMBDC1.example.net has address 172.27.1.4

So the situation now is as follows:

I added the computer "TESTING-W11" to the domain with my domain admin user, not with 'administrator'. It works only if I do "[email protected]" and not "user", which used to work before. And if someone asks, yes, I also tried with administrator and it only works as "[email protected]".

After the computer rebooted I tried to log in, but it says wrong user or password.

This is the log file of the login attempt:

[2022/10/12 19:39:25.980185,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ user2@EXAMPLE from ipv4:172.27.2.26:50574 for krbtgt/EXAMPLE@EXAMPLE
[2022/10/12 19:39:26.008882,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2022/10/12 19:39:26.009229,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- user2@EXAMPLE
[2022/10/12 19:39:26.009433,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- user2@EXAMPLE
[2022/10/12 19:39:26.009709,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user2@EXAMPLE
[2022/10/12 19:39:26.013190,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.024021,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ user2@EXAMPLE from ipv4:172.27.2.26:50575 for krbtgt/EXAMPLE@EXAMPLE
[2022/10/12 19:39:26.051743,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2022/10/12 19:39:26.052093,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- user2@EXAMPLE
[2022/10/12 19:39:26.052302,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- user2@EXAMPLE
[2022/10/12 19:39:26.052948,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- user2@EXAMPLE using aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.053349,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\ [user2@EXAMPLE] at [Wed, 12 Oct 2022 19:39:26.053205 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.27.2.26:50575] became [EXAMPLE]\[user2] [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL] 
  {"timestamp": "2022-10-12T19:39:26.053767+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "d3433331ec6a5bf7", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.27.2.26:50575", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "user2@EXAMPLE", "workstation": null, "becameAccount": "user2", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-578677625-3635414378-1858279571-1105", "mappedAccount": "user2", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 30203}}
[2022/10/12 19:39:26.089947,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
[2022/10/12 19:39:26.090338,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.090474,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2022/10/12 19:39:26.097520,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.106943,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.107170,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50576
[2022/10/12 19:39:26.110456,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.114239,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ [email protected] from ipv4:172.27.2.26:50577 for krbtgt/[email protected]
[2022/10/12 19:39:26.127198,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2022/10/12 19:39:26.127410,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- [email protected]
[2022/10/12 19:39:26.127580,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2022/10/12 19:39:26.127768,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
[2022/10/12 19:39:26.130816,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.140450,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ [email protected] from ipv4:172.27.2.26:50578 for krbtgt/[email protected]
[2022/10/12 19:39:26.152897,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2022/10/12 19:39:26.153102,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- [email protected]
[2022/10/12 19:39:26.153210,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2022/10/12 19:39:26.153583,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- [email protected] using aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.153816,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[[email protected]] at [Wed, 12 Oct 2022 19:39:26.153732 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.27.2.26:50578] became [EXAMPLE]\[user2] [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL]
  {"timestamp": "2022-10-12T19:39:26.154039+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "869dfe1fc68f82a8", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.27.2.26:50578", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "[email protected]", "workstation": null, "becameAccount": "user2", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-578677625-3635414378-1858279571-1105", "mappedAccount": "user2", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13913}}
[2022/10/12 19:39:26.182189,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
[2022/10/12 19:39:26.182483,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.182612,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2022/10/12 19:39:26.187831,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.197162,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.197385,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50579
[2022/10/12 19:39:26.202216,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.206268,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ [email protected] from ipv4:172.27.2.26:50580 for krbtgt/[email protected]
[2022/10/12 19:39:26.218896,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2022/10/12 19:39:26.219112,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- [email protected]
[2022/10/12 19:39:26.219220,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2022/10/12 19:39:26.219367,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
[2022/10/12 19:39:26.226212,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.236585,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ [email protected] from ipv4:172.27.2.26:50581 for krbtgt/[email protected]
[2022/10/12 19:39:26.249060,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2022/10/12 19:39:26.249272,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- [email protected]
[2022/10/12 19:39:26.249377,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2022/10/12 19:39:26.249842,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- [email protected] using aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.250084,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[[email protected]] at [Wed, 12 Oct 2022 19:39:26.250002 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.27.2.26:50581] became [EXAMPLE]\[user2] [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL] 
  {"timestamp": "2022-10-12T19:39:26.250309+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "b111aea5f91526ac", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.27.2.26:50581", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "[email protected]", "workstation": null, "becameAccount": "user2", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-578677625-3635414378-1858279571-1105", "mappedAccount": "user2", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13999}}
[2022/10/12 19:39:26.278425,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
[2022/10/12 19:39:26.278721,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.278850,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2022/10/12 19:39:26.284069,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.293333,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.293567,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50582
[2022/10/12 19:39:26.297119,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.301280,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ [email protected] from ipv4:172.27.2.26:50583 for krbtgt/[email protected]
[2022/10/12 19:39:26.314043,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2022/10/12 19:39:26.314253,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- [email protected]
[2022/10/12 19:39:26.314361,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2022/10/12 19:39:26.314507,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
[2022/10/12 19:39:26.317995,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.328064,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ [email protected] from ipv4:172.27.2.26:50584 for krbtgt/[email protected]
[2022/10/12 19:39:26.340620,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2022/10/12 19:39:26.340832,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- [email protected]
[2022/10/12 19:39:26.340934,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- [email protected]
[2022/10/12 19:39:26.341304,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- [email protected] using aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.341534,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[[email protected]] at [Wed, 12 Oct 2022 19:39:26.341453 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.27.2.26:50584] became [EXAMPLE]\[user2] [S-1-5-21-578677625-3635414378-1858279571-1105]. local host [NULL] 
  {"timestamp": "2022-10-12T19:39:26.341761+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "4baa7d35daccf446", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:172.27.2.26:50584", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "[email protected]", "workstation": null, "becameAccount": "user2", "becameDomain": "EXAMPLE", "becameSid": "S-1-5-21-578677625-3635414378-1858279571-1105", "mappedAccount": "user2", "mappedDomain": "EXAMPLE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 13987}}
[2022/10/12 19:39:26.369985,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-10-12T19:39:26 starttime: unset endtime: 2022-10-13T05:39:26 renew till: 2022-10-19T19:39:26
[2022/10/12 19:39:26.370274,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.370405,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2022/10/12 19:39:26.375775,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/12 19:39:26.385121,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/12 19:39:26.385343,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:172.27.2.26:50585
[2022/10/12 19:39:26.388686,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

Is there something wrong in the log file?

Score:0
Is this déjà vu? I thought I answered this once, either you are fat fingering the typing or you are spelling kerberos and example wrong. Your main problem is that YOU CANNOT JOIN A COMPUTER TO A SAMBA DOMAIN UNLESS YOU USE 'Administrator'. Windows allows any Tom, Dick or Harry to join computers, but Samba doesn't. This really isn't the place to discuss this, I suggest you go here: https://lists.samba.org/mailman/listinfo/samba

Subscribe to the samba mailing list and come and discuss it with me there.

Score:0
After being redirected here by Rowland, I was able to reach someone that found the problem instantly!

Windows 11 version 22H2 is not compatible with Samba 4.15 and I'm now trying to upgrade to Samba 4.16 to fix it!

...it just happened that all the PCs I was trying to join to the domain were fresh Win11 installs, and so I never caught the discrepancy (it still works on older versions of Windows).
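The logs quoted in this thread repeat one pattern per client: the AS exchange ends in "ENC-TS Pre-authentication succeeded", and the TGS-REQ that follows is rejected with an authenticator checksum error. The script below is an added example, not code from any poster or from the Samba project; it groups `log level = 3` KDC records by client address and reports that pattern, so a rejected ticket request is not mistaken for a wrong password. The sample log is constructed (documentation-range IP addresses, hypothetical principals `alice` and `bob`), and the message patterns are taken from the log lines shown on this page.

```python
"""Triage Samba AD DC 'log level = 3' KDC output per client address."""
import re
from collections import defaultdict

# A record is a header line "[timestamp, level] file:line(func)" plus indented message lines.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\] ")
AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):\d+ for ")
PREAUTH_OK = re.compile(r"Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)")
CKSUM_FAIL = re.compile(r"Kerberos: Failed to verify authenticator checksum: (.+)")
TGS_FAIL = re.compile(r"Kerberos: Failed parsing TGS-REQ from ipv4:([\d.]+):\d+")

# Constructed sample in the format of the logs on this page (not real data).
_HDR = ("[2022/10/12 19:39:{:02d}.000000,  3] ../../source4/auth/kerberos/"
        "krb5_init_context.c:80(smb_krb5_debug_wrapper)\n  Kerberos: {}\n")
_MESSAGES = [
    "AS-REQ alice@EXAMPLE from ipv4:192.0.2.26:50575 for krbtgt/EXAMPLE@EXAMPLE",
    "ENC-TS Pre-authentication succeeded -- alice@EXAMPLE using aes256-cts-hmac-sha1-96",
    "Failed to verify authenticator checksum: Decrypt integrity check failed "
    "for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96",
    "Failed parsing TGS-REQ from ipv4:192.0.2.26:50576",
    "AS-REQ bob@EXAMPLE from ipv4:192.0.2.40:50100 for krbtgt/EXAMPLE@EXAMPLE",
    "ENC-TS Pre-authentication succeeded -- bob@EXAMPLE using aes256-cts-hmac-sha1-96",
]
SAMPLE_LOG = "".join(_HDR.format(i, m) for i, m in enumerate(_MESSAGES))


def records(text):
    """Yield (timestamp, message) pairs, joining each header with its message lines."""
    stamp, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(body)
            stamp, body = m.group(1), []
        elif stamp is not None and line.strip():
            body.append(line.strip())
    if stamp is not None:
        yield stamp, " ".join(body)


def verdict(c):
    """Summarise one client's counters in a short phrase."""
    if c["preauth_ok"] and c["tgs_fail"]:
        return "credentials accepted, ticket request rejected"
    if c["preauth_ok"]:
        return "ok"
    if c["tgs_fail"]:
        return "ticket request rejected"
    return "no completed AS exchange"


def triage(text):
    """Return {client_ip: counters + verdict} for the KDC records in text."""
    clients = defaultdict(lambda: {"principals": set(), "preauth_ok": 0,
                                   "tgs_fail": 0, "reasons": set()})
    last_ip = {}    # principal -> address of its most recent AS-REQ
    pending = None  # checksum error waiting for the TGS-REQ line that names the client
    for _, msg in records(text):
        if m := AS_REQ.search(msg):
            last_ip[m.group(1)] = m.group(2)
            clients[m.group(2)]["principals"].add(m.group(1))
        elif m := PREAUTH_OK.search(msg):
            # The success line names only the principal; attribute it to its last AS-REQ.
            ip = last_ip.get(m.group(1))
            if ip:
                clients[ip]["preauth_ok"] += 1
        elif m := CKSUM_FAIL.search(msg):
            pending = m.group(1)
        elif m := TGS_FAIL.search(msg):
            c = clients[m.group(1)]
            c["tgs_fail"] += 1
            if pending:
                c["reasons"].add(pending)
            pending = None
    return {ip: dict(c, verdict=verdict(c)) for ip, c in clients.items()}


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, sorted(info["principals"]), info["verdict"], sorted(info["reasons"]))
```

To run it against a real DC, pass the contents of the Samba log file to `triage()` instead of `SAMPLE_LOG`.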
