Windows 10 can't login to samba 4.15 Domain Controller

avi9526 · 2021-09-29 02:21:21

I have Samba (currently 4.14.5) running as domain controller

[global]
        log level = 1 auth_audit:3 auth_json_audit:3

        dns forwarder = ****
        netbios name = ****
        realm = ****
        server role = active directory domain controller
        workgroup = ****
        idmap_ldb:use rfc2307 = yes
        smb encrypt = required

        full_audit:failure = none
        full_audit:success = pwrite write rename
        full_audit:prefix = USER=%u|IP=%I|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE

        #vfs objects = acl_xattr
        map acl inherit = yes
        inherit acls = yes
        inherit owner = yes
        inherit permissions = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = full_audit

[netlogon]
        path = /var/lib/samba/sysvol/****/scripts
        read only = No
        vfs objects = full_audit
[****]
        path = /vhome/samba/****
        read only = No
        vfs objects = full_audit

and it worked well, until update to version 4.15.0. PC with Windows 10 could not login to domain users with "The user name or password is incorrect" error. Time is synchronized. Leaving domain on PC side, reboot, join domain, reboot - does not help. I can login as local PC user and access shares on this Samba server using domain credentials, but still cannot login as that domain user.

journalctl -u samba

does contain message about login (NT_STATUS_OK), but no error.

Important details:

— I login to PC using SSH port forwarding and RDP client.
— PC and Samba server is on different VLANs connected through router. PC can access server on any port and response will be accepted. But server can't connect to PC by itself (but no blocked packets logged on the side of a router)
— Reverting samba version from 4.15.0 to 4.14.5 solved login problems.
— Another PC could login to new samba DC, until that PC get updated and restarted few times
— Windows event logger show audit failure with code "0xC000006D" (which match "The user name or password is incorrect" message)

Last edited by avi9526 (2021-09-29 02:28:31)

SkyBeam · 2021-09-29 17:36:26

A similar (or identical) issue is discussed on the Samba mailing list. See here.

hortimech · 2021-09-30 15:10:54

Remove the 'vfs objects' lines, you have turned off the defaults and you need them for authentication.

SkyBeam · 2021-09-30 21:00:24

hortimech wrote:

Remove the 'vfs objects' lines, you have turned off the defaults and you need them for authentication.

I might have a different issue (see link) with same symptoms but I don't have any 'vfs objects' lines in my configuration and still facing the very same problem on a number of computes after Samba 4.15 upgrade.

Arch Linux

#1 2021-09-29 02:21:21

Windows 10 can't login to samba 4.15 Domain Controller

#2 2021-09-29 17:36:26

Re: Windows 10 can't login to samba 4.15 Domain Controller

#3 2021-09-30 15:10:54

Re: Windows 10 can't login to samba 4.15 Domain Controller

#4 2021-09-30 21:00:24

Re: Windows 10 can't login to samba 4.15 Domain Controller

Board footer