Cannot login/join AD domain after Windows 11 22H2 update

DavidePrincipi commented 2 years ago

After update to 22H2, Windows 11 clients cannot join or log in anymore to AD domain.

Steps to reproduce

Install/Update Windows 11 with 22H2 update
Attempt to join the AD domain or log in (if already joined)

Expected behavior

Join the domain / continue to log in.

Actual behavior

The Windows client cannot join the domain. If the client was already joined, the user cannot login.

Components

nethserver-dc-1.8.4-1.ns7.x86_64

See also

DavidePrincipi commented 2 years ago

Important notices

~~The nethserver-dc RPM is actually attached to PR NethServer/nethserver-dc#112. Still it is not available from nethserver-testing. Updates to this issue are coming: stay tuned.~~
When Samba 4.16 starts, it updates the DB: downgrading to 4.9 could not be possible :warning:

For each test case

test the bug is not reproducible: both join and Windows 11 workstation login must work
for samba file server, ensure share access is still working
the procedure that changes the IP of the DC must work
backup/restore should work, also starting from a Samba 4.9 backup set
Windows 11 client time resync must succeed: w32tm /resync
password complexity policy is honored

Useful commands

Get the samba version installed in nsdc

nsdc-run -e -- samba -V
Get the samba running status

systemctl -M nsdc status samba

Test case 1

New installation. Enable nethserver-testing repo with the commands below, then configure a local AD account provider.

 mkdir -p /etc/e-smith/templates-custom/etc/nethserver/eorepo.conf/
 echo nethserver-testing > /etc/e-smith/templates-custom/etc/nethserver/eorepo.conf/99testing
 signal-event software-repos-save

Test case 2

Update existing installation.

yum update --enablerepo=nethserver-testing  nethserver-dc

Test case 3

Restore an old configuration backup.

Enable nethserver-testing with the custom template described above for test case 1.
Update nethserver-backup-config from nethserver-testing, to get https://github.com/NethServer/nethserver-backup-config/pull/45
Run the restore-config procedure as usual

nethbot commented 2 years ago

in 7.9.2009/testing:

nethserver-dc-1.8.4-1.1.g4aaf012.ns7.x86_64.rpm x86_64

DavidePrincipi commented 2 years ago

During development I found a little regression bug:

A user cannot be created with name containing extended chars (e.g. é)

Workaround:

Use plain ASCII
Edit the user name: extended chars are still allowed.

DavidePrincipi commented 2 years ago

Thanks to @nrauso for reporting a regression while restoring the DC

Sep 30 10:47:34 mynscom7 esmith::event[3114]: ---> Package ns-samba.x86_64 0:4.16.5-1.ns7 will be installed
Sep 30 10:47:34 mynscom7 esmith::event[3114]: --> Processing Dependency: libgnutls.so.30(GNUTLS_3_4)(64bit) for package: ns-samba-4.16.5-1.ns7.x86_64
Sep 30 10:47:34 mynscom7 esmith::event[3114]: --> Processing Dependency: libgnutls.so.30(GNUTLS_3_6_10)(64bit) for package: ns-samba-4.16.5-1.ns7.x86_64
Sep 30 10:47:34 mynscom7 esmith::event[3114]: --> Processing Dependency: libgnutls.so.30(GNUTLS_3_6_3)(64bit) for package: ns-samba-4.16.5-1.ns7.x86_64
Sep 30 10:47:34 mynscom7 esmith::event[3114]: --> Processing Dependency: libgnutls.so.30()(64bit) for package: ns-samba-4.16.5-1.ns7.x86_64
Sep 30 10:47:34 mynscom7 esmith::event[3114]: --> Finished Dependency Resolution
Sep 30 10:47:34 mynscom7 esmith::event[3114]: Error: Package: ns-samba-4.16.5-1.ns7.x86_64 (/ns-samba-M6f19bog5.x86_64)
Sep 30 10:47:34 mynscom7 esmith::event[3114]:           Requires: libgnutls.so.30()(64bit)
Sep 30 10:47:34 mynscom7 esmith::event[3114]: Error: Package: ns-samba-4.16.5-1.ns7.x86_64 (/ns-samba-M6f19bog5.x86_64)
Sep 30 10:47:34 mynscom7 esmith::event[3114]:           Requires: libgnutls.so.30(GNUTLS_3_6_3)(64bit)
Sep 30 10:47:34 mynscom7 esmith::event[3114]: Error: Package: ns-samba-4.16.5-1.ns7.x86_64 (/ns-samba-M6f19bog5.x86_64)
Sep 30 10:47:34 mynscom7 esmith::event[3114]:           Requires: libgnutls.so.30(GNUTLS_3_6_10)(64bit)
Sep 30 10:47:34 mynscom7 esmith::event[3114]: Error: Package: ns-samba-4.16.5-1.ns7.x86_64 (/ns-samba-M6f19bog5.x86_64)
Sep 30 10:47:34 mynscom7 esmith::event[3114]:           Requires: libgnutls.so.30(GNUTLS_3_4)(64bit)
Sep 30 10:47:34 mynscom7 esmith::event[3114]: You could try using --skip-broken to work around the problem
Sep 30 10:47:34 mynscom7 esmith::event[3114]: You could try running: rpm -Va --nofiles --nodigest

Edit: updated test case 3

nethbot commented 2 years ago

in 7.9.2009/testing:

nethserver-backup-config-2.5.2-1.1.g784db3e.ns7.noarch.rpm x86_64 armhfp aarch64

nrauso commented 2 years ago

Test case 1: verified Test case 2: verified Test case 3 (with the new nethserver-backup-config package): verified

bonus track 1: tested GPOs deployment, too bonus track 2: tested Account Provider upgrade in the NethServer upgrade procedure scenario bonus track 3: tested Windows 10 retrocompatibility

DavidePrincipi commented 2 years ago

I had an issue with Webtop, symptom login failed:

2022-10-03 09:59:25 [ERROR] c.s.s.auth.directory.LdapDirectory - LdapError
org.ldaptive.LdapException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1]
        at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55)
        at org.ldaptive.provider.jndi.JndiConnection.processNamingException(JndiConnection.java:619)
        at org.ldaptive.provider.jndi.JndiConnection.simpleBind(JndiConnection.java:261)
        at org.ldaptive.provider.jndi.JndiConnection.bind(JndiConnection.java:203)
        at org.ldaptive.BindOperation.invoke(BindOperation.java:28)

This is the procedure I applied to downgrade the RPM from testing:

yum downgrade --noplugins nethserver-dc
systemctl stop nsdc
cd /var/lib/machines/ ; mv nsdc nsdc.old
restore-config

DavidePrincipi commented 2 years ago

The authentication exception refers to user ldapservice.

The error code 531 leads to this PR https://github.com/NethServer/nethserver-dc/pull/71

By removing its userWorkstations attribute, the login succeedes. In nsdc shell run

$ ldbmodify -v -i -H /var/lib/samba/private/sam.ldb <<EOF
dn: CN=ldapservice,CN=Users,DC=ad,DC=dp,DC=nethserver,DC=net
changetype: modify
replace: userWorkstations
EOF

nethbot commented 2 years ago

in 7.9.2009/testing:

nethserver-dc-1.8.4-1.2.g83995f7.ns7.x86_64.rpm x86_64

DavidePrincipi commented 2 years ago

Test case 4

Test user login on Webtop, Ejabberd, Nextcloud, NethVoice,
Test Roundcube addressbook

nrauso commented 2 years ago

Test case 4: verified

Tested on suggested packages, even in disaster recovery scenario. Tried:

fresh installation: ok
backup/restore from Samba 4.9 to Samba 4.16: ok
backup/restore from Samba 4.16 to Samba 4.16: ok
backup/restore from Samba 4.9 to Samba 4.9 for retrocompatibility (using new backup-config package): ok

Neustradamus commented 2 years ago

@DavidePrincipi: Thanks for this big improvement that I have requested a long time ago!

DavidePrincipi commented 2 years ago

It was reported a regression of the backup-data command/procedure.

In /var/log/backup/*.log

Ran into unknown state (hex char: 29) at /usr/share/perl5/vendor_perl/NethServer/Backup.pm line 252.

The backup ends with success. The message is only annoying.

The message originates from the upstream bug https://rt.cpan.org/Public/Bug/Display.html?id=91150, since Samba DC 4.16 processes use ) in their titles. For instance run:

ps -afx -o pid,comm | grep -- \)

Packages:

nethserver-dc-1.8.4-1.2.g83995f7.ns7.x86_64
perl-Proc-ProcessTable-0.48-1.el7.x86_64

NethServer / dev

Cannot login/join AD domain after Windows 11 22H2 update #6702