Now that 22H2 has rolled out:
it is possible to log in with the policy fix, but things like GPOs and administrative tools just won't work. Are there possible fixes for the older Samba DC version NethServer 7 uses? Because it seems that the latest version of Samba has fixed this issue.
Login/join issues after Windows was updated are reported here too:
- https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/
- KDC: TGS-REQ problem with Windows 11 22H2 client · Issue #1011 · heimdal/heimdal · GitHub
As the Microsoft update is released, it seems the only chance to work around the issue is to upgrade nsdc Samba to 4.16+
@giacomo just completed a build of Samba 4.16.5 for the DC component. Hopefully a build of nethserver-dc that ships it is soon to come. Stay tuned.
Good to know about that last update. Have you tried joining the domain before updating and checking if GPOs still work?
Is Windows 11 a “thing” where you guys live? I barely see Windows 11 installed here in Brazil… new computers, okay, I see plenty, but whoever has Windows 10 working fine under a Core iSomething 7th below 11th gen, I don't see people updating very often.
Hi Walter
Here in Switzerland, all my clients are still happy with Win10. No business software (yet) requires Win11 specifically.
New Computers / Notebooks are usually kept with Win11, but none of my clients have purchased a new Notebook with Win11 for their businesses yet…
I’m not complaining, Win10 works very well for Windows…
My 2 cents
Andy
Hello everyone!
Well, it’s a thing here in Latvia. We have an educational environment with ~300 computers and around 80 are already on Windows 11. That’s why I am a little bit concerned. The 11 update popup on 10 just shows up and, well, there it is! Haven't seen the 22H2 update pop up yet, but it will get there, can't do anything about it. We also like to present the latest MS Office and Windows versions to our students and we don’t delay any updates. And new computers already come with 11, so installing 10 over it would be a downgrade.
Well, we also have tons of older machines with no TPM 2.0 etc., so 11 doesn't like that and the update popup doesn’t show up on those machines. We use the standard OS branch, not LTSC. LTSC 10 would be no trouble for a long time and I understand that there are lots of businesses that don't consider using 11, at least not yet. But let's say you buy a new PC in your organisation that already comes with 11 and there you have a problem.
I am rolling NS7 since the release of it and it has been rock solid since, an updated nsdc would be a lifesaver. No pressure on you devs, at least there is now a workaround to log in to these systems.
A long time ago I used WSUS with Windows. It was quite nice and really good to test out stuff before updating.
Here are some instructions to help the development of the new Samba DC rebased on version 4.16.5!
Cannot login/join AD domain after Windows 11 22H2 update · Issue #6702 · NethServer/dev · GitHub
The RPM is still under development (it is not even in the testing repository – do not install on production). It must be downloaded from this pull request link to the autobuild repository: Samba 4.16.5 by DavidePrincipi · Pull Request #112 · NethServer/nethserver-dc · GitHub
It seems the service starts correctly after the update. However test case 2.3 (changing the DC IP) fails with errors:
Sep 28 22:52:30 nsdc-nscom1.ad.dp.nethserver.net samba[27]: _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
The error appears during a TLS connection attempt. It can reproduced with a command like
ldapsearch -ZZ -H ldap://<IP of DC> -D '' -w '' -b '' -s base
Edit: thanks to @giacomo the TLS issue has been found
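To spot the failure quoted above in a DC log without reading the journal by hand, here is an added shell helper; it is not part of the thread or of nethserver-dc. It scans log lines for the `_tstream_tls_accept_send` / "Failed to set default priorities" message (the sample lines are constructed, the first mirroring the one posted above) and wraps the StartTLS probe from the post so its exit status can be used in a script. The DC address is a placeholder argument.

```shell
#!/bin/sh
# Added example (not from the thread or from nethserver-dc): count the GnuTLS
# priority failure in Samba DC log lines and optionally run the StartTLS probe.

# Constructed sample log lines; the first and third mirror the message quoted
# in the thread, the second is a neutral filler line.
SAMPLE_LOG='Sep 28 22:52:30 nsdc-nscom1.ad.dp.nethserver.net samba[27]: _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
Sep 28 22:52:31 nsdc-nscom1.ad.dp.nethserver.net samba[27]: (constructed filler line) ldap connection accepted
Sep 28 22:52:35 nsdc-nscom1.ad.dp.nethserver.net samba[27]: _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities'

# count_tls_priority_failures: read log lines on stdin and print how many carry
# the TLS accept error. grep -c exits 1 when the count is 0, so force status 0.
count_tls_priority_failures() {
    grep -c '_tstream_tls_accept_send:.*Failed to set default priorities' || true
}

# probe_starttls DC_ADDRESS: the check from the thread. -ZZ makes ldapsearch fail
# unless StartTLS completes, so the exit status alone reports TLS health.
# Returns 2 when the ldap client tools are not installed.
probe_starttls() {
    dc="$1"
    command -v ldapsearch >/dev/null 2>&1 || return 2
    ldapsearch -ZZ -H "ldap://${dc}" -D '' -w '' -b '' -s base >/dev/null 2>&1
}

# Stand-alone run: scan the sample, then probe the DC if an address was given.
# Usage: sh check_dc_tls.sh [DC_ADDRESS]
failures=$(printf '%s\n' "$SAMPLE_LOG" | count_tls_priority_failures)
echo "TLS priority failures in sample log: $failures"
if [ "$#" -ge 1 ]; then
    if probe_starttls "$1"; then
        echo "StartTLS to $1: OK"
    else
        echo "StartTLS to $1: FAILED (status $?)"
    fi
fi
```

On a live system pipe the journal into the counter, for example `journalctl --since today | count_tls_priority_failures`. When the probe fails, distinguish a server-side failure like the one above from a client-side certificate rejection: with a self-signed DC certificate the client may refuse the handshake itself, so retry with `LDAPTLS_REQCERT=never` before concluding the DC is at fault.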
I think someone will have good use of a large box of coffee…
There is a package to test in nethserver-testing
Do not test on production servers because the Samba DC 4.16 upgrade might not be reversible! Update: see this comment.
To run a fresh install on a clean machine, permanently activate the nethserver-testing repo with a custom template:
mkdir -p /etc/e-smith/templates-custom/etc/nethserver/eorepo.conf/
echo nethserver-testing > /etc/e-smith/templates-custom/etc/nethserver/eorepo.conf/99testing
signal-event software-repos-save
Then install from Software Center as usual.
The test cases and checks to run are described here:
I bet my next coffee on a test phase before considering an official deployment.
Do you need specific cases, environment, whatever to speed up the process?
Yes, you got it
I’m concerned about legacy systems like printers & scanners but also weird LDAPS clients. I did not study background information (i.e. Samba and Gnutls release notes) enough…
So investigating that part is really welcome!
Could it be possible to backup and restore my production Samba database to the testing version on a virtual environment? Haven't done that before. I can do some testing.
Well… it’s a matter of split paths.
Microsoft deprecated SMBv1 in 2014. SMBv2 is Vista-old, SMBv2.1 is 7/2008r2 old, SMBv2.2/3.0 is 8-2012 old. The latter will be EOL from Redmond at the end of the year.
Several non-SMBv1-compliant MFCs had been “translated” to FTP by me, but the bigger issue is when the device queries NSDC or LDAP for address books.
If your package will still honour SMBv1, maybe the issue might not be that big; however, SMBv1 is severely old, faulty and insecure, so it might be considered an entry point for data extraction or AD attack.
Also: I’m not sure if the sole capability to respond to SMBv1 might make Windows 11 22H2 classify the other endpoint as insecure…
My old motto is “cut the rope”; SMBv1 in any place is a big no-no. But in any case, sysadmins should be aware of the big change.
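Whether the DC still honours SMBv1 is decided by the Samba parameter `server min protocol` (older synonym `min protocol`). The following added shell check, which is not from the thread or from nethserver-dc, reads an smb.conf from stdin and reports whether SMB1 dialects (CORE, COREPLUS, LANMAN1, LANMAN2, NT1) are still accepted; the weak and hardened configurations are constructed samples. Treating an unset parameter as SMB2_02, the Samba default since 4.11, is an assumption that holds for the 4.16 package discussed here but not for older Samba releases, which defaulted to NT1.

```shell
#!/bin/sh
# Added example (not from the thread or from nethserver-dc): report whether an
# smb.conf still lets SMB1 clients connect, based on 'server min protocol'.

# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_CONF='[global]
    workgroup = AD
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
    # legacy MFC support: this accepts SMB1 (the weak setting)
    server min protocol = NT1
'
HARDENED_CONF='[global]
    workgroup = AD
    realm = AD.EXAMPLE.COM
    server role = active directory domain controller
    # SMB1 dialects refused; SMB2_02 is also the default since Samba 4.11
    server min protocol = SMB2_02
'

# min_protocol_from_conf: read smb.conf on stdin and print the configured
# minimum server dialect upper-cased, or DEFAULT when the parameter is unset.
# Matches 'server min protocol' and the synonym 'min protocol' (not the
# client-side parameter), skips comment lines, and keeps the last definition.
min_protocol_from_conf() {
    v=$(awk -F= '
        $0 !~ /^[ \t]*[#;]/ && tolower($1) ~ /^[ \t]*(server[ \t]*)?min[ \t]*protocol[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print toupper($2)
        }' | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'DEFAULT\n'; fi
}

# smb1_allowed: exit 0 when the configuration on stdin accepts SMB1 dialects.
# DEFAULT is assumed to mean SMB2_02 (Samba >= 4.11), hence "refused".
smb1_allowed() {
    case "$(min_protocol_from_conf)" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) return 0 ;;
        *) return 1 ;;
    esac
}

# report NAME CONF_TEXT: one-line verdict for a configuration.
report() {
    proto=$(printf '%s' "$2" | min_protocol_from_conf)
    if printf '%s' "$2" | smb1_allowed; then
        echo "$1: server min protocol = $proto -> SMB1 accepted"
    else
        echo "$1: server min protocol = $proto -> SMB1 refused"
    fi
}

report weak "$WEAK_CONF"
report hardened "$HARDENED_CONF"
# On a real host: smb1_allowed < /etc/samba/smb.conf && echo "SMB1 still accepted"
```

On a running Samba host the effective value, defaults included, can also be read with `testparm -s --parameter-name="server min protocol"`; the file-based check above is useful for reviewing configuration templates offline before they reach the DC.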
Thanks to @nrauso, the QA tests are successful and now the package can be tested in non-critical production environments.
…Like Java applications
… Hell of a job!
I had an issue with Webtop and the testing RPM: login no longer works. I added the details to the issue on GitHub.
The regression was fixed. A new RPM is available from nethserver-testing
I tested some apps and it looks good so far.
Local AD:
dokuwiki
dolibarr
moodle
nextcloud
phpldapadmin
sogo
webmail roundcube
webtop
Remote AD:
ejabberd
guacamole
openvpn
squid
Joined to domain:
OpenSUSE Leap 15.3, 15.4
Windows 10, 11 incl. 22H2 update
Short update /cc @ibinetwork
The RPM has been marked VERIFIED but there is still no release date for it. AFAIK few production sites are using it to solve the issue. It seems few people use (or update) Windows 11.
I’d like to release the update as late as possible, after it has been widely tested in real world environments.
Side note, please do not use the GitHub tracker for questions and comments. Write here your comments so everyone in the community can follow the discussion.
Hi @davidep,
after it has been widely tested in real world environments.
What must i do to test it in my environment?
Regards…
Uwe