Windows 11 and Samba AD login broken

I upgraded a Windows host from Windows 10 to Windows 11, and of course I could no longer authenticate.

Samba logs showed:

[2022/10/02 15:48:24.186783,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@DOMAIN] using aes256-cts-hmac-sha1-96
[2022/10/02 15:48:24.186919,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[Administrator@DOMAIN] at [Sun, 02 Oct 2022 15:48:24.186874 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.50.47:59182] became [DOMAIN]]\[Administrator] [S-1-5-21-3293602716-1359220633-1131700490-500]. local host [NULL] 
  {"timestamp": "2022-10-02T15:48:24.187054+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "3be75b668c8b39de", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.50.47:59182", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "Administrator@DOMAIN]", "workstation": null, "becameAccount": "Administrator", "becameDomain": "DOMAIN]", "becameSid": "S-1-5-21-3293602716-1359220633-1131700490-500", "mappedAccount": "Administrator", "mappedDomain": "DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 10444}}
[2022/10/02 15:48:24.280991,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-10-02T15:48:24 starttime: unset endtime: 2022-10-03T01:48:24 renew till: 2022-10-09T15:48:24
[2022/10/02 15:48:24.281140,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, arcfour-hmac-md5, -133, -128, 24, -135, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/10/02 15:48:24.281273,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
[2022/10/02 15:48:24.285839,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/02 15:48:24.293498,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/02 15:48:24.293619,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:192.168.50.47:59183
[2022/10/02 15:48:24.297725,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2022/10/02 15:49:29.696239,  3] ../../source4/lib/socket/interface.c:91(add_interface)

I know NTLM/SMB1 is now disabled by default in Windows 11, but I could not figure out how that's related.

In the end I found:

The fast solution is:

Local Security Policy > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos. Check only DES_CBC_CRC and DES_CBC_MD5.

Apparently Samba 4.16 also fixes it. But it hasn't hit stable yet for Debian.
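The decisive pair of entries in the log above is the AS exchange for Administrator from 192.168.50.47 succeeding with an AES key, followed by the TGS-REQ from the same client being dropped because its authenticator checksum (rsa-md5) fails verification against the aes256-cts-hmac-sha1-96 session key. The following triage script picks that pattern out of a larger Samba log (debug level 3) and attributes it to a client address and account; it is an added example, not code from the post or from Samba, and its sample lines are constructed from the entries quoted above with the realm and SID replaced by placeholders.

```python
import re

# Constructed sample modelled on the Samba debug-level-3 entries quoted in the post
# (realm and SID replaced with placeholders); the second TGS-REQ failure is a control case.
SAMPLE_LOG = """\
[2022/10/02 15:48:24.186919,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[Administrator@EXAMPLE.LAN] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.50.47:59182] became [EXAMPLE]\\[Administrator] [S-1-5-21-0-0-0-500]. local host [NULL]
[2022/10/02 15:48:24.293498,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type aes256-cts-hmac-sha1-96
[2022/10/02 15:48:24.293619,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:192.168.50.47:59183
[2022/10/02 15:50:01.000000,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:192.168.50.99:50000
"""

AUTH_RE = re.compile(r"Auth: \[Kerberos KDC,.*?status \[(?P<status>NT_STATUS_\w+)\].*?"
                     r"remote host \[ipv4:(?P<ip>[\d.]+):\d+\].*?became \[[^\]]*\]\\\[(?P<account>[^\]]*)\]")
CKSUM_RE = re.compile(r"Failed to verify authenticator checksum: .*?checksum type (?P<cksum>\S+), key type (?P<key>\S+)")
TGS_FAIL_RE = re.compile(r"Failed parsing TGS-REQ from ipv4:(?P<ip>[\d.]+):\d+")


def find_checksum_mismatches(log_text):
    """One finding per TGS-REQ the KDC dropped right after an authenticator checksum
    failure, tied to the account whose AS exchange succeeded from the same client IP."""
    last_ok_auth = {}   # client ip -> account from the most recent NT_STATUS_OK KDC auth
    pending = None      # (checksum type, key type) of the last verify failure, not yet attributed
    findings = []
    for line in log_text.splitlines():
        if (m := AUTH_RE.search(line)):
            if m.group("status") == "NT_STATUS_OK":
                last_ok_auth[m.group("ip")] = m.group("account")
        elif (m := CKSUM_RE.search(line)):
            pending = (m.group("cksum"), m.group("key"))
        elif (m := TGS_FAIL_RE.search(line)):
            if pending:   # a parse failure without a preceding checksum error is something else
                findings.append({"ip": m.group("ip"), "account": last_ok_auth.get(m.group("ip")),
                                 "checksum_type": pending[0], "key_type": pending[1]})
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_checksum_mismatches(SAMPLE_LOG):
        print(f"{f['ip']} ({f['account']}): TGS-REQ authenticator used a {f['checksum_type']} checksum "
              f"with a {f['key_type']} session key; check the client's Kerberos encryption-type policy")
```

Run it against a real log with `find_checksum_mismatches(open("/var/log/samba/log.samba").read())`; clients that show up repeatedly are the ones whose Kerberos encryption-type policy needs the fix described above.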
