Topic: AD Stop Working on Windows 11 22H2

emilioortiz

AD Stop Working on Windows 11 22H2
« on: October 06, 2022, 02:36:29 pm »
I'm using Zentyal 6.2.
New laptops with Windows 11 Pro 22H2 stop joining the domain.
After searching, it seems related to Kerberos encryption.
Workaround 1: Upgrade Samba to 4.16 (problem: Zentyal 6.2 ships Samba 4.7 and Zentyal 7.0 ships Samba 4.11; Ubuntu 22.10 ships Samba 4.16)
Workaround 2: In local security policies, network security > allow only DES encryption:
This re-enables AD join and shared drives, but GPO is still not working.

Is there any workaround to upgrade Samba to 4.16 on Ubuntu 18.04 or Ubuntu 22.04?

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #1 on: October 07, 2022, 11:32:34 am »
Same problem here.  This seems huge...

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #2 on: October 07, 2022, 11:54:59 am »
Workaround 2: In local security policies, network security > allow only DES encryption:

Please, could you elaborate on this configuration...? I cannot find the key you mention.
Thanks a lot in advance.

turalyon

Re: AD Stop Working on Windows 11 22H2
« Reply #3 on: October 07, 2022, 12:53:46 pm »
Hi,

The following link explains the path to the Local Security Path. I tested it and it is just a workaround, with that you can join the domain and use the share folders, however, the GPO does not work.

* https://lists.samba.org/archive/samba/2022-April/240502.html

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever.”
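
Added example (not part of any post in this thread): a PowerShell check for auditing clients where the local-policy workaround discussed above was applied. It decodes the `SupportedEncryptionTypes` value that the "Network security: Configure encryption types allowed for Kerberos" policy writes; the function names and sample masks are constructed for illustration.

```powershell
# Added example, not from the thread. Function names are illustrative.
# Registry value written by the local policy
# "Network security: Configure encryption types allowed for Kerberos".
$KerbPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit flags of the SupportedEncryptionTypes DWORD.
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x01
    'DES_CBC_MD5'             = 0x02
    'RC4_HMAC_MD5'            = 0x04
    'AES128_CTS_HMAC_SHA1_96' = 0x08
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}
$WeakMask = 0x07   # DES and RC4, the legacy (weak) types
$AesMask  = 0x18

function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory)][long]$Mask)
    # Collect the name of every flag that is set in the mask.
    $enabled = foreach ($name in $EtypeBits.Keys) {
        if ($Mask -band $EtypeBits[$name]) { $name }
    }
    [pscustomobject]@{
        Mask        = '0x{0:X}' -f $Mask
        Enabled     = @($enabled) -join ', '
        WeakEnabled = [bool]($Mask -band $WeakMask)
        AesEnabled  = [bool]($Mask -band $AesMask)
    }
}

function Get-KerberosEtypePolicy {
    # Returns $null when the policy is not configured (OS defaults apply).
    $p = Get-ItemProperty -Path $KerbPolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -ne $p) { ConvertFrom-KerberosEtypeMask -Mask $p.SupportedEncryptionTypes }
}

# Constructed sample masks, decoded offline:
0x03, 0x1C, 0x18 | ForEach-Object { ConvertFrom-KerberosEtypeMask -Mask $_ } | Format-Table -AutoSize

# Live check on a client (run on the Windows 11 machine itself):
$live = Get-KerberosEtypePolicy
if ($null -eq $live) { 'Kerberos encryption-type policy not configured on this machine.' }
elseif ($live.WeakEnabled) { "Weak Kerberos types still allowed: $($live.Enabled)" }
else { "No DES/RC4 types allowed: $($live.Enabled)" }
```

Running it across domain clients gives a list of machines where the workaround is still in place, so the policy can be reverted once the server side is upgraded.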

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #4 on: October 07, 2022, 04:07:27 pm »
Thank you very much.  With the correct path, I found the key.

This is bothering me a lot.  I have more than 10 Zentyal servers, some of them 6.2.

My main concern is the lack of information from the Zentyal developers, and the fact that they answer to every bug in GitHub with "We will add it to the roadmap".  A roadmap for correcting bugs...?  And last commit on GitHub was three months ago...?  They argued they were relocating to the U.S.A... Many months ago.  Very little activity since then.

Zentyal is a more or less reasonable solution.  Far from perfect, quite far...

I have never seen a samba version update inside a Zentyal version.  I am afraid we will have this bug lying around for a long time...  I managed to stop my Windows 11 from updating, but only allowed for 5 weeks from now...

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #5 on: October 07, 2022, 04:18:28 pm »
I can confirm this workaround allows joining Windows 11 22H2 to a Zentyal 7.0 domain.

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #6 on: October 07, 2022, 04:33:53 pm »
I can also confirm that GPOs are not being applied.
Using gpupdate /force returns an error.

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #7 on: October 07, 2022, 05:40:08 pm »
Apparently, dynamic DNS is also not working.  Client cannot update DNS register on Zentyal server (permission denied)

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #8 on: October 07, 2022, 05:52:02 pm »
After joining the domain, network is not identified as "domain" but as "public".  No options to change to "domain", only to change to "private"

jwilliams1976

Re: AD Stop Working on Windows 11 22H2
« Reply #9 on: October 08, 2022, 12:16:54 am »
I'm on Zentyal 6.1 and was able to join the domain fine but I'm not able to log into the domain account from Win 11? If I log into that machine with a local account I can then access the samba shares by logging in with user@domain but those same credentials will not let me log into the computer. No issues with several machines that were already on the domain with Win 10 and then upgraded to Win 11. This one is a brand new native Win 11 install.

I tried the DES encryption workaround but it made no difference for me. Any other ideas or workarounds?

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #10 on: October 08, 2022, 06:55:34 pm »
The problem seems to be in the Heimdal Kerberos module from samba prior to version 8.0
The problem was corrected in Heimdal version 8.0
Samba 4.16.0 apparently uses Heimdal version 8.0
Zentyal 7.0.2 still uses samba version 4.13.17...
A path to upgrade samba to, at least, 4.16 would be a possible solution.

https://old.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/iq0c2vo/

I opened a bug report on Github.

mikeinmaine

Re: AD Stop Working on Windows 11 22H2
« Reply #11 on: November 03, 2022, 01:24:39 pm »
I know very little but I was able to join my newly upgraded to Win11pro computer to my Zentyal domain and fix the user bad password domain login problem by changing the local security policy encryption.  However, I found this on youtube related to Windows 11 and Zentyal CA certificates. Has anyone tried it?

https://www.youtube.com/watch?v=pme0LcVVQMA

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #12 on: November 03, 2022, 01:34:28 pm »
Yes, changing some local policies allows joining the domain, but domain policies are not synchronized, and workstation DNS records are not updated, and maybe more things don't work.
This video is addressing a different problem.  It was posted 7 months ago, before Windows 11 version 22H2, so it is not addressing this problem.

The problem is that Zentyal has been left behind samba updates (samba already addressed and solved this problem at the beginning of 2022).

In Github, the developers argued that they are stuck with ubuntu 20.04 for the samba version.  But they could have done the same as other solutions, like Univention (which I am migrating to.  15 systems), which make WEEKLY updates to their system.

Not to mention the bugs that have been lying for months on github, or the pull requests people made with love, abandoned for years...  This is not proper open source.

For your information, Zentyal developers have already declared that they will not launch a new version of Zentyal until MAY 2023...  Although they claimed to prepare a patch... I really don't know how they will address this, if solution depends on a new version of Samba, which they say cannot be done on current Zentyal 7, based on Ubuntu 20.04

My advice: run away from Zentyal.  As quick as possible.  Don't waste your time on this.  I am a systems administrator.  I know what I am talking about.

Good luck to everyone.

trashman

Re: AD Stop Working on Windows 11 22H2
« Reply #13 on: November 03, 2022, 04:51:47 pm »
But what is the alternative? I really don't want to use windows server so does that mean installing samba etc from scratch.

I have been contemplating rolling out Zentyal - but communication seems spotty and I've noticed a lot of unusual little problems in my testing.

As a concept Zentyal should be a winner, even just as an AD server / File Server which is my own use case, but there's no way I can justify paying for something that is lacking support.

Looks like I'm going to have to look further.

Cheers

peptoniET

Re: AD Stop Working on Windows 11 22H2
« Reply #14 on: November 03, 2022, 04:58:23 pm »
Hi,

For me, after a long research, feature and process testing, and more than 20 lab test migrations of my current systems (and after completing the first production transparent migration), my alternative is Univention (https://www.univention.com/).

Univention even has a plugin called adtakeover, that can migrate a whole domain (users, groups, passwords, etc.)