Koozali.org: home of the SME Server

Domain joined PC's can no longer Login since Win 10 1809 update

natdata
« on: January 28, 2019, 05:24:11 PM »
Hi all,

We have a server that is the DC for our network. Last week one of the PC's got stuck in a loop at login with the Win 10 taskbar just flashing on and off as if explorer was crashing and restarting over and over. Local machine account logins work but any domain accounts all fail. Then this week a second PC updated to 1809 and now that is experiencing the same issue, so we are pretty convinced it's an 1809 issue. What surprises me is that if this was a widespread issue I would have expected a lot more on here about it, but searches don't turn anything up.

What we have tried:-

1. Enabling SMB 1 on the windows 10 machine.
2. config setprop smb ServerMaxProtocol SMB2
 expand-template /etc/smb.conf
 service smb restart
3. Logging in as sme administrator on the PC (This worked once on the first PC but now gets the same result and didn't work on the second PC at all).
4. Adding the Domain User/Domain Admins/Domain Guests groups

I can't see anything that looks relevant in the samba logs or windows event viewer.

Any suggestions or advice would be appreciated

Kind regards
Ian

ReetP
« Reply #1 on: January 29, 2019, 01:51:34 AM »
There are masses of stuff on the interwebs about it, a few long threads here, and some bugs.

A good search will help you, and latest Win 10 updates should have fixed it if you read the threads here.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

natdata
« Reply #2 on: January 30, 2019, 03:46:49 PM »
Quote
There are masses of stuff on the interwebs about it, a few long threads here, and some bugs.

A good search will help you, and latest Win 10 updates should have fixed it if you read the threads here.

I am not seeing anything about this exact issue. I can find stuff about joining a domain being broken in Win 10 1803, but this is 1809 and the problem isn't about joining a domain, it's about a previously domain joined computer no longer able to login. There are no newer updates available either. I searched the InterWeb (again!) but still I can't find anything regarding this issue, only stuff about joining a domain in 1803.

ReetP
« Reply #3 on: January 30, 2019, 05:51:50 PM »
Quote
I am not seeing anything about this exact issue. I can find stuff about joining a domain being broken in Win 10 1803, but this is 1809 and the problem isn't about joining a domain, it's about a previously domain joined computer no longer able to login. There are no newer updates available either. I searched the InterWeb (again!) but still I can't find anything regarding this issue, only stuff about joining a domain in 1803.

Hmmmm. There must be an error somewhere.

On SME have a look in /var/log/secure and /var/log/samba/*

You can increase the default log level (I had to modify the wiki page and add this info here https://wiki.contribs.org/DB_Variables_Configuration#Samba_global_settings_.28smbd.29)

Code:
config setprop smb LogLevel 3
signal-event workgroup-update

That should give you some increased logging on SME

I'm afraid I have no idea how to increase logging on Windows as I have no Windows machines (Yay........!)

You'll have to go and have a read around for that.

Just for reference regarding MaxProtocol from smb.conf for samba 3 as installed on SME:

Quote
max protocol (G)

The value of the parameter (a string) is the highest protocol level that will be supported by the server.

Possible values are :

  · CORE: Earliest version. No concept of user names.
  · COREPLUS: Slight improvements on CORE for efficiency.
  · LANMAN1: First modern version of the protocol. Long filename support.
  · LANMAN2: Updates to Lanman1 protocol.
  · NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
  · SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and newer.

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

ttech
« Reply #4 on: January 30, 2019, 05:54:54 PM »
Hi - passing thru...  A quick search using this string ...

https://www.google.com/search?q=Domain+joined+PC%27s+can+no+longer+Log+In+since+Win+10+1809+update+%22since+Win+10+1809+update%22&lr=&hl=en&tbs=qdr:y&sa=X&as_q=&spell=1&ved=0ahUKEwjIj6iS9ZXgAhVxmK0KHSr_BNYQBQgUKAA

yields a number of potential links that MAY be helpful. I don't have 1809, and did not want to update win7 clients in Jan 2019 for other similar reasons. The following link (from this search) may help you get out of the woods...

https://social.technet.microsoft.com/Forums/en-US/a251c06a-e68b-4269-9b1d-0fb3e9e08db3/after-updating-to-win-10-1809-i-can-no-longer-see-my-other-private-network-computers-from-explorer?forum=win10itpronetworking

This may help you find the domain controller, maybe not (no testing environment at hand).  Just a thought only, YMMV.  Good luck.

ReetP
« Reply #5 on: January 30, 2019, 06:03:36 PM »
Every day that goes by I relish in the fact I dumped Windows..... best decision I ever made :-)

natdata
« Reply #6 on: February 18, 2019, 11:03:30 AM »
We have had another machine update and fail (we switched off updates on most of the machines for 35 days while we try and work this out).

In the machine's samba log we get the following (with the increased logging from this thread):

/var/log/samba/log.desktop-73afst3: Viewed at Mon 18 Feb 2019 09:52:28 AM GMT.
[2019/02/18 08:04:38.726286,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DESKTOP-73AFST3 machine account DESKTOP-73AFST3$
[2019/02/18 08:54:39.194047,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DESKTOP-73AFST3 machine account DESKTOP-73AFST3$
[2019/02/18 09:42:14.389194,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DESKTOP-73AFST3 machine account DESKTOP-73AFST3$
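
To see which machine accounts the server is rejecting and how often, the log format shown in the post above can be summarised per account. This is an added example, not part of the original thread; the function name `netlogon_rejections` and the host names in the sample input are made up.

```shell
#!/bin/sh
# Added example: count netlogon secure-channel rejections per machine account
# in Samba 3 logs. Usage on the server: netlogon_rejections /var/log/samba/log.*

netlogon_rejections() {
    awk '
    # Header line: "[YYYY/MM/DD HH:MM:SS.usec,  level] file.c:line(function)"
    /^\[[0-9][0-9][0-9][0-9]\// {
        ts = substr($1, 2) " " $2
        sub(/\.[0-9]*,$/, "", ts)        # drop microseconds and the comma
        in_auth3 = ($0 ~ /\(_netr_ServerAuthenticate3\)/)
        next
    }
    # The indented line after the header carries the message text.
    in_auth3 && /netlogon_creds_server_check failed/ {
        acct = "(unknown)"
        for (i = 1; i <= NF - 2; i++)
            if ($i == "machine" && $(i + 1) == "account") acct = $(i + 2)
        if (!(acct in count)) { order[++n] = acct; first[acct] = ts }
        count[acct]++
        last[acct] = ts
    }
    END {
        # account, rejections, first seen, last seen (tab separated)
        for (i = 1; i <= n; i++)
            printf "%s\t%d\t%s\t%s\n", order[i], count[order[i]],
                   first[order[i]], last[order[i]]
    }' "$@"
}

# Constructed sample input (made-up host names), in the format of the log above.
sample_log() {
    cat <<'EOF'
[2019/02/18 08:04:38.726286,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-ALPHA machine account PC-ALPHA$
[2019/02/18 08:10:02.000100,  3] example/other.c:1(unrelated_function)
  unrelated message that must not be counted
[2019/02/18 08:54:39.194047,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-ALPHA machine account PC-ALPHA$
[2019/02/18 09:42:14.389194,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-BETA machine account PC-BETA$
EOF
}

sample_log | netlogon_rejections
```

Repeated rejections for the same account across reboots point at that machine's stored machine-account secret no longer matching what the server holds, rather than at a one-off network fault.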


ReetP
« Reply #7 on: February 18, 2019, 05:23:53 PM »
Have you tried searching the interwebs for the error in your logs?

rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.

 https://serverfault.com/questions/771388/how-can-i-fix-samba-3-6-25-the-trust-relationship-between-this-workstation-and

Can you check what samba version you have installed:

Code:
rpm -qa |grep sam

Here's mine

samba-common-3.6.23-51.el6.x86_64
e-smith-samba-2.4.0-26.el6.sme.noarch
samba-3.6.23-51.el6.x86_64
samba-winbind-clients-3.6.23-51.el6.x86_64
samba-winbind-3.6.23-51.el6.x86_64
samba-client-3.6.23-51.el6.x86_64

natdata
« Reply #8 on: February 25, 2019, 03:01:37 PM »
Same as you as far as I can see:-

samba-common-3.6.23-51.el6.x86_64
samba-client-3.6.23-51.el6.x86_64
samba-winbind-3.6.23-51.el6.x86_64
samba-3.6.23-51.el6.x86_64
e-smith-samba-2.4.0-26.el6.sme.noarch
samba-winbind-clients-3.6.23-51.el6.x86_64

All the stuff I found with that error message were for bugs in later versions of Samba.

ansentry
« Reply #9 on: February 25, 2019, 09:33:41 PM »
I'm running SME Server 9.2 as a DC at my home. I have 2 Windows 10 1809.316 computers logging in fine. I have SMB 1 enabled. Both of these computers are Upgraded from Windows 7.

What I would try is on one of your computers that will not log in:
1. Create an image of the computer. (I use Macrium Reflect - Free Version) Just in case my suggestion fails.
2. Remove the computer from the Domain - just let it join a Workgroup.
3. Reboot
4. Log in as normal workgroup user.
5. Rejoin the Domain.
If this works, good; if not, restore with Macrium Reflect.

Hope this helps.

Regards,

John A

natdata
« Reply #10 on: March 12, 2019, 12:39:38 PM »
Quote
I'm running SME Server 9.2 as a DC at my home. I have 2 Windows 10 1809.316 computers logging in fine. I have SMB 1 enabled. Both of these computers are Upgraded from Windows 7.

What I would try is on one of your computers that will not log in:
1. Create an image of the computer. (I use Macrium Reflect - Free Version) Just in case my suggestion fails.
2. Remove the computer from the Domain - just let it join a Workgroup.
3. Reboot
4. Log in as normal workgroup user.
5. Rejoin the Domain.
If this works, good; if not, restore with Macrium Reflect.

Hope this helps.

We just had another PC install the update (the 35 day delay on installing updates is up) and leaving and rejoining the domain did not fix the issue. There must be something in the configuration of this particular SME Server that is making this happen or lots more users would be having the issue.

ReetP
« Reply #11 on: March 12, 2019, 01:05:38 PM »
Quote
We just had another PC install the update (the 35 day delay on installing updates is up) and leaving and rejoining the domain did not fix the issue. There must be something in the configuration of this particular SME Server that is making this happen or lots more users would be having the issue.

Hmmm. So what might you have changed on your server?

Have a look:

Code:
/sbin/e-smith/audittools/templates

Code:
/sbin/e-smith/audittools/newrpms

Code:
/sbin/e-smith/audittools/events

You can also have a look at your samba defaults/settings with:

Code:
testparm -v

TerryF
« Reply #12 on: March 12, 2019, 09:03:25 PM »
Mate I feel for you, it's frustrating when no one else seems to suffer the same issue, sorry I don't have any answers only that there must be one, keep plugging away.

Earlier updates prior to 1809 were what broke the DC issue on Pro, update 1809 was supposed to be the panacea for the problem.

Can only suspect a minor change to the server back when there were real big issues with windows 10 Pro and back then there were suggested fixes that you did to a linux system AND your windows 10 to try and fix it.

This - config setprop smb ServerMaxProtocol SMB2 - see thread re SME10 comment by JP re sme9

Sorry small steps only
--
qui scribit bis legit

TerryF
« Reply #13 on: March 12, 2019, 10:50:05 PM »
Fingers crossed, new update : March 12, 2019—KB4489899

one of the key changes

Security updates to Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, Windows Shell, Windows App Platform and Frameworks, Windows Kernel-Mode Drivers, Windows Server, Windows Linux, Windows Hyper-V, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Wireless Networking, the Microsoft JET Database Engine, Windows Kernel, Windows, and Windows Fundamentals.

natdata
« Reply #14 on: March 14, 2019, 12:09:23 PM »
Quote
Fingers crossed, new update : March 12, 2019—KB4489899

one of the key changes

Security updates to Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, Windows Shell, Windows App Platform and Frameworks, Windows Kernel-Mode Drivers, Windows Server, Windows Linux, Windows Hyper-V, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Wireless Networking, the Microsoft JET Database Engine, Windows Kernel, Windows, and Windows Fundamentals.

Thanks Terry, for this and your other two responses. It is entirely possible we implemented a fix for an earlier issue with Windows 10 updates. Thanks for jogging my memory on that, I'll go through them and see if any have been applied.

Kind regards
Ian