Windows 11 22H2 and Samba-AD login issue

Thanks. Looks like we need to find a way to get windows 11 22H2 running on a VM to test this...

Looks like there is a similar situation with Windows 10 now, which is also getting a "22H2" upgrade

As mentioned on the Samba bug, the easiest way to test in a VM is with a download of the vNext release of Windows server.

The patch is actually quite low-risk as these things go, and has a regression test. I tested it manually on 4.12 for our customer and 4.15.

Any chance this gets backported to Ubuntu 18.04?

After updating to Windows 11 22H2 I can't login anymore to our Samba-AD domain on Ubuntu 22.04. I have to pull out the network cable to login to my notbook. Using any resources on file servers, etc. is not possible. VERY annoying.

I hear you. I'm working on this now.

@wagnerma this issue will not get fixed "immediately" as for a released ubuntu version every update has to go through a SRU process. That takes some time.

If you really need a fix "right now" you have 3.5 options
1) upgrade the dc to ubuntu 22.10
2) compile samba with the patch provided upstream yourself
3) use a ppa that has a version with that patch included (this is what I did, although the ppa is my own; see ppa:saxl/samba)
3.5) use the workarounds mentioned on some forums. note that this workarounds are not adequate security wise. This is why I don't count it as a full option

kinetic and later are not affected, as they have samba 4.16

https://github.com/heimdal/heimdal/issues/1011#issuecomment-1284971166

While I prepare the official stable release update (SRU), here is the PPA I have been using to test these patches for bionic, focal and jammy, if somebody wants to try out a pre-release build:

https://launchpad.net/~ahasenack/+archive/ubuntu/samba-22h2/

There will be another opportunity for testing from the official *-proposed pocket once the MPs I'm about to file are approved and the SRU team accepts the upload.

In my case.

Tested on:

AD: Zentyal 7.0 based on Ubuntu 20.04.5 LTS x64.
Client: Windows 11 x64 22H2 (updated, not clean install, already added to the domain).

Result:

Domain users can login.
Elevation requiring domain admin user creadentials is ok.
RSAT tool for manage domain users and groups apparently works fine (create, delete, modify, change groups, etc, but not tested intensibly).

Thanks!!

Thanks for the feedback. The PRs were approved and I just uploaded the packages to the respective unapproved queues of bionic, focal and jammy. It's now in the SRU team's queue waiting for approval.

Thank you very much for your efforts! Greatly appreciated.

Fixed typo in test recipe: server-dole -> server-role.

Hello msaxl, or anyone else affected,

Accepted samba into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.15.9+dfsg-0ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello msaxl, or anyone else affected,

Accepted samba into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.13.17~dfsg-0ubuntu1.20.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hey Andreas! I approved focal and jammy, but in bionic I see that the patch is different (misses 1/3 and 2/3) - is it because the test changes were not applicable to samba version on bionic?

All autopkgtests for the newly accepted samba (2:4.15.9+dfsg-0ubuntu0.3) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.48.2-0ubuntu1 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

> Hey Andreas! I approved focal and jammy, but in bionic I see that the patch is different
> (misses 1/3 and 2/3) - is it because the test changes were not applicable to samba version
> on bionic?

Hi,

yes, and I added this note[1] to the bionic patch about it:

    Ubuntu backport note: removed diff for files that do not exist in this version

1. https://git.launchpad.net/~ahasenack/ubuntu/+source/samba/tree/debian/patches/win-22H2-fix.patch?h=bionic-samba-win-22h2-fixes#n21

The gvfs failing dep8 test on jammy passed after a retry, and all tests are green now.

Per comment #19 it would be clearer to say: Removed diff chunks in the patch for the Kerberos protocol tests that are not present in this older version of Samba.

These tests have no role in the runtime operation of the system, so this is safe, particularly if the change has been manually verified.

Thanks ahasenack for your work to get this fix backported for our users, it is much appreciated.

Thrilled to see that this backport is imminent. No-Coding-Experience SysAdmins everywhere appreciate your hard work. I'll be updating my jammy-updates feed frequently and eagerly await this fix on my 22.04.1 server. Thank you all!

Hello msaxl, or anyone else affected,

Accepted samba into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.29 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.29) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.36.1-0ubuntu1.3.3 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Just wanted to say thank you! Currently I rolled back the Win 11 22H2-update and stayed with 22.04.1. Was about to upgrade to 22.10 and tested it already successfully in the VM. Your work prevented me to do this, so I can stay with the LTS-branch.I'll wait for the update to show up after 30.11 +7 days and then update to Win11 22H2! Once again, thank you!

I had to revert Windows 11 22H2 updates weeks ago after being unable to log into AD and coming across this bug. This afternoon I updated my Ubuntu 22.04 AD servers with the 2:4.15.9+dfsg-0ubuntu0.3/jammy-proposed update. After installing 22H2 again I have no issues logging in and accessing AD resources.

I downloaded to a test environment (Hyper-V Ubuntu 21.04 and Windows 10 22H2 machines) last night and had no issues joining my Windows machine to my Ubuntu machine and browsing file shares.

Seems solid to me. Any idea when we can expect this thing to go live? Looking forward to patching my production machines without having to resort to the "proposed" branch.

Jammy verification

AD DC installed and configured on jammy, ubuntu user created.

Using the jammy samba packages, trying to join a windows 11 22H2 machine to the domain fails.

root@j-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.15.9+dfsg-0ubuntu0.2
  Candidate: 2:4.15.9+dfsg-0ubuntu0.2
  Version table:
 *** 2:4.15.9+dfsg-0ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status

I then updated to the packages in proposed:
root@j-ad:~# dpkg -l | grep 4.15.9
ii libsmbclient:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba winbind client library
ii python3-samba 2:4.15.9+dfsg-0ubuntu0.3 amd64 Python 3 bindings for Samba
ii samba 2:4.15.9+dfsg-0ubuntu0.3 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.9+dfsg-0ubuntu0.3 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.9+dfsg-0ubuntu0.3 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.15.9+dfsg-0ubuntu0.3 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.15.9+dfsg-0ubuntu0.3 amd64 service to resolve user and group information from Windows NT servers
root@j-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.15.9+dfsg-0ubuntu0.3
  Candidate: 2:4.15.9+dfsg-0ubuntu0.3
  Version table:
 *** 2:4.15.9+dfsg-0ubuntu0.3 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.9+dfsg-0ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     2:4.15.5~dfsg-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

And the join worked immediately afterwards:

root@j-ad:~# samba-tool computer list
J-AD$
WIN11H22$ <-----

And a domain user can login in windows 11 just fine.

I still need to join a Windows 10 to the domain for that part of the test plan.

Removed the win11 machine, joined a windows 10 one:

root@j-ad:~# samba-tool computer list
DESKTOP-QDCU1C5$
J-AD$

Jammy verification succeeded.

I'm having hilarious problems with windows 10 just trying to change some local configs, prior to trying a domain join

I'm having hilarious problems with windows 10 just trying to change some local configs, prior to trying a domain join

And apparently launchpad also thinks it's funny

@Andreas - that's prior to joining a domain?? Oh lord. hahaha... I'm tempted to ask if your Win10 user is a local administrator, but even if they weren't I don't think THAT is what the screen would normally look like. That's more of a display/graphics issue of some kind? Is your Windows 10 running inside a VM? I'd be tempted to check device manager and see if it's showing any issues with hardware, or run Windows Update and see if it offers a generic graphics driver update?

Focal verification

With focal samba packages installed:
root@f-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.13.17~dfsg-0ubuntu1.20.04.1
  Candidate: 2:4.13.17~dfsg-0ubuntu1.20.04.1
  Version table:
 *** 2:4.13.17~dfsg-0ubuntu1.20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status

Domain join from windows 11 does not work.
Then, while windows 11 was still showing the error in its gui, I updated the samba packages to the versions in proposed:
root@f-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.13.17~dfsg-0ubuntu1.20.04.2
  Candidate: 2:4.13.17~dfsg-0ubuntu1.20.04.2
  Version table:
 *** 2:4.13.17~dfsg-0ubuntu1.20.04.2 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.13.17~dfsg-0ubuntu1.20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages

And just tried again in windows 11, and this time the join worked.

root@f-ad:~# samba-tool computer list
WIN11H22$
F-AD$

I won´t be doing the windows 10 join test, as it was done already for jammy, and for some reason it's a pain to reset a win10 machine to the pre-join state (and I can't use VM snapshots because it's UEFI boot, for some reason that is not supported).

Focal verification succeeded.

Bionic verification

Domain join from windows 11 fails when the bionic samba AD DC is provisioned with the normal bionic packages:

root@b-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.7.6+dfsg~ubuntu-0ubuntu2.28
  Candidate: 2:4.7.6+dfsg~ubuntu-0ubuntu2.28
  Version table:
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.28 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status

Updating to bionic-proposed packages:
root@b-ad:~# apt-cache policy samba
samba:
  Installed: 2:4.7.6+dfsg~ubuntu-0ubuntu2.29
  Candidate: 2:4.7.6+dfsg~ubuntu-0ubuntu2.29
  Version table:
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.29 500
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.7.6+dfsg~ubuntu-0ubuntu2.28 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2:4.7.6+dfsg~ubuntu-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

And just trying again in windows 11 after the bionic update worked.

The samba-tool script in bionic does not have the option to list domain computers unfortunately, so I can't paste its output here. But I tested a domain logon from that windows 11 machine, and that worked.

Bionic verification succeeded.

Apologies if this is the wrong place to post this, but I have upgraded to Samba 4.16.4 on Kinetic (Server is the sole AD on the domain). Previously, I was on Jammy and 4.15.9 in Jammy.

I'm able to join my Win11 22H2, and log in as a domain user, but any other domain activities, such as running the Active Directory Users & Groups app or even trying to select a domain user when changing ownership of a file (I'm a Domain Admin) fails. I was able to do this successfully before upgrading to Win11 and am still able to do it from a Win10 computer. I updated because I thought 4.16 had corrected this. Is there anything else I need to do/enable?

The samba log shows the following:

[2022/12/07 11:20:06.399155, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2022/12/07 11:20:06.408246, 5] ../../source4/ldap_server/ldap_backend.c:783(ldapsrv_SearchRequest)
  ldb_request BASE dn= filter=(objectclass=*)
[2022/12/07 11:20:06.411301, 5] ../../source4/ldap_server/ldap_backend.c:975(ldapsrv_SearchRequest)
  ldapsrv_SearchRequest: LDAP Query: Duration was 0.00s, SearchRequest by S-1-5-7 from ipv4:192.168.3.230:62160 filter: [(objectclass=*)] basedn: [] scope: [
BASE] result: Success
[2022/12/07 11:20:06.418530, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2022/12/07 11:20:06.418728, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2022/12/07 11:20:06.418843, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ <email address hidden> from ipv4:XXX.XXX.XXX.XXX:62161 for <email address hidden>
[2022/12/07 11:20:06.421842, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.423682, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.424602, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.426264, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.427052, 6] ../../lib/util/util_ldb.c:58(gendb_search_v)
  gendb_search_v: DC=domain,DC=company,DC=net NULL -> 1
[2022/12/07 11:20:06.427650, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client (<email address hidden>) from ipv4:XXX.XXX.XXX.XXX:62161 has no common enctypes with KDC to use for the session key
[2022/12/07 11:20:06.427770, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: as-req: sending error: -1765328370 to client
[2022/12/07 11:20:06.427866, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Making non-FAST KRB-ERROR
[2022/12/07 11:20:06.428124, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.009605
[2022/12/07 11:20:06.428245, 3] ../../source4/auth/kerberos/krb5_ini...

@R3N - has your Windows 10 computer upgraded to the 22H2 release yet, or not? It likely has not, which would explain why it still works, but I want to be sure.

@nuangel, you are correct, the Win10 machine is still at 21H2

I want to add, I found this reddit thread that details the root cause:

https://www.reddit.com/r/sysadmin/comments/xoqend/samba_495_windows_11_22h2_kerberos/

But it says that the Heimdal 8.0pre used in Samba 4.16 and higher has fixed the issue. That's what's making me think that there's something wrong in my installation.

This bug was fixed in the package samba - 2:4.15.9+dfsg-0ubuntu0.3

---------------
samba (2:4.15.9+dfsg-0ubuntu0.3) jammy; urgency=medium

  * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
    clients (LP: #1993934)

 -- Andreas Hasenack <email address hidden> Tue, 08 Nov 2022 10:59:27 -0300

The verification of the Stable Release Update for samba has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package samba - 2:4.13.17~dfsg-0ubuntu1.20.04.2

---------------
samba (2:4.13.17~dfsg-0ubuntu1.20.04.2) focal; urgency=medium

  * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
    clients (LP: #1993934)

 -- Andreas Hasenack <email address hidden> Tue, 08 Nov 2022 11:35:28 -0300

This bug was fixed in the package samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.29

---------------
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.29) bionic; urgency=medium

  * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
    clients (LP: #1993934)

 -- Andreas Hasenack <email address hidden> Wed, 09 Nov 2022 11:42:14 -0300

POsting this for others who encounter my issue, I'd found a workaround for adding my Win11 22H2 laptop to the Samba 4.15.X AD and for logging into the computer as a domain user. That entailed modifying Local Security Policy> Local Policies> Security Options> Network security: Configure encryption types allowed for Kerberos Check only DES_CBC_CRC and DES_CBC_MD5. This worked for those two functions.

The reason the problem opening AD tools and getting user listings from my Win11 box was that I hadn't reversed that change when I upgraded to Samba 4.16.X. I did so and now everything works flawlessly. Thanks all.

Anyone having login issues even after applying this fix please read this:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/linux-accounts-cannot-get-aes-tickets

It may be your Samba host's LDAP entry operatingSystemVersion attribute causing this.
Numerical values less than 6 are interpreted as "not AES capable OS" by recent Windows updates.
Change value "4.x.x" to "Samba 4.x.x" and reboot Windows machine. Did the trick for me.

We've tried the solution from @Jan Bubik and checked the "operatingSystemVersion" of the DCs.
Both DCs (one is Zentyal 7, the other is Ubuntu 20.04) haven't this setting set. We've set this to "Samba 4.x.x" like @Jan suggested. While we checked this we've recognized, that on Zentyal DC, the value for "msDS-SupportedEncryptionTypes" was not set, while the settings was set on the Ubuntu 20.04 DC. Maybe this was caused, because the Zentyal is an upgraded system from Ubuntu 18.04 and the Ubuntu 20.04 was an fresh installation. Maybe this can be checked by someone?. We've set "msDS-SupportedEncryptionTypes" to (int) 31, which seems to be the default value for samba.

It seems to be, that "operatingSystemVersion" is a mandatory setting because of "schemaFlagsEx: FLAG_ATTR_IS_CRITICAL" in https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/linux-accounts-cannot-get-aes-tickets

If we now set the Local Security Policy or in a GPO > Local Policies> Security Options> Network security: "Configure encryption types allowed for Kerberos" and disallow DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD a login seems to be work, but if you start an application with run as administrator and enter some domain credentials the authentication fails. Also the run of 'gpupdate' fails with:
```
Die Computerrichtlinie konnte nicht erfolgreich aktualisiert werden. Folgende Probleme sind aufgetreten:

Fehler bei der Verarbeitung der Gruppenrichtlinie. Es wurde versucht, registrierungsbasierte Richtlinieneinstellungen für das Gruppenrichtlinienobjekt "LDAP://CN=Machine,CN={xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx},CN=Policies,CN=System,DC=xxxxx,DC=xx" zu lesen. Die Gruppenrichtlinieneinstellungen dürfen nicht erzwungen werden, bis dieses Ereignis behoben ist. Weitere Informationen über den Dateinamen und -pfad, der den Fehler verursacht hat, können den Ereignisdetails entnommen werden.
Die Benutzerrichtlinie konnte nicht erfolgreich aktualisiert werden. Folgende Probleme sind aufgetreten:

Fehler bei der Verarbeitung der Gruppenrichtlinie. Es wurde versucht, registrierungsbasierte Richtlinieneinstellungen für das Gruppenrichtlinienobjekt "LDAP://CN=User,CN={xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx},CN=Policies,CN=System,DC=xxxxx,DC=xx" zu lesen. Die Gruppenrichtlinieneinstellungen dürfen nicht erzwungen werden, bis dieses Ereignis behoben ist. Weitere Informationen über den Dateinamen und -pfad, der den Fehler verursacht hat, können den Ereignisdetails entnommen werden.
```
Only if we additional allow RC4_HMAC_MD and above (only disabled DES_CBC_CRC, DES_CBC_MD5) all seems to be working properly (gpupdate, runas administrator, login).

System info:
Server: Ubuntu 20.04 LTS with samba 2:4.13.17~dfsg-0ubuntu1.20.04.5
Clients: Windows 10 22H2 latest updates installed, Windows 11 22H2 latest updates installed