Cannot Join/Log in to AD domain after update to 22h2

[btankwart]

After update to 22h2, Windows 11 clients cannot join or log in to AD domain anymore.

Steps to reproduce
Install/Update Windows 11 with 22H2 update
Attempt to join the AD domain or log in (if already joined)

Expected behavior
Join the domain / continue to log in

Actual behavior
The Windows client cannot join the domain.
If the client was already joined, the user cannot login.

Components
TS-453D/8GB
QTS 5.0.1.2145

Credits
https://github.com/NethServer/dev/issues/6702 (User experienced same behaviour with NethServer)

What to do?

[FSC830]

Seems to be a Microsoft issue if different hardware servers are affected!?
Anyhow, a reason for not using a NAS as AD controller!
Seen to many issues with AD and QTS...

Did you already contacted MS support?

Regards

[hmkgl]

Have the same problem too. Did some digging and found a probable cause.
TL;DR: Y2K38 bug in Kerberos

Current version of Samba in the QTS (5.0.1) has a version of Heimdal that will not accept TGS-REQ with a till date above 2038-01-19. Windows up until 11 21H2 played along by sending requests below this date (example from a working machine: 2037-09-13 04:48:05 CEST), however requests in 22H2 seem to have a till date with the year 9999 (!!!). This is evident if you inspect the requests with software such as Wireshark and compare between the versions (on a working host and a 22H2 VM). A MS employee has even said that this is by design and they have no intent to reverse this. [2]

I cannot test if a newer version of Samba will fix the problem immediately, but this is the only possible lead I've got at the moment.

Samba from 4.16 seems to use Heimdal 8.0pre, which is free from said bug, whilst the current version of Samba in the latest QTS is 4.13.17. Seems the only solution is to wait for a QTS update.

Credits:
[1] https://www.reddit.com/r/sysadmin/comme ... &context=3
[2] https://github.com/heimdal/heimdal/issues/1011

[krang01]

i experience the same problem. I hope it will be fixed soon.

[dolbyman]

Make sure you report this in a ticket..moaning here will not do anything

[hmkgl]

Quick update: Windows 11 Insider build 25247 just went live, which changes the TGS-REQ timestamp to the year 2100 - After testing it on a VM with the same QTS / Samba version, everything (joining, logging in, accessing shares) now works.
Now it's either a matter of waiting untill the fix goes out to stable, or waiting for a newer version of Samba in the QTS.

[gasparcheng]

QNAP just release a Qfix patch for fixing this SAMBA issue

screenshot.png

QNAP download center link:
https://www.qnap.com/en/download

Direct link:
Global: https://download.qnap.com/Storage/Qfix/ ... .0_x86.zip
USA: https://us1.qnap.com/Storage/Qfix/Kerbe ... .0_x86.zip
Europe: https://eu1.qnap.com/Storage/Qfix/Kerbe ... .0_x86.zip

Install Steps:
1. Unzip file
2. Install it as FW

Hope this helps.

[btankwart]

I did not try the Qfix patch, but in the meantime https://www.qnap.com/en/release-notes/q ... 4/20221201 was also released, which solved the problem for me.

I thank everyone who has put thought and effort into this thread.

[krang01]

yes the fix also worked for me

[step]

hello, does this Qfix patch apply to older systems such as qnaps stucked in the 4.3.4 version ? or is this AD feature dead for us after 22h2 ?

[dolbyman]

The Qfix would be only for new firmware, but was this issue introduced with a certain firmware update on QNAP's side or was that a general incompatibility ?

[step]

I think it's a general one until certain version of kerberos heimdal software. So all QNAP nas will be affected.

[dolbyman]

you would have to inquire via ticket then, but EOL NAS normally only get security updates (but worth a shot)

[step]

No it's not a QNAP bug it's a windows "feature". All NAses using heimdal <8 as kerberos server are concerned (unless v5 up to date no hope).
I opened a ticket. For the moment the answer is "no maintenance for eol models" : (French)

"Bonjour,
Malheuresement, le R&D m'indique que le FW 4.3.4 est trop vieux pour supporter pleinement Windows 11 et ne pourra donc pas profiter de l'ensemble des fonctionnalité. Il vous suggère d'utiliser le TS-469L comme serveur autonome.
"
They asked the R&D, and as stated the only way is to create a new samba DC on another hardware (a spare computer...) with the last distro and sync it with the AD NAS before unpromoting it...Or accept the discount on new nas. As my hardware is working without problem and i hate software obsolesence, i'm working on an AD on an ARM i already have, the NAS will only be a nfs server in that case. I will use Linux extension for windows as a way to manipulate files.