I'm writing this here just in case someone can help me out a little bit here, since I'm kind of lost. I'm managing a domain controller through Samba version 4.1.12 (installed in a Debian 7), a little bit older version, but I'd like to know why recently I had 2 new computers that I tried to join to the DC that I couldn't join them because they said in each case the login + password for Administrator was incorrect.
The funny thing is that if I try to login / access to one of the shared folders we have, aside joining the domain, it works ok. I've just set up a laptop with the same Windows version and joined it to the domain and it also works okay, so I guess it must be some sort of Windows security update that only applied to these two new computers? They are 2 PC NUC11 with a fresh Windows 11 Pro installed.
So far, what I found is that Kerberos is complaining about the integrity check once you try to join the domain:
Kerberos: Failed to verify authenticator checksum: Decrypt integrity check failed for checksum type rsa-md5, key type arcfour-hmac-md5
On the other hand, when you start Samba the arcfour-hmac-md5 enctype is supported:
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Could you please anyone let me know what I might be doing wrong? Is there anything I should be paying attention to? I tried to modify my krb5.conf in order to add any new enctypes, but as far as I can see the enctype I want is already there. Should I add rsa-md5 to the list? I tried as well but it doesn't work at all.
Many, many thanks in advance for your kind help!
PS: I know I should update Samba :)
EDIT: In the end, I upgraded Samba with success, that was the only option left. You need to pay attention especially in what regards the following versions, I highly recommend you as well to perform small major upgrades before going to the latest version: https://wiki.samba.org/index.php/Updating_Samba
The was NO way we could get these workstations working. As far as I arrived was to get where @evs (below) referred to the Reddit link. We changed the OS cyphers for Kerberos at the Local Policy management and set-up some registry keys, but in any way we were able to access to get the system to load the GPOs (same cypher error and I could not locate where I could change it). That means, for instance, the workstations were not able to enable offline files or use folder redirection. There's a plus, there was no chance for a user to update his password. After that, I completely surrendered and updated the systems on a weekend... After reading online quite a lot, I'm afraid updates are strictly necessary in this case.
