[Samba] Joining 4.2.2 Samba client to Samba3 PDC

David Morgan dmorgan at westquad.med.harvard.edu
Thu Jun 11 15:37:09 MDT 2015


Hi,

Not sure of the etiquette of this, so apologies if this is frowned upon, 
but a couple of months ago, this[1] question was asked.

I'm trying to join a Samba 4.2.2 server to a Samba 3.4.7 PDC (e.g. think 
NT4, not AD), which is also our OpenLDAP principal server.  I'm failing 
because, although my "net rpc join" command seems to succeed, and the 
host entry is added to the directory, I keep getting messages such as 
this in /var/log/samba/log.CLIENT_IP on my PDC/LDAP host:

   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
[2015/06/11 16:46:18,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$

and the user that I've added fails to log in, with basically a 
"permissions denied" error (I'm trying to log in from OS X 10.10.3). 
This login attempt correlates with the two error lines above.

The PDC is running Ubuntu 10.04 (* * *looks away in embarrassment* * *) 
and the client CLIENT[2] is Ubuntu Server 14.04.  The sensible advice 
might likely be: UPGRADE YOUR PDC HOST, DUMMY!, and I do intend to do 
that, but if we could get this working it would be really neat-o keen, 
and would buy us a bit of time.  The motivation for this is to give our 
OS X users the significant performance advantages that vfs_fruit has to 
offer them (Thanks again, Ralph![3]).  If the only solution is to 
upgrade the PDC, that's ultimately fine, but that will of course take 
more time.

If you've read this far, Thanks![4]

-DM


[1]
 > Francesco Malvezzi francesco.malvezzi at unimore.it
 > Tue Apr 14 00:41:15 MDT 2015
 >
 > hi all,
 >
 > my working samba-4.1.7 member of a samba3 domain (samba-3.5.3) failed
 > while updating to samba-4.2.0. Users were no longer able to access
 > shares because the trust account was broken.
 >
 > According to release notes (Winbindd/Netlogon improvements):
 >
 > For the client side we have the following new options:
 > "require strong key" (yes by default), "reject md5 servers" (no by
 > default).
 > E.g. for Samba 3.0.37 you need "require strong key = no" and
 > for NT4 DCs you need "require strong key = no" and "client NTLMv2
 > auth = no",
 >
 > so in samba-4.2.0 member's smb.conf I put:
 >
 >  require strong key = no
 >  client NTLMv2 auth = no
 >
 > but yet trust account wasn't able to authenticate on domain PDC.
 >
 > Which are the correct switches to allow a samba-4.2.0 member to join a
 > samba3 PDC?
 >
 > thank you,
 >
 > Francesco

[2] Not his real name.

[3] Legally required statement.

[4] ...but you might need to get outside more. :-O

-- 
David S Morgan, Ph.D.			 david_morgan at hms.harvard.edu
Director				 http://wqcg.med.harvard.edu
West Quad Computing Group		 Office: 617-651-0259
Harvard Medical School
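
Added example, not part of the original post and not Samba's own tooling: a small triage script for the PDC-side log format quoted above, which groups rejected netlogon authentications by machine account so a broken trust account stands out. The sample log is constructed from the lines in the post (the first timestamp and the unrelated entry are placeholders), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the post: a header line
# "[timestamp, level] file:line(function)" followed by an indented message.
# The second message is wrapped across two lines, as mail clients and
# pagers often leave it.
SAMPLE_LOG = """\
[2015/06/11 16:46:17,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
[2015/06/11 16:46:18,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client CLIENT machine account CLIENT$
[2015/06/11 16:50:02,  1] example/file.c:1(example_function)
  constructed unrelated entry
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,"
                    r"\s*(?P<level>\d+)\]\s*(?P<src>\S*)")
FAILURE = re.compile(r"netlogon_creds_server_check failed\.\s+Rejecting auth request "
                     r"from client (?P<client>\S+) machine account (?P<account>\S+)")

def parse_entries(text):
    """Yield (timestamp, level, source, message), joining wrapped message lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], current[2], " ".join(current[3])
            current = (m["ts"], int(m["level"]), m["src"], [])
        elif current and line.strip():
            current[3].append(line.strip())
    if current:
        yield current[0], current[1], current[2], " ".join(current[3])

def netlogon_failures(text):
    """Map machine account -> timestamps of rejected netlogon authentications."""
    hits = defaultdict(list)
    for ts, _level, _src, msg in parse_entries(text):
        m = FAILURE.search(msg)
        if m:
            hits[m["account"]].append(ts)
    return dict(hits)

if __name__ == "__main__":
    for account, stamps in netlogon_failures(SAMPLE_LOG).items():
        print(f"{account}: {len(stamps)} rejected, first {stamps[0]}, last {stamps[-1]}")
```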

