[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10

Paulo Cesar paulo_rallye at yahoo.com.br
Mon Sep 11 17:10:40 UTC 2023


Hello everybody.

After installing a new AD domain controller with version 4.17.10+dfsg-0+deb12u1~bpo11+1, present in the Debian 11.7 backports repository, I am unable to join workstations running Windows XP SP3 to the domain. The Samba AD server was initially configured with the options "domain-sid=S-1-5-21-9500468976-950304483-95027178", "dns-backend=SAMBA_INTERNAL", "use-rfc2307" and "next-rid=5000000".
In previous tests, joining the domain with version 4.13.13 was working. I also tested version 4.17.9 (debian main repository) and 4.17.10 (debian-security repository) present in Debian 12 and the failure also occurs in both versions.
The tests were carried out with "fresh installations" of the Samba server and with the SMBv1 protocol, as well as NTLMv1, active in the ADDC server configuration (smb.conf). I also tried enabling NTLMv2 on the Windows XP client, but this had no effect.
The Windows XP SP3 installation is also "fresh", the local system firewall has been disabled and there is no firewall protecting the AD domain controller (neither local nor through a service on the network). When trying to join the domain with the user "administrator", an "internal error" message is presented to the user along with the error "0x54f" (Unable to bind to DS) recorded in the file "C:\Windows\Debug\NetSetup.log" (full logs are available in this message).
I have successfully run the join tests with Windows 2003 Server (64-bit) and Windows 7 SP2.
Other actions I tried in order to solve the problem:
- Removing the client machine account running Windows XP from the directory service and purging this data (expunge by samba-tool), with no effect;
- Installing KB969084 on Windows XP due to some research on the internet regarding similar problems, with no effect;
- Changing local security policies, especially those related to communication channel signing (in network security options), with no effect;
- Changing options related to authentication present on the server (smb.conf), but none of the changed settings, alone or together, had any effect.

The server's "smb.conf" file:
[global]
    dns forwarder = 10.1.1.9
    interfaces = lo ens18
    netbios name = SERVERT
    realm = TESTE.SMB4.REDE
    server role = active directory domain controller
    workgroup = TESTE
    idmap_ldb:use rfc2307 = yes
    server services = -nbt
    idmap_ldb:use rfc2307 = yes
    lm interval = 0
    max log size = 0
    log level = 3 auth:3 auth_audit:5 auth_audit_json:5 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
    debug class = yes

    ### Legacy auth ###
    lm announce = no 
    lanman auth = yes 
    #ntlm auth = yes
    ntlm auth = ntlmv1-permitted
    client lanman auth = yes 
    client ntlmv2 auth = yes 
    client min protocol = NT1
    server min protocol = NT1
    #allow nt4 crypto = yes
    #kerberos encryption types = legacy
    #client ipc min protocol = NT1
    #kdc force enable rc4 weak session keys = yes
    server reject md5 schannel:TESTEXPPC$ = no
    allow nt4 crypto:TESTEXPPC$ = yes
    #client signing = auto
    #server signing = auto
    #server schannel require seal:TESTEXPPC$ = no
    
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/teste.smb4.rede/scripts
    read only = No
[comp]
    path = /tmp/comp
    read only = no
    public = yes
    

The server's "/etc/resolv.conf" file:
domain teste.smb4.rede
search teste.smb4.rede
nameserver 10.1.1.7
nameserver 10.1.1.146


The server's "/etc/hosts" file:
127.0.0.1    localhost
10.1.1.7    servert.teste.smb4.rede    servert

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


The logs present in the Windows XP SP3 "NetSetup.log" file:
09/11 11:39:06 NetpDoDomainJoin
09/11 11:39:06 NetpMachineValidToJoin: 'TESTEXPPC'
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpMachineValidToJoin: status: 0x0
09/11 11:39:06 NetpJoinDomain
09/11 11:39:06     Machine: TESTEXPPC
09/11 11:39:06     Domain: teste.smb4.rede
09/11 11:39:06     MachineAccountOU: (NULL)
09/11 11:39:06     Account: teste.smb4.rede\administrator
09/11 11:39:06     Options: 0x27
09/11 11:39:06     OS Version: 5.1
09/11 11:39:06     Build number: 2600
09/11 11:39:06     ServicePack: Service Pack 3
09/11 11:39:06 NetpValidateName: checking to see if 'teste.smb4.rede' is valid as type 3 name
09/11 11:39:06 NetpValidateName: 'teste.smb4.rede' is not a valid NetBIOS domain name: 0x7b
09/11 11:39:06 NetpCheckDomainNameIsValid [ Exists ] for 'teste.smb4.rede' returned 0x0
09/11 11:39:06 NetpValidateName: name 'teste.smb4.rede' is valid for type 3
09/11 11:39:06 NetpDsGetDcName: trying to find DC in domain 'teste.smb4.rede', flags: 0x1020
09/11 11:39:06 NetpDsGetDcName: found DC '\\servert.teste.smb4.rede' in the specified domain
09/11 11:39:06 NetpJoinDomain: status of connecting to dc '\\servert.teste.smb4.rede': 0x0
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpGetDnsHostName: Read NV Hostname: testexppc
09/11 11:39:06 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: teste.smb4.rede
09/11 11:39:06 NetpLsaOpenSecret: status: 0xc0000034
09/11 11:39:06 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:06 NetpLsaOpenSecret: status: 0xc0000034
09/11 11:39:07 NetpManageMachineAccountWithSid: NetUserAdd on '\\servert.teste.smb4.rede' for 'TESTEXPPC$' failed: 0x8b0
09/11 11:39:07 NetpManageMachineAccountWithSid: status of attempting to set password on '\\servert.teste.smb4.rede' for 'TESTEXPPC$': 0x0
09/11 11:39:07 NetpJoinDomain: status of creating account: 0x0
09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors
09/11 11:39:07 NetpGetLsaPrimaryDomain: status: 0x0
09/11 11:39:07 NetpManageMachineAccountWithSid: status of disabling account 'TESTEXPPC$' on '\\servert.teste.smb4.rede': 0x0
09/11 11:39:07 NetpJoinDomain: rollback: status of deleting computer account: 0x0
09/11 11:39:07 NetpLsaOpenSecret: status: 0x0
09/11 11:39:07 NetpJoinDomain: rollback: status of deleting secret: 0x0
09/11 11:39:07 NetpJoinDomain: status of disconnecting from '\\servert.teste.smb4.rede': 0x0
09/11 11:39:07 NetpDoDomainJoin: status: 0x54f


Samba server logs during join attempt:
[2023/09/11 12:11:25.304407,  5, class=auth_audit] ../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Mon, 11 Sep 2023 12:11:25.304394 -03] Remote host [ipv4:10.2.2.122:55378] local host [ipv4:10.1.1.7:135]
[2023/09/11 12:11:25.325044,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2023/09/11 12:11:25.325078,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for TGS-REQ
[2023/09/11 12:11:25.325703,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] tixaddrs=TYPE_20:54455354455850504320202020202020
[2023/09/11 12:11:25.325728,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2023/09/11 12:11:25.325742,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ Administrator at TESTE.SMB4.REDE from ipv4:10.2.2.122:58742 for krbtgt/TESTE.SMB4.REDE at TESTE.SMB4.REDE [renewable-ok, canonicalize, renewable, forwarded, forwardable]
[2023/09/11 12:11:25.329450,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair auth=1694445085
[2023/09/11 12:11:25.329470,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair start=1694445085
[2023/09/11 12:11:25.329476,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair end=1694481085
[2023/09/11 12:11:25.329481,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair renew=1695049885
[2023/09/11 12:11:25.329492,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2023-09-11T12:11:25 starttime: 2023-09-11T12:11:25 endtime: 2023-09-11T22:11:25 renew till: 2023-09-18T12:11:25
[2023/09/11 12:11:25.329501,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] canon_client_name=Administrator at TESTE.SMB4.REDE
[2023/09/11 12:11:25.329506,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair pac_attributes=1
[2023/09/11 12:11:25.329631,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etypes=18,-133,-128,3,1,24,-135
[2023/09/11 12:11:25.329642,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, -133, -128, 3, 1, 24, -135, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
[2023/09/11 12:11:25.329652,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] etype=23/18
[2023/09/11 12:11:25.329659,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwarded, forwardable
[2023/09/11 12:11:25.329665,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] flags=renewable-ok,canonicalize,renewable,forwarded,forwardable
[2023/09/11 12:11:25.329798,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.004772
[2023/09/11 12:11:25.329818,  3, class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SUCCESS ipv4:10.2.2.122:58742 Administrator at TESTE.SMB4.REDE krbtgt/TESTE.SMB4.REDE at TESTE.SMB4.REDE etype=23/18 pac_attributes=1 canon_client_name=Administrator at TESTE.SMB4.REDE end=1694481085 auth=1694445085 etypes=18,-133,-128,3,1,24,-135 renew=1695049885 elapsed=0.004772 flags=renewable-ok,canonicalize,renewable,forwarded,forwardable start=1694445085 tixaddrs=TYPE_20:54455354455850504320202020202020
[2023/09/11 12:11:25.334025,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.337696,  3, class=ldb] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2023/09/11 12:11:25.343249,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'
[2023/09/11 12:11:25.343438,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.348151,  3, class=ldb] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb
[2023/09/11 12:11:25.367180,  4, class=auth_audit] ../../auth/auth_log.c:752(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,ncacn_np] user [TESTE]\[Administrator] [S-1-5-21-9500468976-950304483-95027178-500] at [Mon, 11 Sep 2023 12:11:25.367169 -03] Remote host [ipv4:10.2.2.122:60708] local host [ipv4:10.1.1.7:445]
  {"timestamp": "2023-09-11T12:11:25.433246-0300", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": "ipv4:10.2.2.122:60708", "performedAsSystem": false, "userSid": "S-1-5-21-9500468976-950304483-95027178-500", "dn": "CN=TESTEXPPC,CN=Computers,DC=teste,DC=smb4,DC=rede", "transactionId": "bb37fa00-00b2-46cc-b5f8-0c2f5c47659b", "sessionId": "4bf09255-fd12-4d2c-81df-10f7372a1b8f", "attributes": {"userAccountControl": {"actions": [{"action": "replace", "values": [{"value": "4098"}]}]}}}}
[2023/09/11 12:11:25.433326,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1717(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_registrations=0
[2023/09/11 12:11:25.433334,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1719(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_registered=0
[2023/09/11 12:11:25.433338,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1829(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_toplevel=0
[2023/09/11 12:11:25.433342,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1850(descriptor_prepare_commit)
  descriptor_prepare_commit: changes: num_processed=0
[2023/09/11 12:11:25.433346,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1851(descriptor_prepare_commit)
  descriptor_prepare_commit: objects: num_processed=0
[2023/09/11 12:11:25.433349,  3] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1852(descriptor_prepare_commit)
  descriptor_prepare_commit: objects: num_skipped=0
[2023/09/11 12:11:25.449399,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2023/09/11 12:11:25.473967,  3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

Only for additional info: I also configured a domain controller in NT4 mode using Samba version 4.17.10 and apparently everything still works (join and user authentication) as expected for Windows XP and the other versions that I tested.
I searched for a few days before making this post to try to find something on the list that could help me, but unfortunately I didn't find anything. I also checked that this problem was not related to bug 9959 (https://bugzilla.samba.org/show_bug.cgi?id=9959), because I saw that the Samba 4.17 code was recently updated to 4.17.11 because of this bug, but there is only a single object with "CN=System" in the directory service; I believe there is no relationship between the reported problems.
I also know that Windows XP is an obsolete system and should no longer be in use, but unfortunately it is still used in some specific situations by some of the organizations that I provide services to.
I am not a native English speaker, I apologize if I made any mistakes regarding the language when constructing this text.
My greetings to everyone.
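An added example, not code from the post or from the Samba project: a small Python audit that parses an smb.conf shaped like the one above and reports every legacy-authentication parameter the file weakens, keeping the per-account ":TESTEXPPC$" override scope visible so a reviewer can see which relaxations are global and which are limited to one machine account. The "secure" values it compares against are assumed from the Samba smb.conf defaults, not stated in the post; the embedded config is a constructed excerpt of the posted file.

```python
import re

# Constructed excerpt of the smb.conf shown in the post (not the full file).
SMB_CONF = """\
[global]
    server role = active directory domain controller
    lanman auth = yes
    #ntlm auth = yes
    ntlm auth = ntlmv1-permitted
    client min protocol = NT1
    server min protocol = NT1
    server reject md5 schannel:TESTEXPPC$ = no
    allow nt4 crypto:TESTEXPPC$ = yes
"""

# Assumed secure defaults from the smb.conf man page; any other value is reported.
LEGACY_CHECKS = {
    "lanman auth": "no",
    "ntlm auth": "ntlmv2-only",
    "server min protocol": "SMB2_02",
    "client min protocol": "SMB2_02",
    "server reject md5 schannel": "yes",
    "allow nt4 crypto": "no",
}

def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys keep any ':override' suffix
    (e.g. 'allow nt4 crypto:TESTEXPPC$') so per-account exceptions stay visible."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or commented-out line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                     # section header
            section = m.group(1).lower()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if section is not None and sep:
            conf[section][key.strip()] = value.strip()
    return conf

def legacy_auth_findings(conf):
    """List (parameter, scope, configured value, secure value) for each
    weakened legacy-auth setting in [global]; scope is the override account
    or 'all clients' when the parameter applies globally."""
    findings = []
    for key, value in conf.get("global", {}).items():
        base, _, scope = key.partition(":")
        base = base.lower()
        if base in LEGACY_CHECKS and value.lower() != LEGACY_CHECKS[base].lower():
            findings.append((base, scope or "all clients", value, LEGACY_CHECKS[base]))
    return findings
```

Running `legacy_auth_findings(parse_smb_conf(SMB_CONF))` on the excerpt reports six weakened settings, two of them scoped to the TESTEXPPC$ account only.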

