[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10

Andrew Bartlett abartlet at samba.org
Tue Sep 12 19:36:40 UTC 2023


Thanks.  Can you please write up a wiki page with these details?
This does disable all AES use, it is unfortunate that you had to set
the supported enctypes = 4, there may be a better way to do this. 
Andrew Bartlett
On Tue, 2023-09-12 at 13:23 +0000, Paulo Cesar wrote:
> Hello Andrew! Thank you for your collaboration.
> Today I carried out new experiments in a test environment and found
> that when using the following options in the smb.conf file it was
> possible to add Windows XP SP3 to the domain:
> kdc default domain supported enctypes = 4
> kdc force enable rc4 weak session keys = yes
> kdc supported enctypes = 4
> ntlm auth = yes
> client lanman auth = yes
> client ntlmv2 auth = yes
> client min protocol = NT1
> server min protocol = NT1
> allow nt4 crypto:TESTEXPPC$ = yes
> server reject md5 schannel:TESTEXPPC$ = no
> 
> When I change the options related to "kdc" beyond type 4 (RC4) the
> "internal error" appears again.
> After the machine joins the domain I can comment on the parameters
> related to the KDC and it is still possible to authenticate on the
> machine.
> I am also aware, as documented at "
> https://www.ietf.org/rfc/bcp/bcp218.html" that the RC4 encryption
> type used in Windows XP is weak and should no longer be in use.
> As for your suggestion of using Windows 2003 instead of Windows XP,
> unfortunately this is not possible in our situation due to issues
> related to software licensing. In any case, thank you for your
> consideration in paying attention to my problem.
> I will continue analyzing the situation here and evaluating how we
> can handle the Windows XP case without greatly weakening the security
> of the environments for which I provide support. If anyone on the
> list can help with suggestions I would be happy to receive them.
> I hope that my information in these posts can also be useful, in some
> way, to anyone interested.
> 
> On Monday, September 11, 2023 at 16:55:51 BRT, Andrew Bartlett via
> samba <samba at lists.samba.org> wrote:
> 
>                 On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via
> samba wrote:
> > I also know about the fact that Windows XP is an obsolete system and
> > should no longer be in use but unfortunately it is still used in some
> > specific situations for some of the organizations that I provide
> > services.
> 
> If I was in this situation, and Windows XP failed but Windows 2003
> still worked, I would try to use Windows 2003 for whatever the need
> is.
> 
> Hopefully they are compatible enough for whatever special use case you
> have.
> 
> But in general, they are much the same codebase, but I wonder if
> possibly the server got a few more late patches.
> 
> In mentioning WinXP, I notice they are still issuing some security
> patches, like this one:
> 
> https://www.microsoft.com/en-us/download/details.aspx?id=55245
> 
> (Also for 2003)
> https://www.microsoft.com/en-us/download/details.aspx?id=55248
> 
> As to debugging, clearly the join fails at:
> 
> 09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on
> '\\servert.teste.smb4.rede': 0x54f
> 09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn
> failed: 0x54f
> 09/11 11:39:07 ldap_unbind status: 0x0
> 09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN:
> 0x54f
> 09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier
> errors
> 
> I would ensure the clocks are already in sync with NTP, then get a
> network trace taken from the server and turn up the Samba logs to
> 'log level = 10', with 'debug highres timestamp = yes' and look for the
> matching packet (a bind presumably) and anything samba indicates about
> the failure.
> 
> But this may be a case for a Samba commercial support provider, it
> looks pretty tricky.
> 
> Andrew,
> 
> -- 
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead                https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
> 
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
> 
> Samba Development and Support: https://catalyst.net.nz/services/samba
> 
> Catalyst IT - Expert Open Source Solutions
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
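An audit script, added here as an illustration and not part of the thread or of Samba itself, that parses the options Paulo listed and flags each one that re-enables legacy crypto, so that an administrator can see at a glance what a join-time workaround leaves switched on. It assumes the `kdc ... supported enctypes` bitmask uses the msDS-SupportedEncryptionTypes bit values (1 DES-CRC, 2 DES-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256); the smb.conf text embedded below is constructed from the quoted settings.

```python
"""Flag legacy-crypto settings in an smb.conf [global] section.
Added example, not Samba code. Enctype bits follow msDS-SupportedEncryptionTypes."""
import configparser

ENCTYPE_BITS = {1: "des-cbc-crc", 2: "des-cbc-md5", 4: "rc4-hmac",
                8: "aes128-cts-hmac-sha1-96", 16: "aes256-cts-hmac-sha1-96"}

# Global options that, at these values, turn legacy protocols back on.
WEAK_VALUES = {
    "kdc force enable rc4 weak session keys": "yes",
    "ntlm auth": "yes",
    "client lanman auth": "yes",
    "client min protocol": "nt1",
    "server min protocol": "nt1",
}
# Per-machine exceptions (option:MACHINE$ = ...) from the thread.
SCOPED_PREFIXES = ("allow nt4 crypto:", "server reject md5 schannel:")

# Constructed smb.conf fragment using the options quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    kdc default domain supported enctypes = 4
    kdc force enable rc4 weak session keys = yes
    kdc supported enctypes = 4
    ntlm auth = yes
    client lanman auth = yes
    client ntlmv2 auth = yes
    client min protocol = NT1
    server min protocol = NT1
    allow nt4 crypto:TESTEXPPC$ = yes
    server reject md5 schannel:TESTEXPPC$ = no
"""

def decode_enctypes(mask):
    """Return the enctype names whose bits are set in mask."""
    return [name for bit, name in ENCTYPE_BITS.items() if mask & bit]

def audit(text):
    """Return one finding string per legacy-crypto setting in [global]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for key, value in cp["global"].items():   # configparser lowercases keys
        value = value.strip().lower()
        if key.endswith("supported enctypes"):
            names = decode_enctypes(int(value))
            if not any(n.startswith("aes") for n in names):
                findings.append(f"{key} = {value}: {', '.join(names)} only, AES disabled")
        elif WEAK_VALUES.get(key) == value:
            findings.append(f"{key} = {value}: legacy protocol enabled globally")
        elif key.startswith(SCOPED_PREFIXES):
            findings.append(f"{key} = {value}: per-machine exception for {key.split(':', 1)[1]}")
    return findings
```

Running `audit(SAMPLE_SMB_CONF)` reports nine findings; only `client ntlmv2 auth = yes` passes, which matches Paulo's observation that the KDC-related lines can be withdrawn after the join while the rest remain in force.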