[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10

Kees van Vloten keesvanvloten at gmail.com
Wed Sep 13 10:10:22 UTC 2023


On 13-09-2023 at 11:46, Peter Milesson via samba wrote:
>
>
> On 13.09.2023 10:45, Michael Tokarev via samba wrote:
>> 12.09.2023 22:36, Andrew Bartlett via samba:
>>> Thanks.  Can you please write up a wiki page with these details?
>>
>> Andrew, are you sure we want this info easily findable on the wiki? :)
>> I mean, it is terrible, it really is.. I wonder if Microsoft allows
>> to join WinXP machines to the current AD domain.  The thing is that
>> whole thing should not be used in 2023+, period.  Yes, I understand
>> there might be various interesting use cases, but that often can be
>> done on a stand-alone WinXP machine, not joined to a domain, - so the
>> whole domain isn't crippled.
>>
>> It's interesting that Win2003 does not require all the same low-security
>> settings.
>>
>> BTW, Paolo, I'm curious, - which licensing concerns/issues do you have?
>> Microsoft does not sell these versions of windows anymore.  But granted,
>> I've no idea what actual terms apply to already sold products now, way
>> past end-of-life.
>>
>> Myself, I can't say I'm a "software pirate", but I do use many versions
>> of windows on my own home machine - to test how windows behaves in various
>> versions of QEMU and sometimes test them with samba too, - to ensure we
>> ship good samba or qemu able to run windows. I don't have licenses for
>> them, and I've no idea if such usage is legal or not (more likely not)..
>>
>>> This does disable all AES use, it is unfortunate that you had to set
>>> the supported enctypes = 4, there may be a better way to do this.
>> [...]
>>
>>
> Hi folks,
>
> I want to chime in here, as I was facing a similar problem recently.
>
> I had to set up a local file server for a machine group, where most of 
> the machines are using Windows NT4 as OS. The machines are incredibly 
> expensive, and replacing the control system on each one of them is not 
> an option. The machines sometimes need to connect on demand to 
> technical support over internet, and they need to get production data 
> from a local server (alternative is diskettes ;-) ). To the headache 
> is added the absence of any type of anti virus protection in the 
> control systems. Using some ancient Windows OS as a server was not an 
> option, as I haven't got the appropriate license for any suitable OS 
> (it's very expensive if you get caught, and you may face jail time), 
> and it still wouldn't be working on modern hardware, as there are no 
> drivers available.
>
> As the NT1 protocol is involved here, it was absolutely paramount to 
> isolate this group from any other part of the network. I set up an 
> isolated VLAN for the group with an internal firewall with no chance 
> to connect to anything inside the isolated VLAN. In that VLAN I set up 
> a Samba standalone server (Debian 4.18.5) on a tiny barebone PC. Works 
> like a charm.
>
> But if NT1 is removed from Samba, how to solve the problem? Run an 
> older Linux VM with a Samba version with NT1 under KVM. A modern 
> barebone PC with an Intel CPU and VT-d is sufficient, future proof, 
> and cheap.

Running an older version of Samba would be sufficient. But perhaps in 10 
years time, you may not be able to compile that older Samba on your 
modern Linux and then KVM with an older Linux would still work.

The older it becomes the harder it will get to keep stuff running and 
the more security issues there will be. There is not much you can do 
about that...

>
> So by all means, the time is overripe for flushing out NT1 from Samba 
> for good.
>
> I wish you all a nice day.
>
> Peter
>
>
>


