[Samba] Wiki: NT4 PDC Quickstart / Samba->Win SysVol repl. workaround

Dale Schroeder dale at BriannasSaladDressing.com
Tue Apr 19 18:43:05 UTC 2016


On 04/16/2016 2:11 PM, Marc Muehlfeld wrote:
> Hello,
>
> I published two new guides:
>
> * https://wiki.samba.org/index.php/Samba_NT4_PDC_quickstart
>    A documentation, how to set up Samba as an NT4 PDC. I called
>    it "Quickstart", because it covers only the basic stuff.
>
> * https://wiki.samba.org/index.php/Robocopy_based_SysVol_replication_workaround
>    For those of you having Samba DCs and Windows DCs in
>    their domain. This is a workaround for the missing
>    SysVol replication feature in a mixed environment.
>
>
> Regards,
> Marc

Marc,

Are any of the parameters mentioned under "Winbindd/Netlogon 
improvements" in the release notes for 4.2.0 (shown below) needed? It 
seems that some are, but maybe I'm reading too much into it.

Regardless, my Samba NT4 domain has not functioned since Debian moved 
from 4.1.17 to 4.3.3, and I have tried using the parameters shown in the 
release notes.

Has anyone gotten their NT4 domain to work with any version of Samba 
4.3.x?  If so, what did you do to make it work?

Thanks,
Dale

Winbindd/Netlogon improvements
==============================

The whole concept of maintaining the netlogon secure channel
to (other) domain controllers was rewritten in order to maintain
global state in a netlogon_creds_cli.tdb. This is the proper fix
for a large number of bugs:

   https://bugzilla.samba.org/show_bug.cgi?id=6563
   https://bugzilla.samba.org/show_bug.cgi?id=7944
   https://bugzilla.samba.org/show_bug.cgi?id=7945
   https://bugzilla.samba.org/show_bug.cgi?id=7568
   https://bugzilla.samba.org/show_bug.cgi?id=8599

In addition a strong session key is now required by default,
which means that communication to older servers or clients
might be rejected by default.

For the client side we have the following new options:
"require strong key" (yes by default), "reject md5 servers" (no by default).
E.g. for Samba 3.0.37 you need "require strong key = no" and
for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",

On the server side (as domain controller) we have the following new options:
"allow nt4 crypto" (no by default), "reject md5 client" (no by default).
E.g. in order to allow Samba < 3.0.27 or NT4 members to work
you need "allow nt4 crypto = yes"
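
Added example, not part of the original post or of Samba: a small Python audit that reports which of the compatibility settings named in the quoted release notes are active in the [global] section of an smb.conf. The function names and the sample file are constructed for illustration, and name matching assumes Samba compares parameter names case-insensitively and ignores whitespace.

```python
import re

# Settings the quoted 4.2.0 release notes list for NT4-era peers, with the
# value that relaxes the default and what that relaxation means.
WEAKENING = {
    "requirestrongkey": (False, "client accepts a weak netlogon session key"),
    "clientntlmv2auth": (False, "client does not use NTLMv2 authentication"),
    "allownt4crypto": (True, "DC accepts NT4-era netlogon crypto"),
}
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def norm(name):
    # Assumption: names compare case-insensitively, whitespace ignored.
    return re.sub(r"\s+", "", name).lower()

def audit_global(conf_text):
    """Return (name, value, reason) for each weakening setting in [global]."""
    findings, section = [], None
    for raw in conf_text.replace("\\\n", "").splitlines():  # join continuations
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        weak = WEAKENING.get(norm(name))
        val = value.lower()
        if weak and val in TRUE | FALSE and (val in TRUE) == weak[0]:
            findings.append((name, value, weak[1]))
    return findings

# Constructed sample smb.conf, for illustration only.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Require Strong Key = No
   client ntlmv2 auth = yes
   allow nt4 crypto = yes
   ; reject md5 servers = no
[share]
   allow nt4 crypto = yes
"""

if __name__ == "__main__":
    for name, value, why in audit_global(SAMPLE):
        print(f"{name} = {value}: {why}")
```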




