[Samba] NT4 clients
ryandbair at gmail.com
Mon Jul 29 17:29:57 MDT 2013
Yes, AD has explicit support for pre-2000 clients.
WINS is alive and well and name resolution is working.
I really think the bogus TGS reply is messing things up, but I'd like to
have someone more knowledgeable confirm the behavior is incorrect.
On Mon, Jul 29, 2013 at 5:23 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com>wrote:
> I wouldn't have even guessed that NT4 would join a modern AD domain. It
> looks like MS did provide client software to join a Windows 2000 AD domain.
> Or does the NT4 machine think it is in an NT4 / Samba3 type domain?
> Presumably you can see the domain users in the local user manager program
> on the NT4 machine? And verify the security options.
> Do you have a a WINS server running? With XP/Windows 7 when you
> join an AD domain, the machine name usually gets set to a fully qualified
> domain name. e.g. mypc.mydomain.com. Does the host name of the NT4
> machine match the expected AD fully qualified domain name (does nslookup
> ip_address on the NT4 machine return the expected hostname? ) Are all
> machines in DNS? I think a hostname or dns mismatch could cause problems
> validating AD kerberos tickets.
> I am running Samba 3, not 4, but found that using a WINS server and making
> sure key systems were in DNS helped solve some issues.
> On 07/29/13 17:05, Ryan Bair wrote:
>> Oh, forgot to mention. Samba 4.0.7-4 Sernet packages running on CentOS
>> On Mon, Jul 29, 2013 at 5:00 PM, Ryan Bair <ryandbair at gmail.com> wrote:
>> I'm attempting to get an old NT4 client participating in a Samba4 domain.
>>> Users can logon to the machine locally and access network shares on other
>>> machines in the network. However, no one can access shares on the NT4
>>> machine using the machine name. Attempting this results in an error "The
>>> account is not authorized to log in from this station." Using the IP
>>> address does work however.
>>> The clients are configured to allow no smb signing and NTLMv1, I think I
>>> have all the security settings covered.
>>> I noticed while looking at wireshark though that the client is doing
>>> TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This
>>> very odd to me since there is no such SPN cifs/nt4test on the network.
>>> 'setspn -Q cifs/nt4test' confirms this.
>>> I've also noticed that the MS docs state:
>>> <94> Section 22.214.171.124:
>>> the server completes negotiation and returns the CAP_EXTENDED_SECURITY
>>> as not set, Windows-based SMB clients query the Key Distribution Center
>>> verify whether a service ticket is registered for the given security
>>> principal name (SPN)<http://msdn.microsoft.**com/en-us/library/54af12e1-
>>> If the query indicates that the SPN<http://msdn.microsoft.com/**
>>> registered with the
>>> then the SMB client terminates the connection and returns an
>>> implementation-specific security downgrade error to the caller.
>>> The client does have CAP_EXTENDED_SECURITY set and I'm guessing the
>>> TGS-REQ is how Windows is testing the presence of the SPN. Since the test
>>> is succeeding and the server doesn't advertise the extended security
>>> capability, Windows disconnects.
>>> Can someone confirm my hypothesis?
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
More information about the samba