[Samba] Domain Upgrade

Ryan Bair ryandbair at gmail.com
Thu Mar 27 06:03:43 MDT 2014


Hi Ray,

I've run into this issue as well. It seems to be caused by the Samba DC
telling clients that everyone on the domain supports extended security,
even when they do not (as is the case with NT4). This is done by the client
requesting a TGT from the DC for the server that it is connecting to. Samba
should not fulfill the request if the server does not support extended
security, but it does so anyway.

I filed a bug for this a while ago, but it hasn't seen any action. Due to
NT4 machines being so uncommon these days, I can't blame anyone for not
jumping on the bug. I haven't gone too far on it either as the machine in
question is supposed to be replaced "soon".

You can work around this bug in a few ways:
1. Connect via IP address.
2. Connect via a name that Samba doesn't know about. Adding an A record
that points directly to the NT4 machine's static IP should do it.
3. Remove the NT4 machine from the domain AND delete the account from AD.

Hope that helps,
-Ryan


On Thu, Mar 27, 2014 at 3:35 AM, Raimund Waimann <edv at schaeferpal.de> wrote:

> Hi everyone,
>
> I got an old NT4 Domain Controller, which has to be upgraded to an AD DC.
> So I first migrated the WindowsNT PDC to a samba3 domain and did a
> classicupgrade with samba-tool.
>
> So far it seemed to work fine. I now have 2 Samba4 AD DCs running and the
> old Windows NT4 PDC and BDC.
> Users in my network can authenticate against the new DCs.
>
> But if a user who authenticated against the AD is trying to connect to a
> Windows NT4 (there are 2 more old servers running) share, I keep getting an
> error that it isn't possible to authenticate from this computer (exact
> message in German: "Mit diesem Konto kann man sich nicht von diesem
> Computer aus anmelden").
>
> Connections to all other shares on Linux or Windows 2003/2008 servers are
> possible, without any issues.
>
> Can anybody help me with this problem?
>
> Thx 4 your help
> Ray
>
> my smb.conf global section:
>
> ~# cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         workgroup = MYCOMPANY
>         realm = mycompany.de
>         netbios name = DC1
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/log.%m
>         printing bsd
>         printcap name = /dev/null
>         allow nt4 crypto = yes
>
> Samba log shows:
>
> [2014/03/27 03:29:34.991086,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>   Calling samba_kcc script
> [2014/03/27 03:34:35.105251,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>   Calling samba_kcc script
> [2014/03/27 03:38:35.033117,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>   NTLMSSP NTLM2 packet check failed due to invalid signature!
> [2014/03/27 03:39:35.424572,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>   Calling samba_kcc script
> [2014/03/27 03:44:35.538867,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>   Calling samba_kcc script
> [2014/03/27 03:49:35.860879,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>   Calling samba_kcc script
> [2014/03/27 03:52:21.201893,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>   NTLMSSP NTLM2 packet check failed due to invalid signature!
> [2014/03/27 03:54:35.974844,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>   Calling samba_kcc script
> [2014/03/27 03:59:36.311689,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>   Calling samba_kcc script
>
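
A triage sketch for the log excerpt quoted above, added here as an example and not part of either poster's message: it parses Samba's two-line log records (header, then indented message), rejoins a source location split by mail line wrapping, and pulls the NTLMSSP signature failures out from among the periodic KCC entries. The sample log is constructed from the excerpt, and the header layout is assumed to be exactly the one shown there.

```python
import re

# Constructed sample modelled on the log excerpt quoted above; the third
# record keeps a mail client's line wrap inside the source location.
SAMPLE_LOG = """\
[2014/03/27 03:34:35.105251,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
  Calling samba_kcc script
[2014/03/27 03:38:35.033117,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2014/03/27 03:52:21.201893,  0] ../auth/ntlmssp/ntlmssp_sign.
c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2014/03/27 03:54:35.974844,  0] ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
  Calling samba_kcc script
"""

# Header as it appears in the excerpt: [timestamp, level] source:line(function)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(\S*)$")
SIG_FAIL = "packet check failed due to invalid signature"


def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "src": m.group(3), "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            if not line[0].isspace() and not rec["src"].endswith(")"):
                rec["src"] += line.strip()  # rejoin a wrapped source location
            else:
                rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records


def signature_failures(text):
    """Return (timestamp, function) for every NTLMSSP signature failure."""
    hits = []
    for rec in parse_records(text):
        if "NTLMSSP" in rec["msg"] and SIG_FAIL in rec["msg"]:
            func = rec["src"].rsplit("(", 1)[-1].rstrip(")")
            hits.append((rec["ts"], func))
    return hits


if __name__ == "__main__":
    for ts, func in signature_failures(SAMPLE_LOG):
        print(ts, func)
```

Comparing the returned timestamps with the times users report the failed NT4 share connections shows whether the two events line up.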

