[Samba] Domain Upgrade

Raimund Waimann edv at schaeferpal.de
Thu Mar 27 06:57:05 MDT 2014


Hi Ryan,

that's it.
It works fine by adding an additional DNS record with different name.
Thank you!

As one of the affected servers is the one providing the 
user profiles (logon path) for every samba account, I now have the 
problem of changing this path in every user account (about 200) in the domain.
Is there a way to change this value by a regexp or something?
I'd like to avoid changing it manually on all 200 accounts.

- Ray


On 27.03.2014 13:03, Ryan Bair wrote:
> Hi Ray,
>
> I've run into this issue as well. It seems to be caused by the Samba 
> DC telling clients that everyone on the domain supports extended 
> security, even when they do not (as is the case with NT4). This is 
> done by the client requesting a TGT from the DC for the server that it 
> is connecting to. Samba should not fulfill the request if the server 
> does not support extended security, but it does so anyway.
>
> I filed a bug for this a while ago, but it hasn't seen any action. Due 
> to NT4 machines being so uncommon these days, I can't blame anyone for 
> not jumping on the bug. I haven't gone too far on it either as the 
> machine in question is supposed to be replaced "soon".
>
> You can work around this bug in a few ways:
> 1. Connect via IP address.
> 2. Connect via a name that Samba doesn't know about. Adding an A 
> record that points directly to the NT4 machine's static IP should do it.
> 3. Remove the NT4 machine from the domain AND delete the account from AD.
>
> Hope that helps,
> -Ryan
>
>
> On Thu, Mar 27, 2014 at 3:35 AM, Raimund Waimann <edv at schaeferpal.de> wrote:
>
>     Hi everyone,
>
>     I got an old NT4 Domain Controller, which has to be upgraded to an
>     AD DC.
>     So I first migrated the WindowsNT PDC to a samba3 domain and did a
>     classicupgrade with samba-tool.
>
>     So far it seemed to work fine. I now have 2 samba4 AD DC running
>     and the old Windows NT4 pdc and bdc.
>     Users in my network can authenticate against the new DCs.
>
>     But if a user who authenticated against the AD is trying to
>     connect to a Windows NT4 (there are 2 more old servers running)
>     share, I keep getting an error that it isn't possible to
>     authenticate from this computer (exact message in German: "Mit
>     diesem Konto kann man sich nicht von diesem Computer aus anmelden").
>
>     Connections to all other shares on linux or windows 2003/2008
>     servers are possible, without any issues.
>
>     Can anybody help me with this problem?
>
>     Thx 4 your help
>     Ray
>
>     my smb.conf global section:
>
>     ~# cat /usr/local/samba/etc/smb.conf
>     # Global parameters
>     [global]
>             workgroup = MYCOMPANY
>             realm = mycompany.de
>             netbios name = DC1
>             server role = active directory domain controller
>             idmap_ldb:use rfc2307 = yes
>             log file = /var/log/samba/log.%m
>             printing bsd
>             printcap name = /dev/null
>             allow nt4 crypto = yes
>
>     Samba log shows:
>
>     [2014/03/27 03:29:34.991086,  0]
>     ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>       Calling samba_kcc script
>     [2014/03/27 03:34:35.105251,  0]
>     ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>       Calling samba_kcc script
>     [2014/03/27 03:38:35.033117,  0]
>     ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>       NTLMSSP NTLM2 packet check failed due to invalid signature!
>     [2014/03/27 03:39:35.424572,  0]
>     ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>       Calling samba_kcc script
>     [2014/03/27 03:44:35.538867,  0]
>     ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>       Calling samba_kcc script
>     [2014/03/27 03:49:35.860879,  0]
>     ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>       Calling samba_kcc script
>     [2014/03/27 03:52:21.201893,  0]
>     ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>       NTLMSSP NTLM2 packet check failed due to invalid signature!
>     [2014/03/27 03:54:35.974844,  0]
>     ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>       Calling samba_kcc script
>     [2014/03/27 03:59:36.311689,  0]
>     ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>       Calling samba_kcc script
>
>
>
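Added example (not part of the thread): a small parser for the Samba log format shown in the quoted message, separating the NTLMSSP signature-check failures from the periodic KCC entries. The sample records are copied from that log, the one-line form of the last record is an assumption about the unwrapped file, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: records copied from the log in the message above; the
# last one is joined onto one line to exercise the unwrapped form as well.
SAMPLE = """\
[2014/03/27 03:34:35.105251,  0]
../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
  Calling samba_kcc script
[2014/03/27 03:38:35.033117,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2014/03/27 03:39:35.424572,  0]
../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
  Calling samba_kcc script
[2014/03/27 03:52:21.201893,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+?):(\d+)\((\w+)\)$")

def parse_records(text):
    """Split a Samba log into records: time, level, file, line, func, message."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()   # tolerate e-mail quote prefixes
        head = HEADER.match(line)
        if head:
            current = {"time": head.group(1), "level": int(head.group(2)),
                       "file": None, "line": None, "func": None, "message": ""}
            records.append(current)
            line = head.group(3)             # location, when not wrapped
        if not line or current is None:
            continue
        loc = LOCATION.match(line)
        if loc and current["func"] is None:
            current.update(file=loc.group(1), line=int(loc.group(2)), func=loc.group(3))
        else:
            current["message"] = (current["message"] + " " + line).strip()
    return records

def signature_failures(records):
    """Timestamps of NTLMSSP packets rejected for an invalid signature."""
    return [r["time"] for r in records
            if r["func"] == "ntlmssp_check_packet" and "invalid signature" in r["message"]]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(Counter(r["func"] for r in recs))
    for when in signature_failures(recs):
        print("NTLMSSP signature failure at", when)
```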


