[Samba] Domain Upgrade

Ryan Bair ryandbair at gmail.com
Fri Mar 28 15:40:16 MDT 2014


I'm glad to hear that worked for you.

I haven't done any scripting like that, but I would imagine one could
accomplish it either by a script connecting to LDAP, using the Samba Python
bindings, or on a Windows host with PowerShell.

On Thu, Mar 27, 2014 at 8:57 AM, Raimund Waimann <edv at schaeferpal.de> wrote:

>  Hi Ryan,
>
> that's it.
> It works fine by adding an additional DNS record with different name.
> Thank you!
>
> As one of the servers which are affected is the one providing the
> user profiles (logon path) for every samba account, I do now have the
> problem to change this path in every user account (about 200) in the domain.
> Is there a way to change this value by a regexp or something?
> I'd like to avoid changing it manually on all 200 accounts.
>
> - Ray
>
> On 27.03.2014 13:03, Ryan Bair wrote:
>
>     Hi Ray,
>
>  I've run into this issue as well. It seems to be caused by the Samba DC
> telling clients that everyone on the domain supports extended security,
> even when they do not (as is the case with NT4). This is done by the client
> requesting a TGT from the DC for the server that it is connecting to. Samba
> should not fulfill the request if the server does not support extended
> security, but it does so anyway.
>
>  I filed a bug for this a while ago, but it hasn't seen any action. Due to
> NT4 machines being so uncommon these days, I can't blame anyone for not
> jumping on the bug. I haven't gone too far on it either as the machine in
> question is supposed to be replaced "soon".
>
>  You can work around this bug in a few ways:
>  1. Connect via IP address.
>  2. Connect via a name that Samba doesn't know about. Adding an A record
> that points directly to the NT4 machine's static IP should do it.
>  3. Remove the NT4 machine from the domain AND delete the account from AD.
>
>  Hope that helps,
>  -Ryan
>
>
> On Thu, Mar 27, 2014 at 3:35 AM, Raimund Waimann <edv at schaeferpal.de> wrote:
>
>> Hi everyone,
>>
>> I got an old NT4 Domain Controller, which has to be upgraded to an AD DC.
>> So I first migrated the WindowsNT PDC to a samba3 domain and did a
>> classicupgrade with samba-tool.
>>
>> So far it seemed to work fine. I now have 2 samba4 AD DC running and the
>> old Windows NT4 pdc and bdc.
>> Users in my network can authenticate against the new DCs.
>>
>> But if a user who authenticated against the AD is trying to connect to
>> a Windows NT4 (there are 2 more old servers running) share I keep getting
>> an error that it isn't possible to authenticate from this computer (exact
>> message in German: "Mit diesem Konto kann man sich nicht von diesem
>> Computer aus anmelden").
>>
>> Connections to all other shares on linux or windows 2003/2008 servers are
>> possible, without any issues.
>>
>> Can anybody help me with this problem?
>>
>> Thx 4 your help
>> Ray
>>
>> my smb.conf global section:
>>
>> ~# cat /usr/local/samba/etc/smb.conf
>> # Global parameters
>> [global]
>>         workgroup = MYCOMPANY
>>         realm = mycompany.de
>>         netbios name = DC1
>>         server role = active directory domain controller
>>         idmap_ldb:use rfc2307 = yes
>>         log file = /var/log/samba/log.%m
>>         printing bsd
>>         printcap name = /dev/null
>>         allow nt4 crypto = yes
>>
>> Samba log shows:
>>
>> [2014/03/27 03:29:34.991086,  0]
>> ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>>   Calling samba_kcc script
>> [2014/03/27 03:34:35.105251,  0]
>> ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>>   Calling samba_kcc script
>> [2014/03/27 03:38:35.033117,  0]
>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>> [2014/03/27 03:39:35.424572,  0]
>> ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>>   Calling samba_kcc script
>> [2014/03/27 03:44:35.538867,  0]
>> ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>>   Calling samba_kcc script
>> [2014/03/27 03:49:35.860879,  0]
>> ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>>   Calling samba_kcc script
>> [2014/03/27 03:52:21.201893,  0]
>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>   NTLMSSP NTLM2 packet check failed due to invalid signature!
>> [2014/03/27 03:54:35.974844,  0]
>> ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>>   Calling samba_kcc script
>> [2014/03/27 03:59:36.311689,  0]
>> ../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
>>   Calling samba_kcc script
>>
>>
>
>
>
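One way to script the bulk profile path change asked about in this thread, as an added example that is not from either poster or from the Samba project: it reads LDIF search output containing each account's `profilePath`, rewrites only the server part of the UNC path, and returns LDIF modify records that can be reviewed before being applied with an LDIF tool such as `ldbmodify`. The host names `OLDSRV` and `nt4files` and the account names are constructed placeholders.

```python
import base64
import re

# Constructed sample of LDIF search output; host and account names are made up.
SAMPLE = r"""dn: CN=alice,CN=Users,DC=mycompany,DC=de
profilePath: \\OLDSRV\profiles\alice

dn: CN=bob,CN=Users,DC=mycompany,DC=de
profilePath: \\OLDSRV2\profiles\bob
"""

def parse_ldif(text):
    """Yield (dn, profilePath) pairs from LDIF search output."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs[name.lower()] = value.strip()
        if "dn" in attrs and "profilepath" in attrs:
            yield attrs["dn"], attrs["profilepath"]

def rewrite_host(path, old_host, new_host):
    """Swap the server part of a UNC path; any other path is returned as is."""
    pattern = r"^\\\\" + re.escape(old_host) + r"(?=\\|$)"
    return re.sub(pattern, lambda m: "\\\\" + new_host, path, flags=re.IGNORECASE)

def ldif_value(attr, value):
    """Format one LDIF line, base64-encoding values that are not safe ASCII."""
    if value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<"):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_modify_ldif(search_output, old_host, new_host):
    """Return LDIF modify records for the accounts whose path changes."""
    records = []
    for dn, path in parse_ldif(search_output):
        new_path = rewrite_host(path, old_host, new_host)
        if new_path != path:
            records.append("\n".join([ldif_value("dn", dn), "changetype: modify",
                "replace: profilePath", ldif_value("profilePath", new_path)]))
    return "\n\n".join(records) + ("\n" if records else "")

if __name__ == "__main__":
    print(build_modify_ldif(SAMPLE, "oldsrv", "nt4files"), end="")
```

The match is anchored to the whole host component, so a similarly named server such as `OLDSRV2` is left alone, and accounts whose path does not change produce no record.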

