[Samba] SMBx differences re Win10 in Samba4 NT4 DC

Mon Aug 31 23:30:29 UTC 2015

I wasn't trying to blame or suggest SAMBA should or shouldn't be able to do
it, I was just trying to understand more about the gap in SMB versions
between Windows 10 and Samba 4.

That said, your response got me to thinking, Rowland, and I came up with an
alternate if not ideal way of getting a Windows 10 Pro box to authenticate
to an NT4 SAMBA domain *without* changing the SERVER MAX PROTOCOL  = NT1.
In fact, I think this method would work for a "real" Windows NT4-style
domain as well.

Now, I will preface this by saying it is a stop-gap solution until I can
properly plan a full AD migration, and I wouldn't recommend this for a
regular configuration, but I've verified that it will work against a Samba4
NT domain:

Since I couldn't change the *server* SMB configuration without breaking
other devices that don't implement NT1, I did the reverse; I disabled SMB2
on the Windows 10 *client*. As described in
https://support.microsoft.com/en-us/kb/2696547, it's a matter of two
commands in an elevated command prompt:

sc config lanmanworkstation depend=bowser/mrxsmb10/nsi
sc config mrxsmb20 start=disabled

I then rebooted the Windows 10 box, logged in, and voila, the NETLOGON
share issue was gone, my domain logon script had run, my [HOMES] share had
processed, and I confirmed that I had authenticated to the Samba 4 DC.

Given that this was a client change, I strongly suspect this would work
against a "real" Windows NT4-style domain controller, but I don't have one
of those to validate the theory.

On Mon, Aug 31, 2015 at 12:57 PM, Rowland Penny-6 [via Samba] <
ml-node+s2283325n4690578h62 at n4.nabble.com> wrote:

> On 31/08/15 18:12, soonerdave wrote:
>
> > Given an existing NT4 Samba 4 DC, a recently upgraded Win10 machine can
> no
> > longer access NETLOGON to authenticate to the network. This lead to the
> > research revealing that my Samba4 PDC SMB.CONF must be changed to limit
> MAX
> > PROTOCOL = NT1 to avoid negotiating a version of SMB2 from Win10 that
> Samba4
> > can't resolve.
> >
> > Doing this broke authentication via other resources that no longer
> support
> > NT1, so am I correct in inferring that the only option at this point to
> get
> > Win10 domain logins with a later version of SMB (greater than NT1) is by
> > upgrading the domain to a full Samba AD DC?
> >
> > Lastly, could someone help me understand the subtlety between the
> dialect of
> > SMB2/SMB3 Samba supports versus the variety Win10 is trying to
> negotiate,
> > and why there is the disconnect? Put a different way, I don't understand
> > exactly why Win10/Samba can't negotiate down to an SMB level both can
> use
> > (well, one greater than NT1, I guess)
> >
> >
>
> I think you are asking the wrong people, Samba came up with a way to use
> a windows 10 machine with an NT4-style domain, if I understand it right,
> you cannot do this with a windows NT4 domain.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
> ------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
>
> http://samba.2283325.n4.nabble.com/SMBx-differences-re-Win10-in-Samba4-NT4-DC-tp4690575p4690578.html
> To unsubscribe from SMBx differences re Win10 in Samba4 NT4 DC, click here
> <http://samba.2283325.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4690575&code=c29vbmVyZGV3QGdtYWlsLmNvbXw0NjkwNTc1fC0yNTc0MjAxOQ==>
> .
> NAML
> <http://samba.2283325.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>

--
View this message in context: http://samba.2283325.n4.nabble.com/SMBx-differences-re-Win10-in-Samba4-NT4-DC-tp4690575p4690594.html
Sent from the Samba - General mailing list archive at Nabble.com.