[Samba] Problems in SAMBA 3.3 to 4.0 migration

soonerdave soonerdew at gmail.com
Thu Feb 19 23:06:31 MST 2015

***** SUCCESS *****

After nearly a week of wrangling with this annoying and frustrating issue,
I'm delighted to report that I finally have EVERYTHING working. I was on the
cusp of giving up, but some diligent reading, lots and lots of testing, and
some long evenings finally paid off.  I know this thread is kinda buried now
by virtue of its age, but I wanted to highlight the problems I had and offer
the solution in the event someone else comes along with similar issues:

1. Periodic message indicating machine credential failures on the PDC.

Thinking initially that a password change had taken place, and given that my
local profile is too huge to risk losing via a machine/domain rejoin, I took
the drastic step of actually dumping the hashes of my own laptop, and found
out they matched those stored in my PDC smbpasswd file. I then realized a
protocol issue had to be at hand. Turns out it was a really dumb one that's
been wrong a long time:

HKLM\System\CCS\Services\Netlogon\Parameters\RequireStrongKey was set to 0,
and should be 1.

After restarting NETLOGON, I was able to use the NLTEST tool to reset the
secure channel between the machine and the PDC, which causes the machine to
reauthenticate. Bingo. Problem solved.

2. Samba 3.6.24 PDC and Win7 clients cannot browse Samba 4.0 shares

This one was really giving me fits. It was a bugzilla log found at
https://bugzilla.samba.org/show_bug.cgi?id=10167 that finally turned on the
light: I had configured the Samba 4.1.0 box to turn on SMB encryption and
server signing, and given that Win7 and Samba 3.6.x can't go beyond SMB2,
any client browsing from those boxes back to the Samba 4.1 box was doomed.
Reset those two settings, and voila, everyone can now browse everyone else's

This also explained the 'service[IPC$] requires encryptionSMBtdis
ACCESS_DENIED' errors in my 4.1 logs - it was telling me precisely what was
wrong, and I didn't quite recognize it. 

3. NET RPC VAMPIRE failures - /probably/ resolved

I ended up manually copying my smbpasswd and /etc/group files, then manually
recreating the group maps because I couldn't get the vampire to work. Now
that connections both ways appear to be working, I strongly suspect that
this would, in fact, now work - but I don't want to risk upsetting the
applecart as it is by trying it now. I'm reasonably sure it would work now,

Bottom line - I've got a good BDC up and running in a VM now, and just some
minor tweaks are needed going forward. Thanks to all who at least read and
certainly to Rowland for the help. Hope I can return the favor sometime.
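
An added example, not part of the original post: a small Python check that reads an smb.conf and reports which shares, plus the implicit IPC$, would deny a client that cannot negotiate SMB encryption, the condition item 2 describes. The sample config, share names, paths and function names are constructed for illustration.

```python
# Constructed sample config; share names and paths are made up.
SAMPLE_SMB_CONF = """
[global]
    server signing = mandatory
    smb encrypt = mandatory

[profiles]
    path = /srv/samba/profiles

[public]
    path = /srv/samba/public
    smb encrypt = disabled
"""

ENFORCING = {"mandatory", "required"}  # values that refuse a non-complying client


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and extra whitespace in parameter names.
            current[" ".join(key.lower().split())] = value.strip().lower()
    return sections


def audit(text):
    """Report which shares would deny a client that cannot encrypt."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    blocked = [name for name, params in sections.items() if name != "global"
               and params.get("smb encrypt", glob.get("smb encrypt")) in ENFORCING]
    return {
        # IPC$ is implicit and follows [global]; browsing needs it.
        "ipc_blocked": glob.get("smb encrypt") in ENFORCING,
        "blocked_shares": sorted(blocked),
        "signing_mandatory": glob.get("server signing") in ENFORCING,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF))
```

A per-share `smb encrypt` value overrides the one in `[global]`, which is why `[public]` stays reachable in the sample while `[profiles]` and IPC$ do not.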


