[Samba] Problems in SAMBA 3.3 to 4.0 migration

Andrew Bartlett abartlet at samba.org
Sat Feb 21 12:40:16 MST 2015


On Thu, 2015-02-19 at 22:06 -0800, soonerdave wrote:
> ***** SUCCESS *****
> 
> After nearly a week of wrangling with this annoying and frustrating issue,
> I'm delighted to report that I finally have EVERYTHING working. I was on the
> cusp of giving up, but some diligent reading, lots and lots of testing, and
> some long evenings finally paid off.  I know this thread is kinda buried now
> by virtue of its age, but I wanted to highlight the problems I had and offer
> the solution in the event someone else comes along with similar issues:
> 
> 1. Periodic message indicating machine credential failures on the PDC.
> 
> 
> Thinking initially that a password change had taken place, and given that my
> local profile is too huge to risk losing via a machine/domain rejoin, I took
> the drastic step of actually dumping the hashes of my own laptop, and found
> out they matched those stored in my PDC smbpasswd file. I then realize a
> protocol issue had to be at hand. Turns out it was a really dumb one that's
> been wrong a long time:
> 
> HKLM\System\CCS\Services\Netlogon\Parameters\RequireStrongKey was set to 0,
> and should be 1.
> 
> After restarting NETLOGON, I was able to use the NLTEST tool to reset the
> secure channel between the machine and the PDC, which causes the machine to
> reauthenticate. Bingo. Problem solved.

This is interesting.  We did upgrade the security requirements with
Samba 4.1 by default.  It is odd the RequireStrongKey actually forces
*down* what Windows will do.

> 2. Samba 3.6.24 PDC and Win7 clients cannot browse Samba 4.0 shares
> 
> 
> This one was really giving me fits. It was a bugzilla log found at
> https://bugzilla.samba.org/show_bug.cgi?id=10167 that finally turned on the
> light: I had configured the Samba 4.1.0 box to turn on SMB encryption and
> server signing, and given that Win7 and Samba 3.6.x can't go beyond SMB2,
> any client browsing from those boxes back to the Samba 4.1 box was doomed.
> Reset those two settings, and voila, everyone can now browse everyone else's
> shares!!!!
> 
> This also explained the 'service[IPC$] requires encryptionSMBtdis
> ACCESS_DENIED' errors in my 4.1 logs - it was telling me precisely what was
> wrong, and I didn't quite recognize it. 
> 
> 3. NET RPC VAMPIRE failures - /probably/ resolved
> 
> 
> I ended up manually copying my smbpasswd and /etc/group files, then manually
> recreating the group maps because I couldn't get the vampire to work. Now
> that connections both ways appear to be working, I strongly suspect that
> this would, in fact, now work - but I don't want to risk upsetting the
> applecart as it is by trying it now. I'm reasonably sure it would work now,
> however.
> 
> Bottom line - I've got a good BDC up and running in a VM now, and just some
> minor tweaks are needed going forward. Thanks to all who at least read and
> certainly to Rowland for the help. Hope I can return the favor sometime.

'net rpc vampire' will never work against a Samba DC.  We never
implemented a server-side for the SamSync (NETLOGON replication between
an NT4-style PDC and BDC) protocol.

This is different to AD replication which uses DRSUAPI, and that we do
implement client and server side.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
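The client-side fix for item 1 above (RequireStrongKey, NETLOGON restart, secure-channel reset with NLTEST), written out as an added example for a Windows 7 domain member. This is not code from the original post or from the Samba project; it assumes the NetBIOS domain name is "EXAMPLE" (substitute your own) and an elevated PowerShell session on the member machine.

```powershell
# Added example (not from the original post): check and correct the Netlogon
# RequireStrongKey value on a Windows domain member, restart Netlogon, then
# re-establish and verify the secure channel to the PDC.
# Assumption: the NetBIOS domain name is "EXAMPLE"; replace it with yours.

$Domain = 'EXAMPLE'
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Show the current value; a missing value is reported as 'not set'.
$current = (Get-ItemProperty -Path $Key -Name RequireStrongKey `
            -ErrorAction SilentlyContinue).RequireStrongKey
if ($null -eq $current) { $current = 'not set' }
Write-Host "RequireStrongKey is currently: $current"

# 2. Set it to 1 as a DWORD (the poster found it had been 0 for a long time).
Set-ItemProperty -Path $Key -Name RequireStrongKey -Value 1 -Type DWord

# 3. Restart Netlogon so the new setting is read (-Force restarts dependents).
Restart-Service -Name Netlogon -Force

# 4. Show the secure-channel state, reset it (which forces the machine account
#    to re-authenticate against the PDC), then verify the new channel.
nltest /sc_query:$Domain
nltest /sc_reset:$Domain
nltest /sc_verify:$Domain
```

Before changing anything, the first step alone is a useful check: if the value is already 1 on a machine that still logs machine credential failures, the cause is elsewhere and a secure-channel reset by itself (steps 4 only) is the less disruptive thing to try first; neither step touches the local profile, which is why it is preferable to a domain rejoin.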
