[Samba] Problems in SAMBA 3.3 to 4.0 migration

soonerdave soonerdew at gmail.com
Sun Feb 22 17:41:58 MST 2015

>> After restarting NETLOGON, I was able to use the NLTEST tool to reset the 
>> secure channel between the machine and the PDC, which causes the machine
>> to 
>> reauthenticate. Bingo. Problem solved.

>This is interesting.  We did upgrade the security requirements with 
>Samba 4.1 by default.  It is odd the RequreStrongKey actually forces 
>*down* what Windows will do. 

I think this may have been a legacy setting from some early but errant "in
the wild" configuration information for Win7/Pro clients against a Samba
PDC. Now, I remember from my logs in all this always seeing my DC negotiate
a 128-bit key even with RSK=0 in Windows, but I wonder if Windows did it's
part of the authentication dance errantly /assuming/ the shorter key length
(even though 128-bit had supposedly been negotiated). Would at least explain
the authentication failure. I'm probably way the heck out there, totally off
base, but just speculating on the situation. That said, it appeared that
prior to my tinkering with the PDC for this project, machine account
passwords were routinely being changed without incident when I had RSK=0.
The LCT date for my own laptop was, IIRC, about 10 days ago, and this laptop
has been in my domain for nearly 3 years.

>'net rpc vampire' will never work against a Samba DC.  We never 
>implemented a sever-side for the SamSync (NETLOGON replication between 
>and NT4-style PDC and BDC) protocol.   

Argh!! Then that one is totally on me for not reading the documentation more

View this message in context: http://samba.2283325.n4.nabble.com/Problems-in-SAMBA-3-3-to-4-0-migration-tp4680653p4681257.html
Sent from the Samba - General mailing list archive at Nabble.com.

More information about the samba mailing list