[Samba] Joining 4.2.2 Samba client to Samba3 PDC
David Morgan
dmorgan at westquad.med.harvard.edu
Thu Jun 11 15:37:09 MDT 2015
Hi,
Not sure of the etiquette of this, so apologies if this is frowned upon,
but a couple of months ago, this[1] question was asked.
I'm trying to join a Samba 4.2.2 server to a Samba 3.4.7 PDC (e.g. Think
NT4, not AD), which is also our OpenLDAP principal server. I'm failing
because, although my "net rpc join" command seems to succeed, and the
host entry is added to the directory, I keep getting messages such as
this in /var/log/samba/log.CLIENT_IP on my PDC/LDAP host:
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client CLIENT machine account CLIENT$
[2015/06/11 16:46:18, 0]
rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client CLIENT machine account CLIENT$
and the user that I've added fails to log in, with basically a
"permissions denied" error (I'm trying to log in from OS X 10.10.3).
This login attempt correlates with the two error lines above.
The PDC is running Ubuntu 10.04 (* * *looks away in embarrassment* * *)
and the client CLIENT[2] is Ubuntu Server 14.04. The sensible advice
might likely be: UPGRADE YOUR PDC HOST, DUMMY!, and I do intend to do
that, but if we could get this working it would be really neat-o keen,
and would buy us a bit of time. The motivation for this is to give our
OS X users the significant performance advantages that vfs_fruit has to
offer them (Thanks again, Ralph![3]). If the only solution is to
upgrade the PDC, that's ultimately fine, but that will of course take
more time.
If you've read this far, Thanks![4]
-DM
[1]
> Francesco Malvezzi francesco.malvezzi at unimore.it
> Tue Apr 14 00:41:15 MDT 2015
>
> hi all,
>
> my working samba-4.1.7 member of a samba3 domain (samba-3.5.3) failed
> while updating to samba-4.2.0. Users were no longer able to access
> shares because the trust account was broken.
>
> According to release notes (Winbindd/Netlogon improvements):
>
> For the client side we have the following new options:
> "require strong key" (yes by default), "reject md5 servers" (no by
> default).
> E.g. for Samba 3.0.37 you need "require strong key = no" and
> for NT4 DCs you need "require strong key = no" and "client NTLMv2
> auth = no",
>
> so in samba-4.2.0 member's smb.conf I put:
>
> require strong key = no
> client NTLMv2 auth = no
>
> but yet trust account wasn't able to authenticate on domain PDC.
>
> Which are the correct switches to allow a samba-4.2.0 member to join a
> samba3 PDC?
>
> thank you,
>
> Francesco
[2] Not his real name.
[3] Legally required statement.
[4] ...but you might need to get outside more. :-O
--
David S Morgan, Ph.D. david_morgan at hms.harvard.edu
Director http://wqcg.med.harvard.edu
West Quad Computing Group Office: 617-651-0259
Harvard Medical School
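
Added example, not part of the original post and not Samba's own code: a small Python parser for the PDC log excerpt quoted in the message above. It extracts each _netr_ServerAuthenticate3 rejection and counts them per machine account, which makes a broken trust account easy to spot. The sample log is constructed from the lines in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Samba log entry header, e.g. "[2015/06/11 16:46:18, 0]". Newer builds add
# microseconds and may put the source location on the same line.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]")
REJECT = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+)")
CHECK_FAILED = "netlogon_creds_server_check failed"

# Constructed sample: the entry from the post, repeated once, plus an
# unrelated entry that must not be counted.
SAMPLE_LOG = """\
[2015/06/11 16:46:18, 0]
rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client CLIENT machine account CLIENT$
[2015/06/11 16:46:19, 0]
rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client CLIENT machine account CLIENT$
[2015/06/11 16:47:02, 1]
  constructed unrelated message
"""

def netlogon_rejections(log_text):
    """Return (timestamp, client, account) for each rejected NETLOGON auth."""
    events = []
    timestamp = None          # stays None if the entry header was cut off
    check_failed = False      # set once the creds-check line is seen
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:            # a new log entry starts: reset per-entry state
            timestamp = header.group(1)
            check_failed = False
            continue
        if CHECK_FAILED in line:
            check_failed = True
        hit = REJECT.search(line)
        if hit and check_failed:
            events.append((timestamp, hit.group(1), hit.group(2)))
            check_failed = False
    return events

def rejections_per_account(log_text):
    """Count rejections per machine account (e.g. 'CLIENT$')."""
    return Counter(account for _, _, account in netlogon_rejections(log_text))

if __name__ == "__main__":
    for account, count in rejections_per_account(SAMPLE_LOG).most_common():
        print(f"{account}: {count} rejected NETLOGON authentications")
```
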