[Samba] Joining 4.2.2 Samba client to Samba3 PDC

Morgan, David S DAVID_MORGAN at hms.harvard.edu
Fri Jun 12 14:35:35 MDT 2015 

Thanks for the tips.  I didn't have any luck with the various
NT4-related options.  I didn't even have any luck by setting up a VM
with the latest Samba 4.2.2. stable backed by OpenLDAP as a PDC.  Oh
well, I guess I'll wait for another Samba release and see if things have
improved then.

Thanks,
David


On 06/12/2015 05:00 AM, L.P.H. van Belle wrote:
> Just a pointer.. 
>
> try with settings like : 
>
> client lanman auth = yes
> client NTLMv2 auth = no
> client plaintext auth = yes
>
> i dont know the exact setting are which you need, but look in the man of smb.conf
> man smb.conf search for NT4, you see more settings. 
>
> Greetz, 
>
> Louis 
>
>> -----Oorspronkelijk bericht-----
>> Van: dmorgan at westquad.med.harvard.edu 
>> [mailto:samba-bounces at lists.samba.org] Namens David Morgan
>> Verzonden: donderdag 11 juni 2015 23:37
>> Aan: samba at lists.samba.org
>> Onderwerp: [Samba] Joining 4.2.2 Samba client to Samba3 PDC
>>
>>
>> Hi,
>>
>> Not sure of the etiquette of this, so apologies if this is 
>> frowned upon, 
>> but a couple of months ago, this[1] question was asked.
>>
>> I'm trying to join a Samba 4.2.2 server to a Samba 3.4.7 PDC 
>> (e.g. Think 
>> NT4, not AD), which is also our OpenLDAP principal server.  
>> I'm failing 
>> because, although my "net rpc join" command seems to succeed, and the 
>> host entry is added to the directory, I keep getting messages such as 
>> this in /var/log/samba/log.CLIENT_IP on my PDC/LDAP host:
>>
>>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
>> Rejecting auth request from client CLIENT machine account CLIENT$
>> [2015/06/11 16:46:18,  0] 
>> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
>> Rejecting auth request from client CLIENT machine account CLIENT$
>>
>> and the user that I've added, fails to log in, with basically a 
>> "permissions denied" error (I'm trying to log in from OS X 10.10.3). 
>> This login attempt correlates with the two error lines above.
>>
>> The PDC is running Ubuntu 10.04 (* * *looks away in 
>> embarrassment* * *) 
>> and the client CLIENT[2] is Ubuntu Server 14.04.  The sensible advice 
>> might likely be: UPGRADE YOUR PDC HOST, DUMMY!, and I do intend to do 
>> that, but if we could get this working it would be really neat-o keen, 
>> and would buy us a bit of time.  The motivation for this is to 
>> give our 
>> OS X users the significant performance advantages that 
>> vfs_fruit has to 
>> offer them (Thanks again, Ralph![3]).  If the only solution is to 
>> upgrade the PDC, that's ultimately fine, but that will of course take 
>> more time.
>>
>> If you've read this far, Thanks![4]
>>
>> -DM
>>
>>
>> [1]
>>> Francesco Malvezzi francesco.malvezzi at unimore.it
>>> Tue Apr 14 00:41:15 MDT 2015
>>>
>>> hi all,
>>>
>>> my working samba-4.1.7 member of a samba3 domain 
>> (samba-3.5.3) failed
>>> while updating to samba-4.2.0. Users were no longer able to access
>>> shares because the trust account was broken.
>>>
>>> According to release notes (Winbindd/Netlogon improvements):
>>>
>>> For the client side we have the following new options:
>>> "require strong key" (yes by default), "reject md5 servers" 
>> (no by > 
>>> default).
>>> E.g. for Samba 3.0.37 you need "require strong key = no" and
>>> for NT4 DCs you need "require strong key = no" and "client 
>> NTLMv2 > > 
>>> auth = no",
>>>
>>> so in samba-4.2.0 member's smb.conf I put:
>>>
>>>  require strong key = no
>>>  client NTLMv2 auth = no
>>>
>>> but yet trust account wasn't able to authenticate on domain PDC.
>>>
>>> Which are the correct switches to allow a samba-4.2.0 
>> member to join a
>>> samba3 PDC?
>>>
>>> thank you,
>>>
>>> Francesco
>> [2] Not his real name.
>>
>> [3] Legally required statement.
>>
>> [4] ...but you might need to get outside more. :-O
>>
>> -- 
>> David S Morgan, Ph.D.			 david_morgan at hms.harvard.edu
>> Director				 http://wqcg.med.harvard.edu
>> West Quad Computing Group		 Office: 617-651-0259
>> Harvard Medical School
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>


-- 
David S Morgan, Ph.D.                david_morgan at hms.harvard.edu
Director                             http://wqcg.med.harvard.edu
West Quad Computing Group            Office: 617-651-0259
Harvard Medical School

More information about the samba mailing list