[Samba] problem with domain and samba3x
Rowland penny
rpenny at samba.org
Mon Jun 20 19:19:15 UTC 2016
On 20/06/16 19:53, Dale Schroeder wrote:
> On 06/17/2016 4:31 PM, peter lawrie wrote:
>> Hi all
>> About 18 months ago I connected 14 new Windows 7 PCs to a Centos5.1
>> server with samba3x as domain members. There are no other servers on
>> site.
>> Today, I had to visit to connect up a PC in a new location. As I would
>> normally do, I checked for Centos updates and found 35 outstanding,
>> including samba3x 3.6.23-12.el5_11 and samba3x-client, samba3x-common,
>> samba3x-doc, samba3x-domainjoin-gui, samba3x-swat, samba3x-winbind,
>> samba3x-winbind-devel
>>
>> Having completed the cabling I tried to log the PC in but received
>> 'trust relationship between this workstation and primary domain
>> failed'. Several times I removed it from the domain and added it back
>> again - this made no difference. I noted the time on the PC was 7
>> minutes out from the server, so corrected that, removed from the
>> domain, added it in again but had the same message.
>> Thinking it was just related to this PC, I left it configured as a
>> workgroup member, created a new local user to match the domain
>> username it had been using and connected it to the server shares.
>>
>> Then I went to another PC which had an unrelated issue which needed
>> attention, but when I tried to log on to the domain I received the same
>> domain trust failure message.
>> Only then did I suspect that the samba3x update may have been the
>> cause, so I removed it and installed 3x 3.6.23-9 - now when I tried to
>> log in I get "there are no login servers available to service the login
>> request"
>>
>> As other users were complaining about losing access to the server
>> shares, I then had to visit every PC, remove each of them from the
>> domain into a workgroup, create a local user on each to match the
>> samba username and copy the profile. Needless to say, a job which
>> should have taken 1 to 2 hours took 7.
>>
>> I still have no idea why the problem occurred. Is there an issue with
>> the latest samba update? All I could find online was that the update
>> related to a fix for badlock vulnerability.
>> Peter Lawrie
> Peter,
>
> The badlock patches have been a big problem for Samba classic
> domains. Many have posted asking for help, but I have seen no
> solution presented on this list; i.e. the silence is deafening. It may
> be that NT4 classic domains will not work going forward.
>
> For example, refer to the post by Peter Tuharsky:
> http://www.spinics.net/lists/samba/msg134710.html
>
> In all actuality, Samba 4.3.x pre-badlock had already broken classic
> ldap domains.
I did some testing before the badlock patches and did manage to get an
ldap-based NT4 PDC running and connected a Unix client to it, but this
was a test domain and it didn't use smbldap-tools.
I think one of the problems is that nobody has logged a bug report for
this problem, so nobody is looking into it. Another problem is that
Windows is trying to deter the use of NT4-style domains; it is my
understanding that Win10 will not connect to one out-of-the-box. They
could (and probably will) make the use of NT4 domains impossible at any
time.
Rowland
>
> So, if anyone has a working Samba/openldap NT4 classic domain
> post-badlock patches, would you please share your config to help these
> people?
>
> And, if you have a working 4.3 or 4.4 classic domain config, please
> help me out.
>
> Thanks,
> Dale
>
>
>