[Samba] problem with domain and samba3x

Rowland penny rpenny at samba.org
Mon Jun 20 19:19:15 UTC 2016 

On 20/06/16 19:53, Dale Schroeder wrote:
> On 06/17/2016 4:31 PM, peter lawrie wrote:
>> Hi all
>> About 18 months ago I connected 14 new Windows 7 PCs to a Centos5.1 
>> server
>> with samba3x as domain members.  There are no other servers on site.
>> Today, I had to visit to connect up a PC in a new location. As I would
>> normally do I checked for Centos updates and found 35 outstanding 
>> including
>> samba3x 3.6.23-12.el5_11 and samba3x-client, samba3x-common, 
>> samba3x-doc,
>> samba3x-domainjoin-gui, samba3x-swat, samba3x-winbind, 
>> samba3x-winbind-devel
>>
>> Having completed the cabling I tried to log the PC in but received 
>> 'trust
>> relationship between this workstation and primary domain failed'. 
>> Several
>> times I removed it from the domain and added it back again - this 
>> made no
>> difference. I noted the time on the PC was 7 minutes out from the 
>> server,
>> so corrected that, removed from the domain, added it in again but had 
>> the
>> same message.
>> Thinking it was just related to this PC, I left it configured as a
>> workgroup member, created a new local user to match the domain 
>> username it
>> had been using and connected it to the server shares.
>>
>> Then I went to another PC which had an unrelated issue which needed
>> attention but when I tried to logon to the domain received the same 
>> domain
>> trust failure message.
>> Only then did I suspect that the samba3x update may have been the 
>> cause so
>> I removed it installed 3x 3.6.23-9 - now when I tried to login I get 
>> "there
>> are no login servers available to service the login request"
>>
>> As other users were complaining about losing access to the server 
>> shares, I
>> then had to visit every PC, remove each of them from the domain into a
>> workgroup, create a local user on each to match the samba username 
>> and copy
>> the profile. Needless to say, a job which should have taken 1 to 2 hours
>> took 7.
>>
>> I still have no idea why the problem occurred, is there an issue with 
>> the
>> latest samba update. All I could find online was that the update 
>> related to
>> a fix for badlock vulnerability.
>> Peter Lawrie
> Peter,
>
> The badlock patches have been a big problem for Samba classic 
> domains.  Many have posted asking for help, but I have seen no 
> solution presented on this list; i.e. the silence is deafening. It may 
> be that NT4 classic domains will not work going forward.
>
> For example, refer to the post by Peter Tuharsky: 
> http://www.spinics.net/lists/samba/msg134710.html
>
> In all actuality, Samba 4.3.x pre-badlock had already broken classic 
> ldap domains.

I did some testing before the badlock patches and did manage to get an 
ldap based NT4 PDC running and connected a Unix client to it, but this 
was a test domain and it didn't use smbldap-tools.

I think one of the problems is that nobody has logged a bug report for 
this problem, so nobody is looking in to it, another problem is that 
windows is trying to deter the use of NT4-style domains, it is my 
understanding that Win10 will not connect to one out-of-the-box. They 
could (and probably will) make the use of NT4 domains impossible at any 
time.

Rowland

>
> So, if anyone has a working Samba/openldap NT4 classic domain 
> post-badlock patches, would you please share your config to help these 
> people?
>
> And, if you have a working 4.3 or 4.4 classic domain config, please 
> help me out.
>
> Thanks,
> Dale
>
>
>

More information about the samba mailing list