[Samba] Samba 4.3.9 member server problem in classic domain

Fri May 27 16:57:07 UTC 2016

I have a Fedora Core 23 Linux machine configured as a samba member of a 
"classic" domain.  The DC's Samba 3.6.25 NOT patched for badlock.       
Since upgrading to Samba 4.3.8 and (I think from 4.3.6 or 4.3.4)  , 
domain users can no longer access resources.     (upgraded to 4.3.9, 
same problem)   Since I had to roll back my Synology appliance to a 
previous OS, and reviewing other posts, I am quite certain this is due 
to the BADLOCK patch.

The BADLOCK patch seems to make signing the default behavior unless 
explicitly disabled.

 From a linux client

linuxclient-> smbclient -L stoic -U "MYDOMAIN\myname"
Enter MYDOMAIN\myname's password:
session setup failed: NT_STATUS_LOGON_FAILURE
linuxclient-> s

[root at memberserver1 ~]# smbd -V
Version 4.3.8
[root at memberserver1 ~]#

[root at memberserver1 ~]# net rpc testjoin
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
smb_signing_good: BAD SIG: seq 1
Join to 'MYDOMAIN' is OK
[root at memberserver1 ~]#

I updated smb.conf with

     client signing = disabled
     client ipc signing = disabled

[root at memberserver1 ~]# net rpc testjoin
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
Join to 'MYDOMAIN' is OK
[root at memberserver1 ~]#

But client logins still fail.

Setting "server signing = disabled" in smb.conf didn't seem to help 
either.     Guessing the issue is with schannel changes.

I can and prob will just downgrade to an 4.3.4 since I kept the 
RPM's.      The bigger issue is that at some point I will upgrade my 
domain controllers.   So far it seems that patched member servers will 
not work with unpatched domain controllers,  but I don't know  if the 
reverse is true.         I suspect I will have problems if there is any 
mismatch.

So far, my Windows clients  (Windows 7, 10 , 2008) are completely 
patched and have not had issues.

Thanks