[Samba] [Solved?] Problem since upgrade to 4.5.1

L.P.H. van Belle belle at bazuin.nl
Tue Nov 22 08:19:25 UTC 2016

Hai John,

Thanks for the info.

And I know you don't have TS servers, you told that already 3 times in previous emails. ;-)

Yes, I did send a link with TS in it, but that's just because the info is good.

I think it's a combination of not using SSL/TLS and new restrictions from MS,
and as Mathias already said, these days everything relies on Kerberos,
which relies on SPNs, and which need an A and PTR (and SPN) to function correctly.

Windows 7/2008(R2) support extended protection for IWA,
which includes support for CBT, which is enabled by default.

This is an easy thing to try.
Just open an .RDP file and edit it with Notepad.

And play with these settings:

authentication level:i:0
negotiate security layer:i:1

and here is the related info

and GPO part: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\

Should help you to fix this without changing Samba defaults.

And... you know RDP just simulates the terminal services of Remote Administration Mode.
The only difference is there is no client-server environment.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of John Gardeniers
> via samba
> Sent: Monday 21 November 2016 21:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Solved?] Problem since upgrade to 4.5.1


> Hi Louis,
>
> On 21/11/16 21:53, L.P.H. van Belle via samba wrote:
> > Hai John,
> >
> > I saw that this was resolved.
> >
> > Just interested, are you using SSL/TLS with samba on your servers,
> No.
> > and do you have you publish the AD DC/CA Root to your computers?
> No, unless that's handled automatically by Samba.
> > Did you look here in GPO :
> >
> > Computer Configuration -> Administrative Templates -> System -> Credentials Delegation.
> >
> > Before lowering samba security settings.
> No, nor is it relevant to the problem.
> > Some good info here to read into.
> >
> > https://blogs.technet.microsoft.com/enterprisemobility/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks/
> Why do people assume that we are using Terminal Servers just because we
> are using RDP? We aren't. The target machines are workstations.
>
> regards,
> John


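An added example, not part of the original message or of Samba: a small Python check that reads an .rdp file and reports the two settings named in the message, flagging `authentication level` values that let the connection proceed when server authentication fails. The value meanings follow Microsoft's .rdp file documentation; the sample file content and host name are constructed.

```python
import codecs

# "authentication level" values as documented by Microsoft for .rdp files.
AUTH_LEVEL = {
    0: "connect without warning if server authentication fails",
    1: "do not connect if server authentication fails",
    2: "warn and let the user decide if server authentication fails",
    3: "no authentication requirement specified",
}
WATCHED = ("authentication level", "negotiate security layer")

def decode_rdp(raw: bytes) -> str:
    """mstsc usually saves .rdp files as UTF-16 with a BOM; accept UTF-8 too."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; the value may itself contain colons."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i" and value.strip().isdecimal():
            value = int(value)
        settings[name.strip().lower()] = value
    return settings

def audit(raw: bytes) -> list:
    """Return (setting, value, note) for the two settings named in the message."""
    settings = parse_rdp(decode_rdp(raw))
    findings = []
    for key in WATCHED:
        value = settings.get(key)
        if value is None:
            note = "not set in file; the client default applies"
        elif key == "authentication level":
            note = AUTH_LEVEL.get(value, "unrecognised value")
            if value in (0, 3):
                note = "WEAK: " + note
        else:
            note = "compare with the security layer the server requires"
        findings.append((key, value, note))
    return findings

# Constructed sample: the two lines from the message plus a made-up host.
SAMPLE = ("full address:s:ws01.example.test:3389\r\nauthentication level:i:0\r\n"
          "negotiate security layer:i:1\r\n").encode("utf-16")
```

Calling `audit(open(path, "rb").read())` on each .rdp file in a share shows which ones still carry the relaxed value after troubleshooting.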