[Samba] [Solved?] Problem since upgrade to 4.5.1

Alex Crow acrow at integrafin.co.uk
Tue Nov 22 12:04:15 UTC 2016


On 22/11/16 08:19, L.P.H. van Belle via samba wrote:
> Hai John,
>
> Thanks for the info.
>
> And I know you don't have TS servers, you told that already 3 times in previous emails. ;-)
>
> Yes, I did send a link with TS in it, but that's just because the info is good.
>
> I think it's a combination of not using SSL/TLS and new restrictions from MS,
> and as Mathias already said, these days everything relies on Kerberos,
> which relies on SPNs, and which need an A and PTR (and SPN) to function correctly.
>
> Windows 7/2008(r2) support extended protection for IWA,
> which includes support for CBT, which is enabled by default.
>
> This is an easy thing to try.
> Just open an .RDP file, and edit it with notepad.
>
> And play with these settings:
>
> authentication level:i:0
> negotiate security layer:i:1
>
> and here is the info related
> https://technet.microsoft.com/en-us/library/cc770833(v=ws.11).aspx
>
> and GPO part : Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\
>
> Should help you to fix this without changing Samba defaults.
>
> And... you know RDP just simulates the terminal services of Remote Administration Mode.
> The only difference is there is no client-server environment.

I'm with the OP though in finding this odd. He didn't change any part of 
his Windows environment and yet a subset of his machines seemingly won't 
accept an RDP connection by name, replying with a cryptic error. 
However, RDP works perfectly to an IP address, and to name and IP from 
Linux!

If ntlm auth = yes is required with Samba 4.5.x, then surely without it, 
none of the connections should have worked.

I have a Samba 4.5.1 lab set up, and I can happily RDP to all my Win 7 
machines by name without having to add the "ntlm auth" parameter. I can 
also RDP to XP VMs (the OP does not have any) even though they have no 
SPN for Terminal Services.

Something just doesn't add up here.

Alex

