[Samba] [Solved?] Problem since upgrade to 4.5.1

L.P.H. van Belle belle at bazuin.nl
Tue Nov 22 12:15:47 UTC 2016


Ok, so if I understand right...

The production environment is running 4.5.1 (and needs the "ntlm auth").
The test environment is also running 4.5.1, and this works without the ntlm auth.
That's strange, yes.

About the production env., clean install of 4.5.1 or upgraded from?


About this.
> and yet a subset of his machines seemingly won't
> accept an RDP connection by name, replying with a cryptic error.
So not all PCs but a selection of PCs.
Imaged PCs? All PCs sysprepped?

Can you check if the working PCs include the Windows optional updates?

And do you have any event ID in a failing Windows PC? Can you post it?

What happens if you get a "not working" PC, remove it from the production env and add it to the test env?


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex Crow via
> samba
> Sent: Tuesday 22 November 2016 13:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Solved?] Problem since upgrade to 4.5.1
> 
> On 22/11/16 08:19, L.P.H. van Belle via samba wrote:
> > Hai John,
> >
> > Thanks for the info.
> >
> > And I know you don't have TS servers, you told that already 3x times in previous emails. ;-)
> >
> > Yes, I did send a link with TS in it, but that's just because the info is good.
> >
> > I think it's a combination of not using SSL/TLS and new restrictions from MS,
> > and as Mathias already said, these days everything relies on Kerberos,
> > which relies on SPNs, and which need an A and PTR (and SPN) to function correctly.
> >
> > Windows 7/2008(r2) support extended protection for IWA,
> > which includes support for CBT, which is enabled by default.
> >
> > This is an easy thing to try.
> > Just open an .RDP file, and edit it with notepad.
> >
> > And play with these settings:
> >
> > authentication level:i:0
> > negotiate security layer:i:1
> >
> > and here is the info related
> > https://technet.microsoft.com/en-us/library/cc770833(v=ws.11).aspx
> > and GPO part: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\
> >
> > Should help you to fix this without changing Samba defaults.
> >
> > And... you know RDP just simulates the terminal services of Remote Administration Mode.
> > The only difference is there is no client-server environment.
> >
> 
> I'm with the OP though in finding this odd. He didn't change any part of
> his Windows environment and yet a subset of his machines seemingly won't
> accept an RDP connection by name, replying with a cryptic error.
> However, RDP works perfectly to an IP address, and to name and IP from
> Linux!
> 
> If ntlm auth = yes is required with Samba 4.5.x, then surely without it,
> none of the connections should have worked.
> 
> I have a Samba 4.5.1 lab set up, and I can happily RDP to all my Win 7
> machines by name without having to add the "ntlm auth" parameter. I can
> also RDP to XP VMs (the OP does not have any) even though they have no
> SPN for Terminal Services.
> 
> Something just doesn't add up here.
> 
> Alex
> 
> 




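The .RDP edits suggested in the quoted message are easy to leave behind after troubleshooting. As an added example (not part of the thread and not Samba or Microsoft code), this Python script parses `.rdp` content and reports the two settings mentioned there, flagging `authentication level:i:0`, which Microsoft documents as connecting without warning when server authentication fails. The sample content, host name and note strings are constructed for illustration.

```python
# Added example, not from the thread: audit .rdp content for the two settings above.
import codecs

# Per Microsoft's RDP file settings documentation:
# authentication level 0 = connect without warning if server authentication fails.
WEAK = {("authentication level", 0): "server authentication failure is ignored silently"}
WATCH = ("authentication level", "negotiate security layer")


def decode_rdp(raw: bytes) -> str:
    """mstsc typically saves .rdp as UTF-16 with a BOM; an editor may re-save as UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines; the value itself may contain colons."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts[0].lower(), parts[1].lower(), parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer-typed setting with a non-numeric value
        settings[name] = value
    return settings


def audit(raw: bytes) -> list:
    """Return (setting, value, note) for each watched setting that is present."""
    settings = parse_rdp(raw)
    return [(n, settings[n], WEAK.get((n, settings[n]), "present; confirm intended"))
            for n in WATCH if n in settings]


# Constructed sample, encoded as UTF-16 with a BOM.
SAMPLE = ("full address:s:pc01.example.test:3389\r\n"
          "authentication level:i:0\r\n"
          "negotiate security layer:i:1\r\n").encode("utf-16")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```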