[Samba] SOLVED (approximately?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z at Y.Z in keytab (arcfour-hmac-md5)

Rowland Penny rpenny at samba.org
Tue Jan 17 11:24:28 UTC 2017


On Tue, 17 Jan 2017 03:03:28 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:

> Samba - General mailing list wrote
> 
> Rowland, thank you
> 
> Please note the comments starting with two '#'. They give info about
> erroneous behavior I encountered.
> 
> The manual says that "domain master = auto" means "NO" if "domain
> logons = NO", and this is the default.
> Please note also the behavior of "hosts allow ... except" on the AD-DC
> 
> here it comes...
> 
> root at hg-dc1:/etc/samba# cat smb.conf
> ## Global parameters
> [global]
>         workgroup = HUMGEN
>         realm = HUMGEN.0ZONE
>         netbios name = HG-DC1
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
> #dnsupdate
> ## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone
> ## and contains all I have, including printer and lab devices, which are not in the domain
> ## all dns tests are positive and all clients get DNS
> 
>         idmap_ldb:use rfc2307 = yes
>         dns-nameservers 127.0.0.1
> 
>         tls enabled  = yes
>         tls keyfile  = tls/myKey.pem
>         tls certfile = tls/myCert.pem
>         tls cafile   = 
> 
> ## WITHOUT THIS no old WindowsXP will find the AD-DC to join,
> ## even if I've already set the IP of the wins server to the AD-DC in numerical form
> ## Error is, that no SRV record could be found for the domain. BUT nslookup shows manually all needed
> ## After the join, WindowsXP seems to stay joined and allow further login
> ## EVEN if I take these configs back
> #domain logons = yes
> #domain master = yes
> #local master = yes
> 
> ## hosts allow on AD-DC breaks everything.
> ## No more wbinfo on the DC, no more id or getent passwd on the domain member
> ## BUG?
> #hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
> 
> ## don't show the shares
> browseable = no
> 
> map to guest = never
> 
> ## allow no local caching of data on the client
> csc policy = disable
> 
> hide unreadable = yes
> hide dot files = no
> 
> ## new session kills possible old connection from the same IP. Avoids lock on files by old connections
> reset on zero vc = yes
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/humgen.0zone/scripts
>         read only = Yes
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> <<<<< smb.conf AD-DC END
> 
> And now as a side note and deja vu for me, look what I wrote in the
> old smb.conf (still working since 2009) for an NT domain with
> Samba/smbd version 3.4.0 :)
> 
> ## samba accepts no new computer in the domain if these
> ## browse options equal NO ?!
> preferred master = yes
> local master = yes
> domain master = yes
> 
> Regards
> rawi

OK, first question, are you using BIND9_DLZ on the DC ?

Rowland
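Added example (editor's addition; not part of the thread and not code from the Samba project or the poster): a small linter that parses the smb.conf syntax used above and reports the points the thread raises. The sample config is constructed from the posted one, with the X.Y.Z placeholders kept as the poster wrote them and the commented-out "hosts allow" line enabled so that the check fires. It flags the "dns-nameservers 127.0.0.1" line, which is not "parameter = value" syntax and so is not an smb.conf setting at all, a DC whose "server services" omits "dns" (the situation behind Rowland's BIND9_DLZ question), "hosts allow" on a DC, and "tls enabled = yes" with an empty file path. The findings wording and the "__malformed__" key are this example's own conventions.

```python
"""Lint an smb.conf for the settings discussed in the thread above.

Added example; not code from the Samba project or from the poster.
It parses smb.conf's INI-like syntax (sections, 'parameter = value',
'#'/';' comments, backslash line continuations) and reports findings.
"""

# Constructed sample, adapted from the posted smb.conf (placeholders kept;
# the poster's commented-out 'hosts allow' line is enabled here on purpose).
SAMPLE_SMB_CONF = """\
[global]
        workgroup = HUMGEN
        realm = HUMGEN.0ZONE
        netbios name = HG-DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, \\
                drepl, winbindd, ntp_signd, kcc
        idmap_ldb:use rfc2307 = yes
        dns-nameservers 127.0.0.1
        tls enabled  = yes
        tls keyfile  = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile   =
        hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
        map to guest = never
        csc policy = disable
[netlogon]
        path = /var/lib/samba/sysvol/humgen.0zone/scripts
        read only = Yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Parameter names are lower-cased
    with whitespace collapsed, as Samba treats them. Lines without '=' are
    kept under the (example-specific) key '__malformed__' instead of dropped."""
    conf, section, pending = {}, "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continuation onto the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        params = conf.setdefault(section, {})
        if not sep:
            params.setdefault("__malformed__", []).append(line)
            continue
        params[" ".join(key.lower().split())] = value.strip()
    return conf


def lint(conf):
    """Return a list of (severity, message) findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    for bad in g.get("__malformed__", []):
        findings.append(("error", f"not 'parameter = value' syntax; Samba will not apply it: {bad!r}"))
    is_dc = "domain controller" in g.get("server role", "").lower()
    if is_dc and "server services" in g:
        services = {s.strip().lower() for s in g["server services"].split(",")}
        if "dns" not in services:
            findings.append(("warn", "server services omits 'dns': the internal DNS server is off, "
                                     "so the AD zones (including _msdcs) must be served by BIND9_DLZ"))
    if is_dc and "hosts allow" in g:
        tokens = g["hosts allow"].lower().split()
        loopback = any(t == "localhost" or t.startswith("127.") for t in tokens)
        msg = "hosts allow on an AD DC: the poster reports wbinfo on the DC and id/getent on members breaking"
        if not loopback:
            msg += "; loopback is not even listed"
        findings.append(("warn", msg))
    if g.get("tls enabled", "no").lower() == "yes":
        for key in ("tls keyfile", "tls certfile", "tls cafile"):
            if not g.get(key):
                findings.append(("warn", f"tls enabled = yes but '{key}' is empty"))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("warn", f"map to guest = {g['map to guest']} allows guest mapping"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{severity}: {message}")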





More information about the samba mailing list