[Samba] SOLVED(aproximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z at Y.Z in keytab (arcfour-hmac-md5)

rawi only4com at web.de
Tue Jan 17 11:32:46 UTC 2017


Samba - General mailing list wrote
> On Tue, 17 Jan 2017 03:03:28 -0800 (PST)
> rawi via samba <samba at .samba> wrote:
> 
>> Samba - General mailing list wrote
>> 
>> Rowland, thank you
>> 
>> Please note the comments starting with two '#'. They give info about
>> erroneous behavior I encountered.
>> 
>> The manual says that "domain master = auto" means "NO", if "domain
>> logons = NO" and this is default.
>> Please note also the behavior of "hosts allow ... except" on the AD-DC
>> 
>> here it comes...
>> 
>> root at hg-dc1:/etc/samba# cat smb.conf
>> ## Global parameters
>> [global]
>>         workgroup = HUMGEN
>>         realm = HUMGEN.0ZONE
>>         netbios name = HG-DC1
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
>> #dnsupdate
>> ## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone
>> ## and contains all I have, inclusive printer and lab devices, which are not in the domain
>> ## all dns tests are positive and all clients get DNS
>> 
>>         idmap_ldb:use rfc2307 = yes
>>         dns-nameservers 127.0.0.1
>> 
>>         tls enabled  = yes
>>         tls keyfile  = tls/myKey.pem
>>         tls certfile = tls/myCert.pem
>>         tls cafile   = 
>> 
>> ## WITHOUT THIS no old WindowsXP will find the AD-DC to join,
>> ## even if I've already set the IP of the wins server to the AD-DC in numerical form
>> ## Error is, that no SRV record could be found for the domain. BUT nslookup shows manually all needed
>> ## After the join, WindowsXP seems to stay joined and allow further login
>> ## EVEN if I take these configs back
>> #domain logons = yes
>> #domain master = yes
>> #local master = yes
>> 
>> ## hosts allow on AD-DC breaks everything. 
>> ## No more wbinfo on the DC, no more id or getent passwd on the domain member
>> ## BUG?
>> #hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
>> 
>> ## don't show the shares
>> browseable = no
>> 
>> map to guest = never
>> 
>> ## allow no local caching of data on the client
>> csc policy = disable
>> 
>> hide unreadable = yes
>> hide dot files = no
>> 
>> ## new session kills possible old connection from the same IP. Avoids lock on files by old connections
>> reset on zero vc = yes
>> 
>> [netlogon]
>>         path = /var/lib/samba/sysvol/humgen.0zone/scripts
>>         read only = Yes
>> 
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>> 
>> <<<<< smb.conf AD-DC END
>> 
>> And now as a side note and deja vu for me, look what I wrote in the
>> old smb.conf (still working since 2009) for a NT-domain with
>> Samba/smbd version 3.4.0 :)
>> 
>> ## samba accepts no new computer in the domain if this
>> ## browse options equals NO ?!
>> preferred master = yes
>> local master = yes
>> domain master = yes
>> 
>> Regards
>> rawi
> 
> OK, first question, are you using BIND9_DLZ on the DC ?
> 
> Rowland

NO BIND9_DLZ, no dns updates.

As mentioned (commented) in the config: all dns comes from bind9 from
static zones containing all I have and supplementary all records samba AD-DC
would need (SOA for _msdcs and its objects etc.).

The newer Windows Versions (7 and 8.1) are doing perfectly.

rawi


