[Samba] samba 4.4.14 breaks classic domain
Gaiseric Vandal
gaiseric.vandal at gmail.com
Thu Jun 22 12:54:47 UTC 2017
Setting my domain controllers to use SMB2 breaks Windows domain
authentication for Windows clients. I don't know why. The clients
in question are Windows 7 and Windows 2008 R2.

Once I set the domain controllers and problem member server to

    server max protocol = NT1
    server min protocol = NT1
    client max protocol = NT1
    client min protocol = NT1

the domain join problem went away.

I don't know what would happen if I had the member servers use

    server max protocol = SMB2
    server min protocol = NT1

Presumably that would not affect authentication from Windows clients.

On 06/21/17 14:57, Gaiseric Vandal wrote:
> Good catch. I had set server max protocol to NT1 after upgrading from
> samba 3.x to 4.x. Some Windows clients had problems with SMB2 and
> file shares (though this should not really be an issue with the domain
> controllers.)
>
> I have now set the dc's to
>
> server max protocol = SMB2
> server min protocol = NT1
>
>
> and the client machine to be
>
> client max protocol = SMB2
> client min protocol = NT1
>
>
> But it doesn't fix the problem. I don't think the
>
>
> The machine in question is not used heavily so it is possible there
> was some issue prior to the latest patch.
>
> Setting a 4.4.13 version machine to use NT1 and SMB2 as the min and
> max protocols for client and server does not seem to cause a problem
> with validating the domain membership.
>
>
>
> I had compiled samba 4.5.1 some months ago in an alternate directory,
> and it also fails with "net join" (although it may be picking up
> library files that were updated with the system update.)
>
> I may try rolling back the OS patches.
>
>
>
>
> On 06/21/17 12:18, Rowland Penny via samba wrote:
>> On Wed, 21 Jun 2017 11:55:47 -0400
>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>>
>>> I increased the logging to 10 on the problem member server. Didn't
>>> see anything of interest.
>>>
>>> I did a packet capture on the PDC while typing "net rpc testjoin"
>>> from both the problem member server (4.4.14) and a working member
>>> server (4.4.13)
>>>
>>> e.g.
>>>
>>> SMB: ----- SMB Header -----
>>> SMB:
>>> SMB: CLIENT REQUEST
>>> SMB: Command code = 0x72
>>> SMB: Command name = SMBnegprot
>>> SMB:
>>> SMB: SMB Status:
>>> SMB: - Error class = No error
>>> SMB: - Error code = No error
>>> SMB:
>>> SMB: Header:
>>> SMB: - Tree ID (TID) = 0x0000
>>> SMB: - Process ID (PID) = 0xfffe
>>> SMB: - User ID (UID) = 0x0000
>>> SMB: - Multiplex ID (MID) = 0x0000
>>> SMB: - Flags summary = 0x18
>>> SMB: - Flags2 summary = 0xc843
>>> SMB:
>>> SMB: ByteCount = 49
>>> SMB: Dialect String = NT LANMAN 1.0
>>> SMB: Dialect String = NT LM 0.12
>>> SMB: Dialect String = SMB 2.002
>>> SMB: Dialect String = SMB 2.???
>>> SMB:
>>>
>>>
>>>
>>> On the working member server, the packet capture included a lot of
>>> "SMB" traffic. With the problem server, all the "SMB" packets were
>>> empty.
>>>
>>> e.g.
>>>
>>> SMB: ----- SMB: -----
>>> SMB:
>>> SMB: ""
>>> SMB:
>>>
>>>
>>>
>>>
>>> Both machines are configured for a max protocol of SMB2. The problem
>>> machine is also configured for a min protocol of SMB2.
>>>
>>>
>>> testparm -v
>>>
>>> client ipc max protocol = default
>>> client max protocol = SMB2
>>> server max protocol = SMB2
>>>
>>> client ipc min protocol = SMB2
>>> client min protocol = SMB2
>>> server min protocol = SMB2
>>>
>>> On the PDC, the log file for IP_ADDRESS_OF_PROBLEM_SERVER shows
>>>
>>>
>>> Non-SMB packet of length 182. Terminating server
>>>
>>>
>> I wonder if this has anything to do with the same reason that you have
>> to set 'server max protocol = NT1' in smb.conf on the PDC if using
>> Win10 clients, see here for more info:
>>
>> https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request
>>
>>
>> Rowland
>>
>
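
The settings compared in this thread can be checked mechanically: does a member's client protocol range overlap the DC's server range at all? The sketch below is an added example, not code from the thread or from Samba. The protocol ordering and the SMB2/SMB3 aliases are taken from smb.conf(5), the sample settings are copied from the messages above, and it assumes both min and max are set explicitly (as "testparm -v" prints them).

```python
# Added example (not from the thread): check whether a member's client
# protocol range and a DC's server protocol range have a common dialect.
ORDER = ["LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10", "SMB2_22",
         "SMB2_24", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}  # aliases per smb.conf(5)

def parse_settings(text):
    """Parse 'key = value' lines from smb.conf or 'testparm -v' output."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments and [section] headers
        key, value = line.split("=", 1)
        settings[" ".join(key.lower().split())] = value.strip().upper()
    return settings

def proto_range(settings, side):
    """Return (min, max) as indexes into ORDER for side 'client' or 'server'."""
    levels = []
    for bound in ("min", "max"):
        name = settings[f"{side} {bound} protocol"]  # KeyError if not set
        levels.append(ORDER.index(ALIASES.get(name, name)))  # ValueError if unknown
    return tuple(levels)

def negotiable(member_conf, dc_conf):
    """Highest protocol both sides allow, or None if the ranges are disjoint."""
    c_lo, c_hi = proto_range(parse_settings(member_conf), "client")
    s_lo, s_hi = proto_range(parse_settings(dc_conf), "server")
    lo, hi = max(c_lo, s_lo), min(c_hi, s_hi)
    return ORDER[hi] if lo <= hi else None

# Settings copied from the thread.
MEMBER_SMB2_ONLY = "client max protocol = SMB2\nclient min protocol = SMB2\n"
ALL_NT1 = ("server max protocol = NT1\nserver min protocol = NT1\n"
           "client max protocol = NT1\nclient min protocol = NT1\n")
NT1_TO_SMB2 = ("server max protocol = SMB2\nserver min protocol = NT1\n"
               "client max protocol = SMB2\nclient min protocol = NT1\n")

if __name__ == "__main__":
    print(negotiable(MEMBER_SMB2_ONLY, ALL_NT1))  # SMB2-only member vs NT1-only DC
    print(negotiable(NT1_TO_SMB2, NT1_TO_SMB2))
    print(negotiable(ALL_NT1, ALL_NT1))
```

An overlap only shows that negotiation is possible; the thread reports the join still failing with the overlapping NT1 to SMB2 ranges.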