[Samba] Win7 client error after classicupgrade from S3 to S4

Lorenzo Milesi maxxer at yetopen.it
Thu Apr 25 15:33:22 UTC 2019

We're trying to upgrade an old NT domain to AD. It's our second upgrade, and while the first was successful, this one has raised some issues for existing Windows 7 clients.
If we disconnect the computer from the domain and join it back to the new S4 AD it works. Existing clients throw this error in Samba:

Kerberos: AS-REQ b1rd42nbtmp648$@NT4DOMAIN from ipv4: for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:05:24.127751, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 128
[2019/04/24 17:05:24.127768, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- b1rd42nbtmp648$@NT4DOMAIN
[2019/04/24 17:05:24.127777, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- b1rd42nbtmp648$@NT4DOMAIN
[2019/04/24 17:05:24.127799, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2019/04/24 17:05:24.127865, 5] ../source4/dsdb/common/util.c:5158(dsdb_update_bad_pwd_count) Not updating badPwdCount on CN=b1rd42nbtmp648,CN=Computers,DC=samba,DC=newdomain,DC=lan after wrong password
[2019/04/24 17:05:24.127877, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN
[2019/04/24 17:05:24.128238, 3] ../source4/smbd/service_stream.c:66(stream_term:

We've searched for similar errors and found that we should reset the user password, but this is a machine account.
Can I solve this without rejoining all W7 machines?

krb5.conf:

        default_realm = SAMBA.NEWDOMAIN.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

        kdc =
        admin_server =

smb.conf:

        workgroup = NT4DOMAIN
        realm = samba.newdomain.lan
        netbios name = SERVERX7
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        interfaces =
        log level = 4
        winbind nss info = rfc2307
        idmap config NT4DOMAIN:backend = ad
        idmap config NT4DOMAIN:schema_mode = rfc2307
        idmap config NT4DOMAIN:range = 10000-999999
        winbind enum users = yes
        winbind enum groups = yes
        logon home = \\%N\%U
        logon path = \\%N\profiles\%U
        vfs object = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

Lorenzo Milesi - lorenzo.milesi at yetopen.it

YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222

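The log excerpt above shows the shape of a Kerberos ENC-TS pre-authentication failure on a Samba AD DC: the client offers an encrypted timestamp, the KDC tries to decrypt it with the key it holds for the principal, and the integrity check fails. As an added example (not code from the original post or from the Samba project), the Python script below parses such "Kerberos:" debug lines, groups them per client principal, distinguishes machine accounts (trailing "$") from users, and flags accounts for which every key the KDC tried failed its integrity check and nothing succeeded; in Kerberos that pattern means the KDC's stored key for the account does not match the key the client derived from its password, rather than a malformed request. The sample log is constructed: the machine-account request copies the post's excerpt (the source address after "ipv4:" is absent there too), while the jdoe request and its "ENC-TS Pre-authentication succeeded" line are invented for contrast. The code also assumes the KDC logs one request's lines contiguously, which is how the post's excerpt reads.

```python
"""Group Samba KDC 'Kerberos:' debug lines per client principal and flag
accounts whose encrypted-timestamp pre-auth the KDC could not decrypt.
Added example, not code from the original post or from the Samba project."""
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample log. The first request mirrors the post's excerpt (the
# source address after 'ipv4:' is absent there too); the jdoe request and the
# 'ENC-TS Pre-authentication succeeded' line are invented for contrast.
SAMPLE_LOG = """\
Kerberos: AS-REQ b1rd42nbtmp648$@NT4DOMAIN from ipv4: for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:05:24.127751, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 128
[2019/04/24 17:05:24.127777, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- b1rd42nbtmp648$@NT4DOMAIN
[2019/04/24 17:05:24.127799, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2019/04/24 17:05:24.127865, 5] ../source4/dsdb/common/util.c:5158(dsdb_update_bad_pwd_count) Not updating badPwdCount on CN=b1rd42nbtmp648,CN=Computers,DC=samba,DC=newdomain,DC=lan after wrong password
[2019/04/24 17:05:24.127877, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN
Kerberos: AS-REQ jdoe@NT4DOMAIN from ipv4: for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:06:01.000001, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 128
[2019/04/24 17:06:01.000002, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: ENC-TS Pre-authentication succeeded -- jdoe@NT4DOMAIN using aes256-cts-hmac-sha1-96
"""

ASREQ_RE = re.compile(r"Kerberos: AS-REQ (?P<principal>\S+) from \S* for (?P<server>\S+)")
PATYPES_RE = re.compile(r"Kerberos: Client sent patypes: (?P<types>.+)$")
FAIL_RE = re.compile(r"Kerberos: Failed to decrypt PA-DATA -- (?P<principal>\S+)"
                     r"(?: \(enctype (?P<enctype>[^)]+)\) error (?P<error>.+))?$")
SUCCESS_RE = re.compile(r"Pre-authentication succeeded -- (?P<principal>\S+) using (?P<enctype>\S+)",
                        re.IGNORECASE)
BADPWD_RE = re.compile(r"Not updating badPwdCount on CN=\S+ after wrong password")


@dataclass
class PrincipalStats:
    name: str
    as_requests: int = 0
    patypes: set = field(default_factory=set)   # pre-auth types the client offered
    key_failures: int = 0                       # per-enctype decrypt failures
    enctypes: set = field(default_factory=set)  # enctypes the KDC tried and failed with
    errors: set = field(default_factory=set)    # error strings from those failures
    rejected: int = 0                           # final 'Failed to decrypt' line (no enctype)
    successes: int = 0
    bad_pwd_count_suppressed: int = 0           # DC declined to bump badPwdCount

    @property
    def is_machine_account(self) -> bool:
        # AD machine accounts have a sAMAccountName ending in '$'
        return self.name.split("@", 1)[0].endswith("$")


def parse_kdc_log(text: str) -> "OrderedDict[str, PrincipalStats]":
    stats: "OrderedDict[str, PrincipalStats]" = OrderedDict()
    # Lines carrying no principal (patypes, badPwdCount) are attributed to the
    # most recent AS-REQ. Assumption: the KDC logs one request's lines
    # contiguously, as in the post's excerpt.
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := ASREQ_RE.search(line):
            current = m.group("principal")
            stats.setdefault(current, PrincipalStats(current)).as_requests += 1
        elif m := FAIL_RE.search(line):
            s = stats.setdefault(m.group("principal"), PrincipalStats(m.group("principal")))
            if m.group("enctype"):
                s.key_failures += 1
                s.enctypes.add(m.group("enctype"))
                s.errors.add(m.group("error").strip())
            else:
                s.rejected += 1
        elif m := SUCCESS_RE.search(line):
            stats.setdefault(m.group("principal"), PrincipalStats(m.group("principal"))).successes += 1
        elif current is not None and (m := PATYPES_RE.search(line)):
            stats[current].patypes.update(t.strip() for t in m.group("types").split(","))
        elif current is not None and BADPWD_RE.search(line):
            stats[current].bad_pwd_count_suppressed += 1
    return stats


def stale_key_suspects(stats) -> list:
    """Principals for which every key the KDC tried failed its integrity check and
    no pre-auth succeeded: the KDC's key for the account differs from the client's."""
    return [n for n, s in stats.items()
            if s.key_failures and not s.successes
            and s.errors == {"Decrypt integrity check failed"}]


def report(stats) -> list:
    return [f"{s.name} [{'machine' if s.is_machine_account else 'user'}] "
            f"as_req={s.as_requests} key_failures={s.key_failures} enctypes={sorted(s.enctypes)} "
            f"rejected={s.rejected} ok={s.successes} badPwdCount_suppressed={s.bad_pwd_count_suppressed}"
            for s in stats.values()]


if __name__ == "__main__":
    st = parse_kdc_log(SAMPLE_LOG)
    print("\n".join(report(st)))
    print("suspect stale keys:", stale_key_suspects(st))
```

Run it against a real DC log captured at log level 3 or higher (the level at which the "Kerberos:" lines in the post appear) to see which accounts keep failing pre-auth and with which enctypes; a machine account that shows up only with integrity-check failures and no success is a key mismatch between the client and the DC, which is the situation the post describes.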
