[Samba] Win7 client error after classicupgrade from S3 to S4

Rowland Penny rpenny at samba.org
Thu Apr 25 16:02:24 UTC 2019 

On Thu, 25 Apr 2019 17:33:22 +0200 (CEST)
Lorenzo Milesi via samba <samba at lists.samba.org> wrote:

> Hi. 
> We're trying to upgrade an old NT domain to AD. It's our second
> upgrade, and while the first was successfull this one has raised some
> issues for existing Windows 7 clients. If we disconnect the computer
> from the domain and join it back to the new S4 AD it works. Existing
> clients throws this error in Samba:
> 
> Kerberos: AS-REQ b1rd42nbtmp648$@NT4DOMAIN from ipv4:10.0.0.42:49472
> for krbt gt/NT4DOMAIN at NT4DOMAIN [2019/04/24 17:05:24.127751,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80
> (smb_krb5_debug_wrapper) Kerberos: Client sent patypes:
> encrypted-timestamp, 128 [2019/04/24 17:05:24.127768,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80
> (smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data --
> b1rd42nbtmp648$@NT4DOMAIN [2019/04/24 17:05:24.127777,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80
> (smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data --
> b1rd42nbtmp648$@NT4DOMAIN [2019/04/24 17:05:24.127799,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80
> (smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA --
> b1rd42nbtmp648$@NT4DOMAIN (enctype arc four-hmac-md5) error Decrypt
> integrity check failed [2019/04/24 17:05:24.127865,
> 5] ../source4/dsdb/common/util.c:5158(dsdb_update_ bad_pwd_count) Not
> updating badPwdCount on
> CN=b1rd42nbtmp648,CN=Computers,DC=samba,DC=newdomain,DC=lan after
> wrong password [2019/04/24 17:05:24.127877,
> 3] ../source4/auth/kerberos/krb5_init_context.c:80
> (smb_krb5_debug_wrapper) Kerberos: Failed to decrypt PA-DATA --
> b1rd42nbtmp648$@NT4DOMAIN [2019/04/24 17:05:24.128238,
> 3] ../source4/smbd/service_stream.c:66(stream_term:
> 
> 
> We've searched for similar errors but I found we should reset user
> password, but this is a machine account. Can I solve without
> rejoining all W7 machines? Thanks
> 
> 
> krb5.conf:
> [libdefaults]
>         default_realm = SAMBA.NEWDOMAIN.LAN
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> [realms]
>         SAMBA.NEWDOMAIN.LAN =  {
>         kdc = 10.0.0.7
>         admin_server = 10.0.0.7
>         }
> 
> smb.conf:
> [global]
>         workgroup = NT4DOMAIN
>         realm = samba.newdomain.lan
>         netbios name = SERVERX7
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         interfaces = 127.0.0.1 10.0.0.7
>         log level = 4

It was going so well, a Samba AD DC using Bind9 as the dns server, then
you went and added the lines below.

>         winbind nss info = rfc2307
>         idmap config NT4DOMAIN:backend = ad
>         idmap config NT4DOMAIN:schema_mode = rfc2307
>         idmap config NT4DOMAIN:range = 10000-999999

You definitely need to remove the 4 lines above, they have no place in
an AD DC smb.conf.

>         winbind enum users = yes
>         winbind enum groups = yes

Whilst you can have have the two lines above, they are not recommended.

>         logon home = \\%N\%U
>         logon path = \\%N\profiles\%U
>         vfs object = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes

Another five lines that have no place in an AD DC smb.conf, the 'vfs
object' line especially.
 
Rowland

More information about the samba mailing list