[Samba] Win7 client error after classicupgrade from S3 to S4
Rowland Penny
rpenny at samba.org
Thu Apr 25 16:02:24 UTC 2019
On Thu, 25 Apr 2019 17:33:22 +0200 (CEST)
Lorenzo Milesi via samba <samba at lists.samba.org> wrote:
> Hi.
> We're trying to upgrade an old NT domain to AD. It's our second
> upgrade, and while the first was successful this one has raised some
> issues for existing Windows 7 clients. If we disconnect the computer
> from the domain and join it back to the new S4 AD it works. Existing
> clients throw this error in Samba:
>
> Kerberos: AS-REQ b1rd42nbtmp648$@NT4DOMAIN from ipv4:10.0.0.42:49472 for krbtgt/NT4DOMAIN at NT4DOMAIN
> [2019/04/24 17:05:24.127751, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> [2019/04/24 17:05:24.127768, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- b1rd42nbtmp648$@NT4DOMAIN
> [2019/04/24 17:05:24.127777, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- b1rd42nbtmp648$@NT4DOMAIN
> [2019/04/24 17:05:24.127799, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
> [2019/04/24 17:05:24.127865, 5] ../source4/dsdb/common/util.c:5158(dsdb_update_bad_pwd_count)
> Not updating badPwdCount on CN=b1rd42nbtmp648,CN=Computers,DC=samba,DC=newdomain,DC=lan after wrong password
> [2019/04/24 17:05:24.127877, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN
> [2019/04/24 17:05:24.128238, 3] ../source4/smbd/service_stream.c:66(stream_term:
>
>
> We've searched for similar errors and found we should reset the user
> password, but this is a machine account. Can I solve this without
> rejoining all W7 machines? Thanks
>
>
> krb5.conf:
> [libdefaults]
> default_realm = SAMBA.NEWDOMAIN.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> SAMBA.NEWDOMAIN.LAN = {
> kdc = 10.0.0.7
> admin_server = 10.0.0.7
> }
>
> smb.conf:
> [global]
> workgroup = NT4DOMAIN
> realm = samba.newdomain.lan
> netbios name = SERVERX7
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> interfaces = 127.0.0.1 10.0.0.7
> log level = 4
It was going so well, a Samba AD DC using Bind9 as the dns server, then
you went and added the lines below.
> winbind nss info = rfc2307
> idmap config NT4DOMAIN:backend = ad
> idmap config NT4DOMAIN:schema_mode = rfc2307
> idmap config NT4DOMAIN:range = 10000-999999
You definitely need to remove the 4 lines above, they have no place in
an AD DC smb.conf.
> winbind enum users = yes
> winbind enum groups = yes
Whilst you can have the two lines above, they are not recommended.
> logon home = \\%N\%U
> logon path = \\%N\profiles\%U
> vfs object = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
Another five lines that have no place in an AD DC smb.conf, the 'vfs
object' line especially.
Rowland
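Not part of the thread, and written from the defender's side: an added Python helper that scans Samba AD DC debug output (log level 3 or higher, in the format quoted at the top of the thread) and summarises which principals fail ENC-TS pre-authentication, separating computer accounts (trailing `$`) from users so an admin can list the existing clients whose machine secret no longer matches the KDC's copy after the upgrade. The sample log is constructed to mirror the quoted lines, with `@` where the list archive shows " at "; the second host, IP and user name are made up.

```python
import re
# Constructed sample of Samba AD DC debug output (log level 3+), modelled on the
# lines quoted in the thread; the second host, IPs and the user name are made up.
SAMPLE_LOG = """\
[2019/04/24 17:05:24.127700,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ b1rd42nbtmp648$@NT4DOMAIN from ipv4:10.0.0.42:49472 for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:05:24.127799,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2019/04/24 17:05:30.000100,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ jdoe@NT4DOMAIN from ipv4:10.0.0.55:50001 for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:05:30.000300,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- jdoe@NT4DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed
[2019/04/24 17:05:31.000100,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ b1rd42nbtmp648$@NT4DOMAIN from ipv4:10.0.0.42:49480 for krbtgt/NT4DOMAIN@NT4DOMAIN
[2019/04/24 17:05:31.000200,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- b1rd42nbtmp648$@NT4DOMAIN (enctype arcfour-hmac-md5) error Decrypt integrity check failed
"""

# AS-REQ entries carry the client address, failure entries the enctype and reason;
# matching only the failure form that names an enctype avoids counting the bare repeat twice.
AS_REQ = re.compile(r"Kerberos: AS-REQ (?P<princ>\S+) from ipv4:(?P<ip>[\d.]+):\d+ for ")
PA_FAIL = re.compile(r"Kerberos: Failed to decrypt PA-DATA -- (?P<princ>\S+) "
                     r"\(enctype (?P<enc>[^)]+)\) error (?P<err>.+)$")

def summarize_preauth_failures(log_text):
    """Per principal whose ENC-TS pre-auth failed to decrypt: computer account or
    not (trailing '$'), failure count, client IPs seen, enctypes involved."""
    last_ip = {}  # principal -> client IP from its most recent AS-REQ
    out = {}
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            last_ip[m["princ"]] = m["ip"]
            continue
        m = PA_FAIL.search(line)
        if not m:
            continue
        princ = m["princ"]
        rec = out.setdefault(princ, {"is_machine": princ.split("@", 1)[0].endswith("$"),
                                     "failures": 0, "sources": set(), "enctypes": set()})
        rec["failures"] += 1
        rec["enctypes"].add(m["enc"])
        if princ in last_ip:
            rec["sources"].add(last_ip[princ])
    return out

def machine_accounts_with_failed_preauth(log_text):
    """Computer accounts whose secret no longer matches the KDC's: the clients needing a reset or rejoin."""
    return sorted(p for p, r in summarize_preauth_failures(log_text).items() if r["is_machine"])
```

Run it over the DC's real log (`samba -d 3` or `log level = 3` as in the thread) to get the list of hosts to deal with instead of rejoining every Windows 7 machine blindly.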