[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10

Paulo Cesar paulo_rallye at yahoo.com.br
Tue Sep 12 13:23:25 UTC 2023


 Hello Andrew! Thank you for your collaboration.
Today I carried out new experiments in a test environment and found that when using the following options in the smb.conf file it was possible to add Windows XP SP3 to the domain:
kdc default domain supported enctypes = 4
kdc force enable rc4 weak session keys = yes
kdc supported enctypes = 4
ntlm auth = yes
client lanman auth = yes
client ntlmv2 auth = yes
client min protocol = NT1
server min protocol = NT1
allow nt4 crypto:TESTEXPPC$ = yes
server reject md5 schannel:TESTEXPPC$ = no

When I change the options related to "kdc" beyond type 4 (RC4) the "internal error" appears again.
After the machine joins the domain I can comment on the parameters related to the KDC and it is still possible to authenticate on the machine.
I am also aware, as documented at "https://www.ietf.org/rfc/bcp/bcp218.html" that the RC4 encryption type used in Windows XP is weak and should no longer be in use.
As for your suggestion of using Windows 2003 instead of Windows XP, unfortunately this is not possible in our situation due to issues related to software licensing. In any case, thank you for your consideration in paying attention to my problem.
I will continue analyzing the situation here and evaluating how we can handle the Windows XP case without greatly weakening the security of the environments for which I provide support. If anyone on the list can help with suggestions I would be happy to receive them.
I hope that my information in these posts can also be useful, in some way, to anyone interested.

    On Monday, 11 September 2023 at 16:55:51 BRT, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
 
 On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via samba wrote:
> I also know about the fact that Windows XP is an obsolete system and
> should no longer be in use but unfortunately it is still used in some
> specific situations for some of the organizations that I provide
> services.

If I was in this situation, and Windows XP failed but Windows 2003
still worked, I would try to use Windows 2003 for whatever the need is.

Hopefully they are compatible enough for whatever special use case you
have.  

But in general, they are much the same codebase, but I wonder if
possibly the server got a few more late patches.

In mentioning WinXP, I notice they are still issuing some security
patches, like this one:

https://www.microsoft.com/en-us/download/details.aspx?id=55245

(Also for 2003)
https://www.microsoft.com/en-us/download/details.aspx?id=55248

As to debugging, clearly the join fails at:

09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors

I would ensure the clocks are already in sync with NTP, then get a
network trace taken from the server and turn up the Samba logs to 'log
level = 10', with 'debug highres timestamp = yes' and look for the
matching packet (a bind presumably) and anything samba indicates about
the failure.

But this may be a case for a Samba commercial support provider, it
looks pretty tricky.

Andrew,

-- 
Andrew Bartlett (he/him)      https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
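The smb.conf fragment earlier in this thread mixes settings that affect every client (the kdc enctype masks, ntlm auth, the NT1 protocol floors) with two that are scoped to the single XP machine account via the "parameter:ACCOUNT$" form, and the poster notes the kdc lines can be commented out again after the join. The following auditor is an added example, not code from this thread or from the Samba project: it parses a minimal smb.conf, flags the legacy-crypto settings named above, and separates live global settings from per-account overrides and commented-out lines. The enctype bit values (4 = RC4-HMAC, 8 = AES128, 16 = AES256) follow the msDS-SupportedEncryptionTypes bitmask the kdc enctype parameters use; the sample config is constructed, with a placeholder realm.

```python
"""Audit an smb.conf for the legacy-crypto settings discussed in the thread.

Added example, not from the thread or the Samba project. The parser is a
minimal one for "key = value" and "key:SCOPE = value" lines; run it over
'testparm -s' output to see the values Samba actually resolves.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# msDS-SupportedEncryptionTypes bit values used by the kdc enctype masks.
RC4, AES128, AES256 = 0x4, 0x8, 0x10

# Parameter/value pairs from the thread's smb.conf that weaken the domain.
WEAK_VALUES = {
    "kdc force enable rc4 weak session keys": {"yes"},
    "ntlm auth": {"yes"},            # "yes" permits NTLMv1
    "client lanman auth": {"yes"},
    "client min protocol": {"nt1"},
    "server min protocol": {"nt1"},
    "allow nt4 crypto": {"yes"},
    "server reject md5 schannel": {"no"},
}
ENCTYPE_PARAMS = {"kdc default domain supported enctypes", "kdc supported enctypes"}

SECTION_RE = re.compile(r"^\s*\[(.+)\]\s*$")
# Optional leading '#' or ';' marks a commented-out line; an optional
# ":SCOPE" after the key is the per-account override form.
LINE_RE = re.compile(
    r"^\s*(?P<comment>[#;])?\s*(?P<key>[^=:\[\]]+?)"
    r"(?::(?P<scope>[^=]+?))?\s*=\s*(?P<value>.*?)\s*$"
)


@dataclass(frozen=True)
class Finding:
    section: str
    parameter: str
    scope: Optional[str]   # machine account the override applies to, if any
    value: str
    live: bool             # False when the line is commented out
    reason: str


def enctype_reason(value: str) -> Optional[str]:
    """Explain why an enctype mask is a concern, or None if it is not."""
    try:
        mask = int(value, 0)
    except ValueError:
        return None
    if mask & RC4 and not mask & (AES128 | AES256):
        return "RC4-only Kerberos enctypes (mask %d)" % mask
    if mask & RC4:
        return "RC4 still offered alongside AES (mask %d)" % mask
    return None


def audit_smb_conf(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        key = " ".join(m.group("key").split()).lower()
        scope = m.group("scope").strip() if m.group("scope") else None
        value = m.group("value").strip().lower()
        live = m.group("comment") is None
        reason = None
        if key in ENCTYPE_PARAMS:
            reason = enctype_reason(value)
        elif key in WEAK_VALUES and value in WEAK_VALUES[key]:
            reason = "%s = %s" % (key, value)
        if reason:
            findings.append(Finding(section, key, scope, value, live, reason))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Split findings into what every client sees, per-account overrides, and disabled lines."""
    return {
        "live_global": sorted(f.parameter for f in findings if f.live and f.scope is None),
        "live_scoped": sorted("%s:%s" % (f.parameter, f.scope) for f in findings if f.live and f.scope),
        "disabled": sorted(f.parameter for f in findings if not f.live),
    }


# Constructed sample: the thread's options, kdc lines commented out post-join.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    ; kdc default domain supported enctypes = 4
    ; kdc force enable rc4 weak session keys = yes
    ; kdc supported enctypes = 4
    ntlm auth = yes
    client lanman auth = yes
    client ntlmv2 auth = yes
    client min protocol = NT1
    server min protocol = NT1
    allow nt4 crypto:TESTEXPPC$ = yes
    server reject md5 schannel:TESTEXPPC$ = no
"""

if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE_SMB_CONF):
        state = "LIVE" if f.live else "commented"
        where = f.scope or "(all clients)"
        print("[%s] %-9s %-40s %s" % (f.section, state, f.reason, where))
```

The headline number for an administrator is the "live_global" list: those are the settings that weaken authentication for every client, not just the XP machine, so they are the first candidates for removal or for narrowing to the account-scoped form the thread already uses for allow nt4 crypto.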

