[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10

Peter Milesson miles at atmos.eu
Wed Sep 13 09:46:57 UTC 2023

On 13.09.2023 10:45, Michael Tokarev via samba wrote:
> 12.09.2023 22:36, Andrew Bartlett via samba:
>> Thanks.  Can you please write up a wiki page with these details?
> Andrew, are you sure we want this info easily findable on the wiki? :)
> I mean, it is terrible, it really is.. I wonder if Microsoft allows
> to join WinXP machines to the current AD domain.  The thing is that
> whole thing should not be used in 2023+, period.  Yes, I understand
> there might be various interesting use cases, but that often can be
> done on a stand-alone WinXP machine, not joined to a domain, - so the
> whole domain isn't crippled.
> It's interesting that Win2003 does not require all the same low-security
> settings.
> BTW, Paolo, I'm curious, - which licensing concerns/issues do you have?
> Microsoft does not sell these versions of windows anymore.  But granted,
> I've no idea what actual terms apply to already sold products now, way
> past end-of-life.
> Myself, I can't say I'm a "software pirate", but I do use many versions
> of windows on my own home machine - to test how windows behaves in various
> versions of QEMU and sometimes test them with samba too, - to ensure we
> ship good samba or qemu able to run windows. I don't have licenses for
> them, and I've no idea if such usage is legal or not (more likely not)..
>> This does disable all AES use, it is unfortunate that you had to set
>> the supported enctypes = 4, there may be a better way to do this.
> [...]
Hi folks,

I want to chime in here, as I was facing a similar problem recently.

I had to set up a local file server for a machine group, where most of 
the machines are using Windows NT4 as OS. The machines are incredibly 
expensive, and replacing the control system on each one of them is not 
an option. The machines sometimes need to connect on demand to technical 
support over the internet, and they need to get production data from a local 
server (alternative is diskettes ;-) ). To the headache is added the 
absence of any type of antivirus protection in the control systems. 
Using some ancient Windows OS as a server was not an option, as I 
haven't got the appropriate license for any suitable OS (it's very 
expensive if you get caught, and you may face jail time), and it still 
wouldn't be working on modern hardware, as there are no drivers available.

As the NT1 protocol is involved here, it was absolutely paramount to 
isolate this group from any other part of the network. I set up an 
isolated VLAN for the group with an internal firewall with no chance to 
connect to anything inside the isolated VLAN. In that VLAN I set up a 
Samba standalone server (Debian 4.18.5) on a tiny barebone PC. Works 
like a charm.

But if NT1 is removed from Samba, how to solve the problem? Run an older 
Linux VM with a Samba version with NT1 under KVM. A modern barebone PC 
with an Intel CPU and VT-d is sufficient, future proof, and cheap.

So by all means, the time is overripe for flushing out NT1 from Samba 
for good.

I wish you all a nice day.
