
Thread: Can't join Windows XP-SP3 to samba PDC (rpc - no AD)

  1. #1
    Join Date
    Dec 2016
    Location
    Somewhere in Italy
    Posts
    76

    Default Can't join Windows XP-SP3 to samba PDC (rpc - no AD)

    Hi,
    I have an openSUSE 13.1 server with Samba 4.2.5 working as the PDC of a domain, with a network share. With Win XP-SP3 correctly joined I can access the network share. With other openSUSE clients I can also access the share (using smb4k).

    Now I have installed (fresh installation) Leap 42.3 and I have some issues with Samba. I configured Samba in the same way as on oss13.1 (same IP, same domain name, same NetBIOS name; obviously Leap 42.3 and oss13.1 don't run at the same time). I have also created a Samba root account (root) and a Samba user (max): both exist in the /etc/passwd file.
    I tried to connect the Win XP machine (it's a VMware virtual machine) used with oss13.1, but it does not work.
    I removed the Win XP machine from the domain and tried to rejoin it (after rebooting the virtual machine), but it does not work.
    I tried with a different Win XP (also a virtual machine) that had never been joined to any domain, but it still does not work.
    I also manually added the machine names as Linux users and to the tdb, but again it does not work.
    Connecting to the network share from an openSUSE client works with both the old server (13.1) and the new server (42.3) without changing anything (i.e. using the same Samba user).
    Now I have run out of ideas / tests.

    Some hints for reading my outputs:
    Domain name (oss13.1 & Leap 42.3): DOMIMAS
    Host name / NetBIOS name (oss13.1 & Leap 42.3): imassrv
    Network share (oss13.1 & Leap 42.3): r
    Machine name of the Win XP VM (a copy of the working VM used with oss13.1, joined to the domain on oss13.1): XPSP3-DOMINIO$
    Machine name of the Win XP VM never joined to any domain: XPSP3-BASE-M$


    Output of smb.conf:
    Code:
    # smb.conf is the main Samba configuration file. You find a full commented
    # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
    # samba-doc package is installed.
    [global]
        workgroup = DOMIMAS
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = Yes
        domain master = Yes
        security = user
        wins support = No
        local master = Yes
        os level = 65
        preferred master = Yes
        wins server = 
    [homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
    [profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
    [users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
    [groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
    [printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775
    
    [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root
    
    [r]
        comment = Disco di Rete
        inherit acls = No
        path = /storage/disco_r
        read only = No
        create mask = 0666
        directory mask = 0777
    Output of log.smbd
    Code:
    [2017/08/23 18:40:41.256575,  0] ../lib/util/become_daemon.c:124(daemon_ready)
      STATUS=daemon 'smbd' finished starting up and ready to serve connections
    [2017/08/23 18:42:35.625471,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:963(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate: no challenge sent to client XPSP3-BASE-M
    [2017/08/23 18:43:55.358474,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1008(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client XPSP3-DOMINIO machine account XPSP3-DOMINIO$
    I get 'no challenge sent to ...' when I try to join the Samba PDC with the machine XPSP3-BASE-M (never connected to the domain).
    I get 'Rejecting auth request from client ...' when Win XP reaches the logon prompt on the machine previously joined to the domain.

    Output of log.nmbd
    Code:
    [2017/08/23 18:40:45.683462,  0] ../lib/util/become_daemon.c:124(daemon_ready)
      STATUS=daemon 'nmbd' finished starting up and ready to serve connections
    [2017/08/23 18:40:45.684969,  0] ../source3/nmbd/nmbd_logonnames.c:162(add_logon_names)
      add_domain_logon_names:
      Attempting to become logon server for workgroup DOMIMAS on subnet 192.168.125.5
    [2017/08/23 18:40:45.685911,  0] ../source3/nmbd/nmbd_logonnames.c:162(add_logon_names)
      add_domain_logon_names:
      Attempting to become logon server for workgroup DOMIMAS on subnet 192.168.149.1
    [2017/08/23 18:40:45.686285,  0] ../source3/nmbd/nmbd_logonnames.c:162(add_logon_names)
      add_domain_logon_names:
      Attempting to become logon server for workgroup DOMIMAS on subnet 192.168.204.1
    [2017/08/23 18:40:45.687289,  0] ../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
      become_domain_master_browser_bcast:
      Attempting to become domain master browser on workgroup DOMIMAS on subnet 192.168.125.5
    [2017/08/23 18:40:45.687522,  0] ../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
      become_domain_master_browser_bcast: querying subnet 192.168.125.5 for domain master browser on workgroup DOMIMAS
    [2017/08/23 18:40:45.687703,  0] ../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
      become_domain_master_browser_bcast:
      Attempting to become domain master browser on workgroup DOMIMAS on subnet 192.168.149.1
    [2017/08/23 18:40:45.687801,  0] ../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
      become_domain_master_browser_bcast: querying subnet 192.168.149.1 for domain master browser on workgroup DOMIMAS
    [2017/08/23 18:40:45.687912,  0] ../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
      become_domain_master_browser_bcast:
      Attempting to become domain master browser on workgroup DOMIMAS on subnet 192.168.204.1
    [2017/08/23 18:40:45.688008,  0] ../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
      become_domain_master_browser_bcast: querying subnet 192.168.204.1 for domain master browser on workgroup DOMIMAS
    [2017/08/23 18:40:49.708406,  0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success)
      become_logon_server_success: Samba is now a logon server for workgroup DOMIMAS on subnet 192.168.125.5
    [2017/08/23 18:40:49.708659,  0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success)
      become_logon_server_success: Samba is now a logon server for workgroup DOMIMAS on subnet 192.168.149.1
    [2017/08/23 18:40:49.708811,  0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success)
      become_logon_server_success: Samba is now a logon server for workgroup DOMIMAS on subnet 192.168.204.1
    [2017/08/23 18:40:53.721208,  0] ../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
      *****
      
      Samba server IMASSRV is now a domain master browser for workgroup DOMIMAS on subnet 192.168.125.5
      
      *****
    [2017/08/23 18:40:53.721489,  0] ../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
      *****
      
      Samba server IMASSRV is now a domain master browser for workgroup DOMIMAS on subnet 192.168.149.1
      
      *****
    [2017/08/23 18:40:53.721653,  0] ../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
      *****
      
      Samba server IMASSRV is now a domain master browser for workgroup DOMIMAS on subnet 192.168.204.1
      
      *****
    [2017/08/23 18:41:08.751368,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
      *****
      
      Samba name server IMASSRV is now a local master browser for workgroup DOMIMAS on subnet 192.168.125.5
      
      *****
    [2017/08/23 18:41:08.751680,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
      *****
      
      Samba name server IMASSRV is now a local master browser for workgroup DOMIMAS on subnet 192.168.149.1
      
      *****
    [2017/08/23 18:41:08.751888,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
      *****
      
      Samba name server IMASSRV is now a local master browser for workgroup DOMIMAS on subnet 192.168.204.1
      
      *****
    Thanks to whoever will reply.

  2. #2
    Join Date
    Dec 2016
    Location
    Somewhere in Italy
    Posts
    76

    Default Re: Can't join Windows XP-SP3 to samba PDC (rpc - no AD)

    I forgot to say that the firewall is not running, and AppArmor is not installed on oss13.1 and is not enabled on Leap 42.3 ...

  3. #3
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: Can't join Windows XP-SP3 to samba PDC (rpc - no AD)

    I wouldn't know about your specific problem, but I can offer some of my SOP to avoid similar problems when migrating between AD Domains.

    You need to first understand that typically all machines communicate with each other (including security) by random number strings often described as MachineIDs and UIDs. Each time you create a new Domain, a new User or whatever, a new random number is generated specifically for that machine or user. The friendly names you use to identify a Domain, User, Machine or whatever are merely mappings to these identifiers, so the consequence is that unless you can preserve the numbers from the first time they're created your names are actually mapping to completely different objects.

    So, you have a few choices...
    You can upgrade your original DC.
    You can build a new DC and add it to your existing Domain, then retire your old DC if you wish.

    or,
    You can build a completely new Domain like you described and re-build everything from scratch.

    There are a variety of techniques you can use to help with each of the above options... like copying an entire machine so you have a working exact copy to test and upgrade without endangering your original, or doing a P2V conversion to virtual machines to enjoy the benefits of virtualization (e.g. snapshots, disposability, cloning, backup/restore options, more).

    And, finally my cardinal rule.
    If you're not preserving your original Domain(or replacing a machine), never re-use a name of any sort. Especially when you're talking about network security, old name mappings in both client and server machines will almost certainly survive (unless you wipe every single machine in your network and start over, but what's the point in that?), and those old mappings will bite you unexpectedly for years. So, avoid those altogether by implementing a completely new naming scheme throughout.

    Only you can determine which of the above choices is the easiest or preferred path.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  4. #4
    Join Date
    Dec 2016
    Location
    Somewhere in Italy
    Posts
    76

    Default Re: Can't join Windows XP-SP3 to samba PDC (rpc - no AD)

    Ciao tsu2, thanks for your reply and for giving me some useful info ....
    I did not try to use another domain name, but I tried to use a different XP machine never connected to the domain, so I think the result should be the same.

    In the end my question is:
    If I did not make any mistake (or forget something), why am I unable to have a working Leap 42.3 / Samba domain / Windows XP setup?
    Does anyone know if something has changed between oss13.1/Samba 4.2.4 and Leap 42.3/Samba 4.6.5 (maybe the Samba default protocol)?

  5. #5
    Join Date
    Dec 2016
    Location
    Somewhere in Italy
    Posts
    76

    Default [SOLVED] Re: Can't join Windows XP-SP3 to samba PDC (rpc - no AD)

    In the end I found the issue. I read all the change logs from Samba 4.2 to Samba 4.6 and compared line by line (the most significant parameters) the outputs of testparm -vs (oss13.1 against Leap 42.3).

    Since Samba 4.5.0 the default value of ntlm auth has been changed to No: setting it to Yes solved my problem.

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: Can't join Windows XP-SP3 to samba PDC (rpc - no AD)

    Congrats on finding your problem and recognizing that a client machine that was never a part of the Domain would not be subject to the issues I described...

    But, IMO the changed setting is likely unintentional, so
    I'd strongly suggest and ask you to submit this issue as a <bug> (not a feature request) to https://bugzilla.opensuse.org.

    I find it kind of hard to believe that anyone setting up a SAMBA Server/Domain would ever want ntlm support disabled.

    EDIT:
    Um, I had a change of mind. Apparently this setting enables NTLMv1 which is now widely known to be vulnerable to hacking so it should <never> be used.
    Of course, the problem is that WinXP only supports NTLMv1

    TSU
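The line-by-line comparison of `testparm -vs` output described in post #5, together with the NTLMv1 caveat from post #6, as an added example that is not code from the thread or from the Samba project. The two dumps below are constructed stand-ins for the oss13.1/Samba 4.2 and Leap 42.3/Samba 4.6 outputs (a few [global] lines each), not real output copied from the posts; the list of watched parameters and the table of weak values are this example's own choices; the hint that Windows XP can be set to send NTLMv2 only via LmCompatibilityLevel 3 or higher is a Windows-side setting that was not tested in this thread.

```python
"""Diff security-relevant [global] parameters between two `testparm -sv`
dumps and flag values that re-enable NTLMv1.

Added example for this thread, not code from the original posts or from
the Samba project. OLD_DUMP / NEW_DUMP are constructed stand-ins for the
oss13.1/Samba 4.2 and Leap 42.3/Samba 4.6 dumps, not real output.
"""
import re

# Parameters to compare after a Samba upgrade breaks joins or logons.
# This list is the example's own choice, not a Samba-provided one.
WATCHED = (
    "security",
    "domain logons",
    "ntlm auth",
    "lanman auth",
    "client ntlmv2 auth",
    "server min protocol",
    "client min protocol",
    "map to guest",
)

# `ntlm auth` values that permit NTLMv1 on the server. 4.5/4.6 print the
# boolean form; later releases also accept the spelled-out form.
NTLMV1_PERMITTING = {"yes", "true", "1", "ntlmv1-permitted"}

# Other weak [global] values and the hardened setting to use instead.
WEAK = {
    "lanman auth": ({"yes", "true", "1"}, "lanman auth = No"),
    "client ntlmv2 auth": ({"no", "false", "0"}, "client ntlmv2 auth = Yes"),
}

PARAM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*(.*?)$")
NOISE = ("Load smb config", "Processing section", "Loaded services",
         "Server role", "Press enter", "#", ";")


def parse_testparm(text):
    """Return {section: {param: value}} from `testparm -sv` style output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(NOISE):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip().lower()] = m.group(2).strip()
    return sections


def diff_global(old_text, new_text, watched=WATCHED):
    """(param, old, new) for each watched [global] parameter that differs."""
    old = parse_testparm(old_text).get("global", {})
    new = parse_testparm(new_text).get("global", {})
    changed = []
    for p in watched:
        ov, nv = old.get(p, "<unset>"), new.get(p, "<unset>")
        if ov.lower() != nv.lower():
            changed.append((p, ov, nv))
    return changed


def ntlmv1_permitted(text):
    """True if the dump's [global] `ntlm auth` lets clients use NTLMv1.
    `testparm -v` prints every parameter, so a missing line means the dump
    was not verbose; that case is reported as not permitted."""
    g = parse_testparm(text).get("global", {})
    return g.get("ntlm auth", "").lower() in NTLMV1_PERMITTING


def weak_settings(text):
    """(param, value, hardened) for weak [global] values found in the dump."""
    g = parse_testparm(text).get("global", {})
    found = []
    if ntlmv1_permitted(text):
        found.append(("ntlm auth", g.get("ntlm auth"),
                      "ntlm auth = No (clients must send NTLMv2; on Windows XP "
                      "set LmCompatibilityLevel to 3 or higher)"))
    for p, (bad, fix) in WEAK.items():
        if g.get(p, "").lower() in bad:
            found.append((p, g[p], fix))
    return found


# Constructed sample dumps (not real testparm output from the thread).
OLD_DUMP = """\
Load smb config files from /etc/samba/smb.conf
Processing section "[r]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

[global]
    workgroup = DOMIMAS
    security = USER
    domain logons = Yes
    lanman auth = No
    ntlm auth = Yes
    client ntlmv2 auth = Yes
    map to guest = Bad User

[r]
    path = /storage/disco_r
    read only = No
"""

NEW_DUMP = OLD_DUMP.replace("ntlm auth = Yes", "ntlm auth = No")

if __name__ == "__main__":
    for p, ov, nv in diff_global(OLD_DUMP, NEW_DUMP):
        print(f"changed: {p}: {ov} -> {nv}")
    for p, v, fix in weak_settings(OLD_DUMP):
        print(f"weak on old server: {p} = {v}; hardened: {fix}")
    print("new server permits NTLMv1:", ntlmv1_permitted(NEW_DUMP))
```

To use it on real servers, paste the output of `testparm -sv` from each machine into OLD_DUMP and NEW_DUMP (or read the two strings from files). With the constructed dumps the only watched difference is `ntlm auth`, which is exactly the parameter the thread ended up on; `weak_settings` then shows that setting it back to Yes re-enables NTLMv1 on the server for every client, not only for the XP machine.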
