Can't join Windows XP-SP3 to samba PDC (rpc - no AD)

Hi,
I have an openSUSE 13.1 server with Samba 4.2.5 working as PDC domain with a network share. With Win XP-SP3 correctly joined I can access the network share. Also with other openSUSE clients I can access the share (using smb4k).

Now I’ve installed (fresh installation) Leap 42.3 and I have some issues with Samba. I configured Samba in the same way as on oss13.1 (same IP, same domain name, same NetBIOS name; obviously Leap 42.3 & oss13.1 don’t run together). I’ve also created a Samba root account (root) and a Samba user (max): both exist in the /etc/passwd file.
I tried to connect the Win XP (it’s a VMware virtual machine) used with oss13.1, but it does not work.
I removed Win XP from the domain and tried to rejoin it (after rebooting the virtual machine), but it does not work.
I tried with a different Win XP (also a virtual machine) never joined to any domain before, but it still does not work.
I also added the machine names manually as Linux users and to the tdb, but again it does not work.
Connecting to the network share from an openSUSE client works with both the old server (13.1) and the new server (42.3) without changing anything (i.e. using the same Samba user).
Now I’ve run out of ideas / tests.

Some hints for reading my outputs:
Domain name (oss13.1 & Leap 42.3): DOMIMAS
Host name / NetBIOS name (oss13.1 & Leap 42.3): imassrv
Network share (oss13.1 & Leap 42.3): r
Machine name Win XP (a copy of the working VM used with oss13.1 and joined to the domain with oss13.1): XPSP3-DOMINIO$
Machine name Win XP (a new VM never joined to any domain): XPSP3-BASE-M$

Output of smb.conf:


# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
    workgroup = DOMIMAS
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
    domain logons = Yes
    domain master = Yes
    security = user
    wins support = No
    local master = Yes
    os level = 65
    preferred master = Yes
    wins server = 
[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/
[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes
[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    write list = root

[r]
    comment = Disco di Rete
    inherit acls = No
    path = /storage/disco_r
    read only = No
    create mask = 0666
    directory mask = 0777

Output of log.smbd:


[2017/08/23 18:40:41.256575,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2017/08/23 18:42:35.625471,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:963(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client XPSP3-BASE-M
[2017/08/23 18:43:55.358474,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1008(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client XPSP3-DOMINIO machine account XPSP3-DOMINIO$

I get ‘no challenge sent to …’ when I try to join the Samba PDC with the machine XPSP3-BASE-M (never connected to the domain).
I get ‘Rejecting auth request from client …’ when Win XP reaches the logon prompt with the machine previously joined to the domain.

Output of log.nmbd:


[2017/08/23 18:40:45.683462,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'nmbd' finished starting up and ready to serve connections
[2017/08/23 18:40:45.684969,  0] ../source3/nmbd/nmbd_logonnames.c:162(add_logon_names)
  add_domain_logon_names:
  Attempting to become logon server for workgroup DOMIMAS on subnet 192.168.125.5
[2017/08/23 18:40:45.685911,  0] ../source3/nmbd/nmbd_logonnames.c:162(add_logon_names)
  add_domain_logon_names:
  Attempting to become logon server for workgroup DOMIMAS on subnet 192.168.149.1
[2017/08/23 18:40:45.686285,  0] ../source3/nmbd/nmbd_logonnames.c:162(add_logon_names)
  add_domain_logon_names:
  Attempting to become logon server for workgroup DOMIMAS on subnet 192.168.204.1
[2017/08/23 18:40:45.687289,  0] ../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup DOMIMAS on subnet 192.168.125.5
[2017/08/23 18:40:45.687522,  0] ../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
  become_domain_master_browser_bcast: querying subnet 192.168.125.5 for domain master browser on workgroup DOMIMAS
[2017/08/23 18:40:45.687703,  0] ../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup DOMIMAS on subnet 192.168.149.1
[2017/08/23 18:40:45.687801,  0] ../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
  become_domain_master_browser_bcast: querying subnet 192.168.149.1 for domain master browser on workgroup DOMIMAS
[2017/08/23 18:40:45.687912,  0] ../source3/nmbd/nmbd_become_dmb.c:294(become_domain_master_browser_bcast)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup DOMIMAS on subnet 192.168.204.1
[2017/08/23 18:40:45.688008,  0] ../source3/nmbd/nmbd_become_dmb.c:307(become_domain_master_browser_bcast)
  become_domain_master_browser_bcast: querying subnet 192.168.204.1 for domain master browser on workgroup DOMIMAS
[2017/08/23 18:40:49.708406,  0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success)
  become_logon_server_success: Samba is now a logon server for workgroup DOMIMAS on subnet 192.168.125.5
[2017/08/23 18:40:49.708659,  0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success)
  become_logon_server_success: Samba is now a logon server for workgroup DOMIMAS on subnet 192.168.149.1
[2017/08/23 18:40:49.708811,  0] ../source3/nmbd/nmbd_logonnames.c:123(become_logon_server_success)
  become_logon_server_success: Samba is now a logon server for workgroup DOMIMAS on subnet 192.168.204.1
[2017/08/23 18:40:53.721208,  0] ../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
  *****
  
  Samba server IMASSRV is now a domain master browser for workgroup DOMIMAS on subnet 192.168.125.5
  
  *****
[2017/08/23 18:40:53.721489,  0] ../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
  *****
  
  Samba server IMASSRV is now a domain master browser for workgroup DOMIMAS on subnet 192.168.149.1
  
  *****
[2017/08/23 18:40:53.721653,  0] ../source3/nmbd/nmbd_become_dmb.c:112(become_domain_master_stage2)
  *****
  
  Samba server IMASSRV is now a domain master browser for workgroup DOMIMAS on subnet 192.168.204.1
  
  *****
[2017/08/23 18:41:08.751368,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****
  
  Samba name server IMASSRV is now a local master browser for workgroup DOMIMAS on subnet 192.168.125.5
  
  *****
[2017/08/23 18:41:08.751680,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****
  
  Samba name server IMASSRV is now a local master browser for workgroup DOMIMAS on subnet 192.168.149.1
  
  *****
[2017/08/23 18:41:08.751888,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****
  
  Samba name server IMASSRV is now a local master browser for workgroup DOMIMAS on subnet 192.168.204.1
  
  *****

Thanks to whoever will reply.

I forgot to say that the firewall is not running and AppArmor is not installed on oss13.1 and is not enabled on Leap 42.3 …

I wouldn’t know about your specific problem, but I can offer some of my SOP to avoid similar problems when migrating between AD Domains.

You need to first understand that typically all machines communicate with each other (including security) by random number strings often described as MachineIDs and UIDs. Each time you create a new Domain, a new User or whatever, a new random number is generated specifically for that machine or user. The friendly names you use to identify a Domain, User, Machine or whatever are merely mappings to these identifiers, so the consequence is that unless you can preserve the numbers from the first time they’re created your names are actually mapping to completely different objects.

So, you have a few choices…
You can upgrade your original DC.
You can build a new DC and add it to your existing Domain, then retire your old DC if you wish.

or,
You can build a completely new Domain like you described and re-build everything from scratch.

There are a variety of techniques you can use to help with each of the above options… like copying an entire machine so you have a working exact copy to test and upgrade without endangering your original, or you can do a P2V, converting to virtual machines to enjoy the benefits of virtualization (e.g. snapshots, disposability, cloning, backup/restore options, more).

And, finally my cardinal rule.
If you’re not preserving your original Domain (or replacing a machine), never re-use a name of any sort. Especially when you’re talking about network security, old name mappings in both client and server machines will almost certainly survive (unless you wipe every single machine in your network and start over, but what’s the point in that?), and those old mappings will bite you unexpectedly for years. So, avoid those altogether by implementing a completely new naming scheme throughout.

Only you can determine which of the above choices is the easiest or preferred path.

TSU

Ciao tsu2, thanks for your reply and for giving me some useful info …
I did not try to use another domain name, but I tried to use a different XP machine never connected to the domain, so I think the result should be the same.

In the end my question is:
If I didn’t make any mistake (or forget something), why am I unable to have a working Leap 42.3 / Samba domain / Windows XP?
Does anyone know if something has changed between oss13.1/Samba 4.2.4 and Leap 42.3/Samba 4.6.5 (maybe the Samba default protocol)?

In the end I found the issue. I read all the change logs from Samba 4.2 to Samba 4.6 and compared line by line (the most significant parameters) the outputs of testparm -vs (oss13.1 against Leap 42.3).

Since Samba 4.5.0 the default value of ntlm auth has been changed to No: setting it to Yes solved my problem.
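The comparison described above, as an added example that is not the poster's own tooling: a small Python script that parses two `testparm -vs` dumps, lists the [global] parameters that differ, and reports whether the resulting configuration permits NTLMv1 (the setting the thread's later reply warns about). The two dumps are constructed stand-ins for the oss13.1 and Leap 42.3 outputs, trimmed to a few parameters.

```python
# Added example (not from the thread): diff two `testparm -vs` dumps and
# flag the NTLMv1 setting. The dumps are constructed stand-ins for the
# oss13.1 (Samba 4.2) and Leap 42.3 (Samba 4.6) outputs.
import re

OLD_DUMP = """\
[global]
	workgroup = DOMIMAS
	domain logons = Yes
	ntlm auth = Yes
"""
NEW_DUMP = """\
[global]
	workgroup = DOMIMAS
	domain logons = Yes
	ntlm auth = No
"""

def parse_testparm(text):
    """Return {section: {param: value}} from smb.conf / testparm text.
    Parameter names are case-insensitive in Samba, so they are lowercased
    with whitespace collapsed before being used as keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def diff_globals(old, new):
    """Map each differing [global] parameter to (old_value, new_value)."""
    a, b = old.get("global", {}), new.get("global", {})
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def ntlmv1_enabled(sections):
    """True when `ntlm auth` is Yes (the thread's fix), which lets clients
    authenticate with NTLMv1. An absent value is treated as the 4.5.0+ default No."""
    value = sections.get("global", {}).get("ntlm auth", "no")
    return value.lower() in ("yes", "true", "1")

if __name__ == "__main__":
    old, new = parse_testparm(OLD_DUMP), parse_testparm(NEW_DUMP)
    print(diff_globals(old, new), "NTLMv1 on new server:", ntlmv1_enabled(new))
```

Feed it the real `testparm -vs` output from both servers (every parameter is printed explicitly by `-v`) to get the full list of changed defaults rather than only the one shown here.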

Congrats on finding your problem and recognizing that a client machine that was never a part of the Domain would not be subject to the issues I described…

But, IMO the changed setting is likely unintentional, so
I’d strongly suggest and ask you to submit this issue as a <bug> (not a feature request) to https://bugzilla.opensuse.org.

I find it kind of hard to believe that anyone setting up a SAMBA Server/Domain would ever want ntlm support disabled.

EDIT:
Um, I had a change of mind. Apparently this setting enables NTLMv1, which is now widely known to be vulnerable to hacking, so it should <never> be used.
Of course, the problem is that WinXP only supports NTLMv1.

TSU