Re: [Samba] samba 4.4.14 breaks classic domain

Setting my domain controllers to use SMB2 breaks Windows domain authentication for Windows clients. I don't know why. The clients in question are Windows 7 and Windows 2008 R2.

Once I set the domain controllers and problem member server to

        server max protocol = NT1
        server min protocol = NT1
        client max protocol = NT1
        client min protocol = NT1

the domain join problem went away.

I don't know what would happen if I had the member servers use

        server max protocol = SMB2
        server min protocol = NT1

Presumably that would not affect authentication from Windows clients.

On 06/21/17 14:57, Gaiseric Vandal wrote:
Good catch. I had set server max protocol to NT1 after upgrading from Samba 3.x to 4.x. Some Windows clients had problems with SMB2 and file shares (though this should not really be an issue with the domain controllers).

I have now set the DCs to

        server max protocol = SMB2
        server min protocol = NT1

and the client machine to be

        client max protocol = SMB2
        client min protocol = NT1

But it doesn't fix the problem. I don't think the

The machine in question is not used heavily so it is possible there was some issue prior to the latest patch.

Setting a 4.4.13 version machine to use NT1 and SMB2 as the min and max protocols for client and server does not seem to cause any problems with validating the domain membership.

I had compiled samba 4.5.1 some months ago in an alternate directory, and it also fails with "net join" (although it may be picking up library files that were updated with the system update.)

I may try rolling back the OS patches.

On 06/21/17 12:18, Rowland Penny via samba wrote:
On Wed, 21 Jun 2017 11:55:47 -0400
Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx> wrote:

I increased the logging to 10 on the problem member server.  Didn't
see anything of interest.

I did a packet capture on the PDC while typing "net rpc testjoin"
from both the problem member server (4.4.14) and a working member
server (4.4.13)


         SMB:  ----- SMB Header -----
         SMB:  Command code = 0x72
         SMB:  Command name =  SMBnegprot
         SMB:  SMB Status:
         SMB:     - Error class = No error
         SMB:     - Error code = No error
         SMB:  Header:
         SMB:     - Tree ID      (TID) = 0x0000
         SMB:     - Process ID   (PID) = 0xfffe
         SMB:     - User ID      (UID) = 0x0000
         SMB:     - Multiplex ID (MID) = 0x0000
         SMB:     - Flags summary = 0x18
         SMB:     - Flags2 summary = 0xc843
         SMB:  ByteCount = 49
         SMB:  Dialect String = NT LANMAN 1.0
         SMB:  Dialect String = NT LM 0.12
         SMB:  Dialect String = SMB 2.002
         SMB:  Dialect String = SMB 2.???

On the working member server, the packet capture included a lot of
"SMB" traffic.  With the problem server,  all the "SMB" packets were


         SMB:  ----- SMB:   -----
         SMB:  ""

Both machines are configured for a max protocol of SMB2.  The problem
machine is also configured for a min protocol of SMB2.

testparm -v

          client ipc max protocol = default
          client max protocol = SMB2
          server max protocol = SMB2

          client ipc min protocol = SMB2
          client min protocol = SMB2
          server min protocol = SMB2

On the PDC, the log file for IP_ADDRESS_OF_PROBLEM_SERVER shows

          Non-SMB packet of length 182. Terminating server

I wonder if this has anything to do with the same reason that you have
to set 'server max protocol = NT1' in smb.conf on the PDC if using
Win10 clients, see here for more info:
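
Added example, not part of the original thread: a small Python check that reads the min/max protocol lines from two hosts' `testparm -v` output and lists the dialects both sides would accept. The dialect ordering and the SMB2/SMB3 alias targets follow the smb.conf man page; the function names are hypothetical, the sample inputs are constructed from the settings quoted in the thread, and the `client ipc` parameters are ignored.

```python
import re

# Samba dialect names, lowest to highest, as listed in smb.conf(5).
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
         "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
# smb.conf(5): "SMB2" selects SMB2_10 and "SMB3" selects SMB3_11 by default.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
LINE = re.compile(r"^\s*(client|server)\s+(min|max)\s+protocol\s*=\s*(\S+)", re.I)

def parse_protocols(text):
    """Map e.g. 'client min' -> 'SMB2' from smb.conf or testparm -v text."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)  # 'client ipc ...' lines do not match
        if m:
            found[f"{m.group(1).lower()} {m.group(2).lower()}"] = m.group(3).upper()
    return found

def rank(name):
    return ORDER.index(ALIASES.get(name, name))

def negotiable(client_cfg, server_cfg):
    """Dialects accepted by both the connecting host and the serving host."""
    lo = max(rank(client_cfg["client min"]), rank(server_cfg["server min"]))
    hi = min(rank(client_cfg["client max"]), rank(server_cfg["server max"]))
    return ORDER[lo:hi + 1]  # empty list when the two ranges do not overlap

# Constructed inputs, using the settings quoted in the thread.
MEMBER = parse_protocols("""
    client ipc max protocol = default
    client max protocol = SMB2
    client min protocol = SMB2
""")
DC_NT1_ONLY = parse_protocols("""
    server max protocol = NT1
    server min protocol = NT1
""")
DC_NT1_TO_SMB2 = parse_protocols("""
    server max protocol = SMB2
    server min protocol = NT1
""")

if __name__ == "__main__":
    for label, dc in (("DC NT1 only", DC_NT1_ONLY), ("DC NT1..SMB2", DC_NT1_TO_SMB2)):
        common = negotiable(MEMBER, dc)
        print(f"{label}: {common if common else 'no common dialect'}")
```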



