Web lists-archives.com

Re: [Samba] Problem to join a windows XP




If you have had more attempts, then i suggest, remove the computer from domain. 
Reboot it.

Now first try this:  change the workgroup name of the XP pc to the same name as defined in smb.conf  (VIDROESTE) 
Reboot the XP pc. 
Wait 5 min. 

Now go join the domain, and did that work? ( old trick, works sometimes. ) 
I suggest try it since its an easy one to try out. 

An other thing to check, open CMD: 
ipconfig /all
Is the dns-suffix the same as the search in /etc/resolv.conf ? 
Is helps if it is. ( and imo, should be if you in the same lan.


If its not working, remove the xp pc again from the domain.
Clean up dns (a/ptr) 
Clean up AD, remove old pc names. 

Read this one.
https://www.thomaskay.me/samba-interoperability-with-windows-operating-systems-greater-than-xp/ 
Try these settings and try to join, if that does not work, add the parameters below to smb.conf 

   lm announce = no 
   lanman auth = no 
   ntlm auth = no 
   client lanman auth = no 
   client ntlmv2 auth = yes 

This should keep samba secure and allows XP clients, but remember, this maybe work for XP but might give problem for Win10. 
Please keep in mind, i dont recommend this at all. 

And note: I DONT RECOMMEND THIS! 
I think pretty clear.. 

Its more cost efficient to upgrade XP/buy a cheap win10 pro licence. 
Search for second hand or imported licences, its a pain for MS, but its legal in EU. 
Tip, gamekeydiscounter around 10 euro per w10pro lic, remember LEGAL in EU. 
Check your country if its legal there also. 

Greetz, 

Louis






> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Rogerio Bettini via samba
> Verzonden: woensdag 24 april 2019 13:37
> Aan: samba@xxxxxxxxxxxxxxx; Rowland Penny
> Onderwerp: Re: [Samba] Problem to join a windows XP
> 
> Rowland, it was a typo. Sorry, I paste the smb.conf twice.
> I changed the smb.conf as you proposed, so: dns forwarder 
> removed - yes it's in named.conf, and ntlm auth / lanman auth 
>  removed.
> I also checked the NTLMv2 configuration in windows XP.
> But the error is still there.
> 
> I guess it's MIT as saw this in log:
>   /usr/lib/mit/sbin/krb5kdc:   kerberos: 10
> But how can I confirm which kerberos I'm using ?
> 
> The log generated with "log level = 10" is too large to post 
> here, but I can see and can't understand why the machine 
> account has the property ACB_DISABLED = 1 - that part of log is below:
> [2019/04/24 08:21:29.617310,  6, pid=3872, effective(0, 0), 
> real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
>   gendb_search_v: 
> CN=VMXPZERO,CN=Computers,DC=vidroeste,DC=ind NULL -> 1
> [2019/04/24 08:21:29.617337,  1, pid=3872, effective(0, 0), 
> real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
>        samr_QueryUserInfo: struct samr_QueryUserInfo
>           out: struct samr_QueryUserInfo
>               info                     : *
>                   info                     : *
>                       info                     : union 
> samr_UserInfo(case 16)
>                       info16: struct samr_UserInfo16
>                           acct_flags               : 0x00000085 (133)
>                                  1: ACB_DISABLED
>                                  0: ACB_HOMDIRREQ
>                                  1: ACB_PWNOTREQ
>                                  0: ACB_TEMPDUP
>                                  0: ACB_NORMAL
>                                  0: ACB_MNS
>                                  0: ACB_DOMTRUST
>                                  1: ACB_WSTRUST
>                                  0: ACB_SVRTRUST
>                                  0: ACB_PWNOEXP
>                                  0: ACB_AUTOLOCK
>                                  0: ACB_ENC_TXT_PWD_ALLOWED
>                                  0: ACB_SMARTCARD_REQUIRED
>                                  0: ACB_TRUSTED_FOR_DELEGATION
>                                  0: ACB_NOT_DELEGATED
>                                  0: ACB_USE_DES_KEY_ONLY
>                                  0: ACB_DONT_REQUIRE_PREAUTH
>                                  0: ACB_PW_EXPIRED
>                                  0: 
> ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
>                                  0: ACB_NO_AUTH_DATA_REQD
>                                  0: ACB_PARTIAL_SECRETS_ACCOUNT
>                                  0: ACB_USE_AES_KEYS
>               result                   : NT_STATUS_OK
> 
> 
> 
> 
> 
> ________________________________
> De: samba <samba-bounces@xxxxxxxxxxxxxxx> em nome de Rowland 
> Penny via samba <samba@xxxxxxxxxxxxxxx>
> Enviado: terça-feira, 23 de abril de 2019 20:23
> Para: samba@xxxxxxxxxxxxxxx
> Assunto: Re: [Samba] Problem to join a windows XP
> 
> On Tue, 23 Apr 2019 19:27:21 +0000
> Rogerio Bettini via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > Hi,
> > I'm not able to join a windows XP machine in samba AD DC. This XP
> > machine is a VM. No problems when joining Windows 10 
> machines to this
> > DC.
> >
> > On XP machine, after inserting the Administrator 
> username\password to
> > join the domain, the error message is - error while attempting to
> > join the domain "VIDROESTE.IND": Internal error. I can see that the
> > XP machine account was created in AD but it is disabled. In this AD
> > account, there is no information at the "DNS name" property.
> >
> > All the tests suggested in wiki where successfully executed
> > 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active
> _Directory_Domain_Controller#Verifying_DNS
> >
> >
> > For samba AD-DC, I'm using:
> > - OpenSuSE Leap 15.0
> > - no AppArmor or SELinux active
> > - Samba version is Version
> > 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUSE-oS15.0-x86_64
> > - using Bind9
> >
> > Does someone passed on something similar? Thanks in advance.
> >
> > My smb.conf is below.
> > # Global parameters
> > [global]
> > dns forwarder = 8.8.8.8 8.8.4.4
> > bind interfaces only = Yes
> > interfaces = eth0
> > netbios name = DC1
> > realm = VIDROESTE.IND
> > server string = Suse Leap 15.0
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbindd, ntp_signd, kcc, dnsupdate workgroup = VIDROESTE
> > idmap_ldb:use rfc2307 = yes
> > # Global parameters
> > [global]
> > dns forwarder = 8.8.8.8 8.8.4.4
> > bind interfaces only = Yes
> > interfaces = eth0
> > netbios name = DC1
> > realm = VIDROESTE.IND
> > server string = Suse Leap 15.0
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbindd, ntp_signd, kcc, dnsupdate workgroup = VIDROESTE
> > idmap_ldb:use rfc2307 = yes
> >
> > #To windows XP
> > ntlm auth = yes
> > lanman auth = yes
> > #log level = 10
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/vidroeste.ind/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No ntlm auth = yes
> > lanman auth = yes
> > #log level = 10
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/vidroeste.ind/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> 
> Unless that is the biggest typo I have seen, you have 
> everything twice,
> can I suggest you ensure your smb.conf is just this:
> 
> [global]
> bind interfaces only = Yes
> interfaces = eth0
> netbios name = DC1
> realm = VIDROESTE.IND
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = VIDROESTE
> idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
> path = /var/lib/samba/sysvol/vidroeste.ind/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> Check that you have your forwarders set in your named.conf files (they
> are in your smb.conf at the moment, where they will do nothing)
> 
> Next turn your attention to the XP machine and make it use NTLMv2, see
> here:
> 
> https://support.symantec.com/en_US/article.HOWTO54187.html
> 
> Finally, I do not know what kerberos your SUSE packages are using, so
> you need to find out. If it is MIT, then I would suggest you 
> stop using
> them, using MIT is experimental and shouldn't be used in production.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba