Paulo Cesar
2023-Sep-12 13:23 UTC
[Samba] Windows XP SP3 cannot join the Samba AD domain on Debian 11 4.17.10
Hello Andrew! Thank you for your collaboration.

Today I carried out new experiments in a test environment and found that when using the following options in the smb.conf file it was possible to add Windows XP SP3 to the domain:

    kdc default domain supported enctypes = 4
    kdc force enable rc4 weak session keys = yes
    kdc supported enctypes = 4
    ntlm auth = yes
    client lanman auth = yes
    client ntlmv2 auth = yes
    client min protocol = NT1
    server min protocol = NT1
    allow nt4 crypto:TESTEXPPC$ = yes
    server reject md5 schannel:TESTEXPPC$ = no

When I change the options related to "kdc" beyond type 4 (RC4) the "internal error" appears again.

After the machine joins the domain I can comment out the parameters related to the KDC and it is still possible to authenticate on the machine.

I am also aware, as documented at "https://www.ietf.org/rfc/bcp/bcp218.html", that the RC4 encryption type used in Windows XP is weak and should no longer be in use.

As for your suggestion of using Windows 2003 instead of Windows XP, unfortunately this is not possible in our situation due to issues related to software licensing. In any case, thank you for your consideration in paying attention to my problem.

I will continue analyzing the situation here and evaluating how we can handle the Windows XP case without greatly weakening the security of the environments for which I provide support. If anyone on the list can help with suggestions I would be happy to receive them.

I hope that my information in these posts can also be useful, in some way, to anyone interested.
On Monday, 11 September 2023 at 16:55:51 BRT, Andrew Bartlett via samba <samba at lists.samba.org> wrote:

On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via samba wrote:
> I also know about the fact that Windows XP is an obsolete system and
> should no longer be in use but unfortunately it is still used in some
> specific situations for some of the organizations that I provide
> services.

If I was in this situation, and Windows XP failed but Windows 2003 still worked, I would try to use Windows 2003 for whatever the need is.

Hopefully they are compatible enough for whatever special use case you have. But in general, they are much the same codebase, but I wonder if possibly the server got a few more late patches.

In mentioning WinXP, I notice they are still issuing some security patches, like this one:

https://www.microsoft.com/en-us/download/details.aspx?id=55245

(Also for 2003)
https://www.microsoft.com/en-us/download/details.aspx?id=55248

As to debugging, clearly the join fails at:

09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors

I would ensure the clocks are already in sync with NTP, then get a network trace taken from the server and turn up the Samba logs to 'log level = 10', with 'debug highres timestamp = yes' and look for the matching packet (a bind presumably) and anything samba indicates about the failure.

But this may be a case for a Samba commercial support provider, it looks pretty tricky.

Andrew,

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
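An added audit script (example code, not from this thread or the Samba project) that parses a constructed smb.conf [global] section holding the options above, decodes the enctype bitmask (4 = RC4-HMAC only), and separates the settings that downgrade the whole domain from the two that are scoped to the TESTEXPPC$ machine account. The bit meanings and the weak/not-weak classification are my assumptions, not statements from the thread.

```python
# Bits of Samba's "kdc supported enctypes" (as in msDS-SupportedEncryptionTypes); 4 = RC4 only.
ENCTYPE_BITS = {1: "DES-CBC-CRC", 2: "DES-CBC-MD5", 4: "RC4-HMAC",
                8: "AES128-CTS-HMAC-SHA1-96", 16: "AES256-CTS-HMAC-SHA1-96"}
# Global options from the thread whose value weakens every client, not just the XP host.
WEAK_GLOBAL = {"kdc force enable rc4 weak session keys": "yes", "ntlm auth": "yes",
               "client lanman auth": "yes", "client min protocol": "nt1", "server min protocol": "nt1"}
# Options the thread scopes to a single machine account via "key:ACCOUNT$".
PER_ACCOUNT = ("allow nt4 crypto", "server reject md5 schannel")
# Constructed sample: the thread's options inside a minimal [global] section.
SAMPLE_SMB_CONF = """
[global]
    kdc default domain supported enctypes = 4
    kdc force enable rc4 weak session keys = yes
    kdc supported enctypes = 4
    ntlm auth = yes
    client lanman auth = yes
    client ntlmv2 auth = yes
    client min protocol = NT1
    server min protocol = NT1
    allow nt4 crypto:TESTEXPPC$ = yes
    server reject md5 schannel:TESTEXPPC$ = no
"""

def parse_global(text):
    # Return the [global] section as {lowercased key: value}.
    section, conf = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":       # skip blanks and comments
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def decode_enctypes(value):
    # Expand the bitmask into cipher names, lowest bit first.
    return [n for bit, n in ENCTYPE_BITS.items() if int(value) & bit]

def audit(conf):
    # Findings: domain-wide downgrades first, then per-account ones.
    out = []
    for key in ("kdc supported enctypes", "kdc default domain supported enctypes"):
        names = decode_enctypes(conf[key]) if key in conf else []
        if names and not any(n.startswith("AES") for n in names):
            out.append(f"{key} = {conf[key]}: domain-wide, AES disabled ({', '.join(names)})")
    for key, weak in WEAK_GLOBAL.items():
        if conf.get(key, "").lower() == weak:
            out.append(f"{key} = {conf[key]}: domain-wide downgrade")
    for key, value in conf.items():
        base, _, account = key.partition(":")
        if account and base in PER_ACCOUNT:
            out.append(f"{base} for {account} = {value}: scoped to one account")
    return out
```

Run `audit(parse_global(SAMPLE_SMB_CONF))` to see that seven of the ten options apply to every client in the domain and only the two `:TESTEXPPC$` entries are confined to the XP machine account.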
Andrew Bartlett
2023-Sep-12 19:36 UTC
[Samba] Windows XP SP3 cannot join the Samba AD domain on Debian 11 4.17.10
Thanks. Can you please write up a wiki page with these details?

This does disable all AES use, it is unfortunate that you had to set the supported enctypes = 4, there may be a better way to do this.

Andrew Bartlett

On Tue, 2023-09-12 at 13:23 +0000, Paulo Cesar wrote:
> Hello Andrew! Thank you for your collaboration.
> Today I carried out new experiments in a test environment and found
> that when using the following options in the smb.conf file it was
> possible to add Windows XP SP3 to the domain:
> kdc default domain supported enctypes = 4
> kdc force enable rc4 weak session keys = yes
> kdc supported enctypes = 4
> ntlm auth = yes
> client lanman auth = yes
> client ntlmv2 auth = yes
> client min protocol = NT1
> server min protocol = NT1
> allow nt4 crypto:TESTEXPPC$ = yes
> server reject md5 schannel:TESTEXPPC$ = no
>
> When I change the options related to "kdc" beyond type 4 (RC4) the
> "internal error" appears again.
> After the machine joins the domain I can comment out the parameters
> related to the KDC and it is still possible to authenticate on the
> machine.
> I am also aware, as documented at "
> https://www.ietf.org/rfc/bcp/bcp218.html" that the RC4 encryption
> type used in Windows XP is weak and should no longer be in use.
> As for your suggestion of using Windows 2003 instead of Windows XP,
> unfortunately this is not possible in our situation due to issues
> related to software licensing. In any case, thank you for your
> consideration in paying attention to my problem.
> I will continue analyzing the situation here and evaluating how we
> can handle the Windows XP case without greatly weakening the security
> of the environments for which I provide support. If anyone on the
> list can help with suggestions I would be happy to receive them.
> I hope that my information in these posts can also be useful, in some
> way, to anyone interested.
>
> On Monday, 11 September 2023 at 16:55:51 BRT, Andrew Bartlett via samba
> <samba at lists.samba.org> wrote:
>
> > On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via samba wrote:
> > > I also know about the fact that Windows XP is an obsolete system and
> > > should no longer be in use but unfortunately it is still used in some
> > > specific situations for some of the organizations that I provide
> > > services.
> >
> > If I was in this situation, and Windows XP failed but Windows 2003
> > still worked, I would try to use Windows 2003 for whatever the need
> > is.
> >
> > Hopefully they are compatible enough for whatever special use case you
> > have.
> >
> > But in general, they are much the same codebase, but I wonder if
> > possibly the server got a few more late patches.
> >
> > In mentioning WinXP, I notice they are still issuing some security
> > patches, like this one:
> >
> > https://www.microsoft.com/en-us/download/details.aspx?id=55245
> >
> > (Also for 2003)
> > https://www.microsoft.com/en-us/download/details.aspx?id=55248
> >
> > As to debugging, clearly the join fails at:
> >
> > 09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\servert.teste.smb4.rede': 0x54f
> > 09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
> > 09/11 11:39:07 ldap_unbind status: 0x0
> > 09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
> > 09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors
> >
> > I would ensure the clocks are already in sync with NTP, then get a
> > network trace taken from the server and turn up the Samba logs to 'log
> > level = 10', with 'debug highres timestamp = yes' and look for the
> > matching packet (a bind presumably) and anything samba indicates about
> > the failure.
> >
> > But this may be a case for a Samba commercial support provider, it
> > looks pretty tricky.
> >
> > Andrew,
> >
> > -- 
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead                https://catalyst.net.nz/services/samba
> > Catalyst.Net Ltd
> >
> > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> > company
> >
> > Samba Development and Support: https://catalyst.net.nz/services/samba
> >
> > Catalyst IT - Expert Open Source Solutions
> >
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions