samba - Sep 2023 - Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10

Hello Andrew! Thank you for your collaboration.
Today I carried out new experiments in a test environment and found that when
using the following options in the smb.conf file it was possible to add Windows
XP SP3 to the domain:
kdc default domain supported enctypes = 4
kdc force enable rc4 weak session keys = yes
kdc supported enctypes = 4
ntlm auth = yes
client lanman auth = yes
client ntlmv2 auth = yes
client min protocol = NT1
server min protocol = NT1
allow nt4 crypto:TESTEXPPC$ = yes
server reject md5 schannel:TESTEXPPC$ = no

When I change the options related to "kdc" beyond type 4 (RC4) the
"internal error" appears again.
After the machine joins the domain I can comment on the parameters related to
the KDC and it is still possible to authenticate on the machine.
I am also aware, as documented at
"https://www.ietf.org/rfc/bcp/bcp218.html" that the RC4 encryption
type used in Windows XP is weak and should no longer be in use.
As for your suggestion of using Windows 2003 instead of Windows XP,
unfortunately this is not possible in our situation due to issues related to
software licensing. In any case, thank you for your consideration in paying
attention to my problem.
I will continue analyzing the situation here and evaluating how we can handle
the Windows XP case without greatly weakening the security of the environments
for which I provide support. If anyone on the list can help with suggestions I
would be happy to receive them.
I hope that my information in these posts can also be useful, in some way, to
anyone interested.

    Em segunda-feira, 11 de setembro de 2023 ?s 16:55:51 BRT, Andrew Bartlett
via samba <samba at lists.samba.org> escreveu:
 
 On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via samba
wrote:
> I also know about the fact that Windows XP is an obsolete system and
> should no longer be in use but unfortunately it is still used in some
> specific situations for some of the organizations that I provide
> services.
If I was in this situation, and Windows XP failed but Windows 2003
still worked, I would try to use Windows 2003 for whatever the need is.

Hopefully they are compatible enough for whatever special use case you
have.? 

But in general, they are much the same codebase, but I wonder if
possibly the server got a few more late patches.

In mentioning WinXP, I notice they are still issuing some security
patches, like this one:

https://www.microsoft.com/en-us/download/details.aspx?id=55245

(Also for 2003)
https://www.microsoft.com/en-us/download/details.aspx?id=55248

As to debugging, clearly the join fails at:

09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on
'\\servert.teste.smb4.rede': 0x54f
09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
09/11 11:39:07 ldap_unbind status: 0x0
09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors

I would ensure the clocks are already in sync with NTP, then get a
network trace taken from the server and turn up the Samba logs to 'log
level = 10', with 'debug highres timestamp = yes' and look for the
matching packet (a bind presumably) and anything samba indicates about
the failure.

But this may be a case for a Samba commercial support provider, it
looks pretty tricky.

Andrew,

-- 
Andrew Bartlett (he/him)? ? ? https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead? ? ? ? ? ? ? ? https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions


-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/options/samba

Thanks.  Can you please write up a wiki page with these details?
This does disable all AES use, it is unfortunate that you had to set
the supported enctypes = 4, there may be a better way to do this. 
Andrew Bartlett
On Tue, 2023-09-12 at 13:23 +0000, Paulo Cesar wrote:
>         Hello Andrew! Thank you for your collaboration.
> Today I carried out new experiments in a test environment and found
> that when using the following options in the smb.conf file it was
> possible to add Windows XP SP3 to the domain:
> kdc default domain supported enctypes = 4
> kdc force enable rc4 weak session keys = yes
> kdc supported enctypes = 4
> ntlm auth = yes
> client lanman auth = yes
> client ntlmv2 auth = yes
> client min protocol = NT1
> server min protocol = NT1
> allow nt4 crypto:TESTEXPPC$ = yes
> server reject md5 schannel:TESTEXPPC$ = no
> 
> When I change the options related to "kdc" beyond type 4 (RC4)
the
> "internal error" appears again.
> After the machine joins the domain I can comment on the parameters
> related to the KDC and it is still possible to authenticate on the
> machine.
> I am also aware, as documented at "
> https://www.ietf.org/rfc/bcp/bcp218.html" that the RC4 encryption
> type used in Windows XP is weak and should no longer be in use.
> As for your suggestion of using Windows 2003 instead of Windows XP,
> unfortunately this is not possible in our situation due to issues
> related to software licensing. In any case, thank you for your
> consideration in paying attention to my problem.
> I will continue analyzing the situation here and evaluating how we
> can handle the Windows XP case without greatly weakening the security
> of the environments for which I provide support. If anyone on the
> list can help with suggestions I would be happy to receive them.
> I hope that my information in these posts can also be useful, in some
> way, to anyone interested.
> 
> 
> 
>         
>         
> 
>             
>                 
>                 
>                     Em segunda-feira, 11 de setembro de 2023 ?s
> 16:55:51 BRT, Andrew Bartlett via samba <samba at lists.samba.org>
> escreveu:
>                 
>                 
> 
>                 
> 
>                 On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via
> samba wrote:
> > I also know about the fact that Windows XP is an obsolete system
> and
> > should no longer be in use but unfortunately it is still used in
> some
> > specific situations for some of the organizations that I provide
> > services.
> 
> If I was in this situation, and Windows XP failed but Windows 2003
> still worked, I would try to use Windows 2003 for whatever the need
> is.
> 
> Hopefully they are compatible enough for whatever special use case
> you
> have.  
> 
> But in general, they are much the same codebase, but I wonder if
> possibly the server got a few more late patches.
> 
> In mentioning WinXP, I notice they are still issuing some security
> patches, like this one:
> 
> https://www.microsoft.com/en-us/download/details.aspx?id=55245
> 
> (Also for 2003)
> https://www.microsoft.com/en-us/download/details.aspx?id=55248
> 
> As to debugging, clearly the join fails at:
> 
> 09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on
> '\\servert.teste.smb4.rede': 0x54f
> 09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn
> failed: 0x54f
> 09/11 11:39:07 ldap_unbind status: 0x0
> 09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN:
> 0x54f
> 09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier
> errors
> 
> I would ensure the clocks are already in sync with NTP, then get a
> network trace taken from the server and turn up the Samba logs to
> 'log
> level = 10', with 'debug highres timestamp = yes' and look for
the
> matching packet (a bind presumably) and anything samba indicates
> about
> the failure.
> 
> But this may be a case for a Samba commercial support provider, it
> looks pretty tricky.
> 
> Andrew,
> 
> -- 
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead                https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
> 
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
> 
> Samba Development and Support: https://catalyst.net.nz/services/samba
> 
> Catalyst IT - Expert Open Source Solutions
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>             
>         
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member
(since 2001) https://samba.orgSamba Team Lead               
https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions