Andrew Bartlett
2023-Sep-12 19:36 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
Thanks. Can you please write up a wiki page with these details? This does disable all AES use, it is unfortunate that you had to set the supported enctypes = 4, there may be a better way to do this.

Andrew Bartlett

On Tue, 2023-09-12 at 13:23 +0000, Paulo Cesar wrote:
> Hello Andrew! Thank you for your collaboration.
> Today I carried out new experiments in a test environment and found that when using the following options in the smb.conf file it was possible to add Windows XP SP3 to the domain:
> kdc default domain supported enctypes = 4
> kdc force enable rc4 weak session keys = yes
> kdc supported enctypes = 4
> ntlm auth = yes
> client lanman auth = yes
> client ntlmv2 auth = yes
> client min protocol = NT1
> server min protocol = NT1
> allow nt4 crypto:TESTEXPPC$ = yes
> server reject md5 schannel:TESTEXPPC$ = no
>
> When I change the options related to "kdc" beyond type 4 (RC4) the "internal error" appears again.
> After the machine joins the domain I can comment on the parameters related to the KDC and it is still possible to authenticate on the machine.
> I am also aware, as documented at "https://www.ietf.org/rfc/bcp/bcp218.html" that the RC4 encryption type used in Windows XP is weak and should no longer be in use.
> As for your suggestion of using Windows 2003 instead of Windows XP, unfortunately this is not possible in our situation due to issues related to software licensing. In any case, thank you for your consideration in paying attention to my problem.
> I will continue analyzing the situation here and evaluating how we can handle the Windows XP case without greatly weakening the security of the environments for which I provide support. If anyone on the list can help with suggestions I would be happy to receive them.
> I hope that my information in these posts can also be useful, in some way, to anyone interested.
>
> On Monday, 11 September 2023 at 16:55:51 BRT, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
>
> > On Mon, 2023-09-11 at 17:10 +0000, Paulo Cesar via samba wrote:
> > > I also know about the fact that Windows XP is an obsolete system and should no longer be in use but unfortunately it is still used in some specific situations for some of the organizations that I provide services.
> >
> > If I was in this situation, and Windows XP failed but Windows 2003 still worked, I would try to use Windows 2003 for whatever the need is.
> >
> > Hopefully they are compatible enough for whatever special use case you have.
> >
> > But in general, they are much the same codebase, but I wonder if possibly the server got a few more late patches.
> >
> > In mentioning WinXP, I notice they are still issuing some security patches, like this one:
> >
> > https://www.microsoft.com/en-us/download/details.aspx?id=55245
> >
> > (Also for 2003)
> > https://www.microsoft.com/en-us/download/details.aspx?id=55248
> >
> > As to debugging, clearly the join fails at:
> >
> > 09/11 11:39:07 NetpGetComputerObjectDn: Unable to bind to DS on '\\servert.teste.smb4.rede': 0x54f
> > 09/11 11:39:07 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x54f
> > 09/11 11:39:07 ldap_unbind status: 0x0
> > 09/11 11:39:07 NetpJoinDomain: status of setting DnsHostName and SPN: 0x54f
> > 09/11 11:39:07 NetpJoinDomain: initiaing a rollback due to earlier errors
> >
> > I would ensure the clocks are already in sync with NTP, then get a network trace taken from the server and turn up the Samba logs to 'log level = 10', with 'debug highres timestamp = yes' and look for the matching packet (a bind presumably) and anything samba indicates about the failure.
> >
> > But this may be a case for a Samba commercial support provider, it looks pretty tricky.
> >
> > Andrew,
> >
> > --
> > Andrew Bartlett (he/him) https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead https://catalyst.net.nz/services/samba
> > Catalyst.Net Ltd
> >
> > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
> >
> > Samba Development and Support: https://catalyst.net.nz/services/samba
> >
> > Catalyst IT - Expert Open Source Solutions
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
> >
> >

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
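The smb.conf settings quoted in the message above are all downgrades (RC4-only Kerberos, NTLMv1, LANMAN, SMB1 dialects, NT4-style netlogon crypto for one machine account), and the reply notes that the KDC ones can be removed again once the join has completed. The following script is an added example, not code from the thread or from the Samba project: it parses an smb.conf with a minimal INI-style reader (an assumption; it does not handle include directives or registry config) and reports every one of those legacy-compatibility settings that is still present, so an administrator can see exactly what was weakened and revert it afterwards. The enctype bit values (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256) follow the msDS-SupportedEncryptionTypes bitmask; the sample configuration is constructed from the settings in the thread.

```python
# Added example (not from the thread or Samba): audit an smb.conf for the
# legacy-compatibility settings discussed above, so the weakening is visible
# and can be reverted once the Windows XP join is done.
# Assumption: smb.conf is read as a minimal INI file (sections, "key = value",
# '#'/';' comments); Samba's include/registry mechanisms are not handled.
from typing import Dict, List, Tuple

# msDS-SupportedEncryptionTypes bitmask; 0 is treated as "not restricted".
ENCTYPE_BITS = {1: "DES-CBC-CRC", 2: "DES-CBC-MD5", 4: "RC4-HMAC",
                8: "AES128", 16: "AES256"}

# Boolean parameters that weaken authentication when set to yes.
WEAK_BOOL = {
    "kdc force enable rc4 weak session keys": "RC4 session keys re-enabled in the KDC",
    "ntlm auth": "NTLMv1 authentication permitted",
    "client lanman auth": "LANMAN client authentication permitted",
}
# SMB1 dialect names accepted by the min/max protocol parameters.
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

# Constructed sample: the settings from the thread as a joiner might leave them.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TESTE
    realm = TESTE.SMB4.REDE
    server role = active directory domain controller
    kdc default domain supported enctypes = 4
    kdc force enable rc4 weak session keys = yes
    kdc supported enctypes = 4
    ntlm auth = yes
    client lanman auth = yes
    client ntlmv2 auth = yes
    client min protocol = NT1
    server min protocol = NT1
    allow nt4 crypto:TESTEXPPC$ = yes
    server reject md5 schannel:TESTEXPPC$ = no
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser -> {section: {parameter: value}}.
    Parameter names are lower-cased; a per-host suffix after ':' keeps its case."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, suffix = key.strip().partition(":")
        sections[current][name.lower() + sep + suffix.strip()] = value.strip()
    return sections


def decode_enctypes(value: str) -> List[str]:
    """Expand an enctype bitmask into names; non-numeric input yields []."""
    try:
        mask = int(value, 0)
    except ValueError:
        return []
    return [name for bit, name in ENCTYPE_BITS.items() if mask & bit]


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_global(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (parameter, reason) for every legacy-compatibility setting found."""
    findings: List[Tuple[str, str]] = []
    for key, value in conf.get("global", {}).items():
        v = value.lower()
        if key in ("kdc supported enctypes", "kdc default domain supported enctypes"):
            names = decode_enctypes(v)
            if names and not any(n.startswith("AES") for n in names):
                findings.append((key, "no AES enctype enabled, only " + ", ".join(names)))
        elif key in WEAK_BOOL and is_yes(v):
            findings.append((key, WEAK_BOOL[key]))
        elif key in ("client min protocol", "server min protocol") and v in SMB1_DIALECTS:
            findings.append((key, "SMB1 dialect %s permitted as minimum" % value))
        elif key.startswith("allow nt4 crypto:") and is_yes(v):
            findings.append((key, "NT4-style netlogon crypto allowed for " + key.split(":", 1)[1]))
        elif key.startswith("server reject md5 schannel:") and not is_yes(v):
            findings.append((key, "MD5 schannel accepted for " + key.split(":", 1)[1]))
    return findings


if __name__ == "__main__":
    for param, reason in audit_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%-45s %s" % (param, reason))
```

Run it against the real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; an empty result means none of the downgrades from the thread remain. `client ntlmv2 auth = yes` is deliberately not reported, since it is the stronger of the two NTLM client settings.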
Michael Tokarev
2023-Sep-13 08:45 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
12.09.2023 22:36, Andrew Bartlett via samba:
> Thanks. Can you please write up a wiki page with these details?

Andrew, are you sure we want this info easily findable on the wiki? :) I mean, it is terrible, it really is.. I wonder if Microsoft allows joining WinXP machines to the current AD domain. The thing is that the whole thing should not be used in 2023+, period. Yes, I understand there might be various interesting use cases, but that often can be done on a stand-alone WinXP machine, not joined to a domain, - so the whole domain isn't crippled.

It's interesting that Win2003 does not require all the same low-security settings.

BTW, Paulo, I'm curious, - which licensing concerns/issues do you have? Microsoft does not sell these versions of windows anymore. But granted, I've no idea what actual terms apply to already sold products now, way past end-of-life.

Myself, I can't say I'm a "software pirate", but I do use many versions of windows on my own home machine - to test how windows behaves in various versions of QEMU and sometimes test them with samba too, - to ensure we ship good samba or qemu able to run windows. I don't have licenses for them, and I've no idea if such usage is legal or not (more likely not)..

> This does disable all AES use, it is unfortunate that you had to set
> the supported enctypes = 4, there may be a better way to do this.

[...]