Michael Tokarev
2023-Sep-13 08:45 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
12.09.2023 22:36, Andrew Bartlett via samba:
> Thanks. Can you please write up a wiki page with these details?

Andrew, are you sure we want this info easily findable on the wiki? :)
I mean, it is terrible, it really is.. I wonder if Microsoft allows
joining WinXP machines to the current AD domain. The thing is that the
whole thing should not be used in 2023+, period. Yes, I understand
there might be various interesting use cases, but that can often be
done on a stand-alone WinXP machine, not joined to a domain, so the
whole domain isn't crippled.

It's interesting that Win2003 does not require all the same
low-security settings.

BTW, Paolo, I'm curious: which licensing concerns/issues do you have?
Microsoft does not sell these versions of Windows anymore. But granted,
I've no idea what actual terms apply to already sold products now, way
past end-of-life.

Myself, I can't say I'm a "software pirate", but I do use many versions
of Windows on my own home machine, to test how Windows behaves in
various versions of QEMU and sometimes test them with Samba too, to
ensure we ship good Samba or QEMU able to run Windows. I don't have
licenses for them, and I've no idea whether such usage is legal or not
(more likely not)..

> This does disable all AES use, it is unfortunate that you had to set
> the supported enctypes = 4, there may be a better way to do this.
[...]
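The "supported enctypes = 4" value quoted above is a Kerberos encryption-type bitmask in the msDS-SupportedEncryptionTypes layout defined in MS-KILE, where 0x04 is RC4-HMAC alone; that is why the reply notes it disables all AES use. The Python below is an added example for this page, not code from the thread or from the Samba project. It decodes such a bitmask and audits a handful of constructed account records for accounts whose effective value lacks every AES bit, the check an administrator would run before and after applying a setting like this domain-wide. The bit values are from MS-KILE; the sample accounts, the `audit()` helper and its default of RC4-only for accounts without the attribute (MS-KILE's documented KDC behaviour) are this example's own, and the thread does not name the exact smb.conf parameter involved.

```python
"""Decode msDS-SupportedEncryptionTypes bitmasks and flag RC4-only accounts.

Bit values are the ones defined in MS-KILE / MS-ADA2 for the
msDS-SupportedEncryptionTypes attribute used by Windows AD and Samba AD.
The account records further down are constructed for this example.
"""

ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
AES_MASK = 0x08 | 0x10 | 0x20
WEAK_MASK = 0x01 | 0x02 | 0x04  # DES and RC4

# MS-KILE: an account with no msDS-SupportedEncryptionTypes attribute is
# treated by the KDC as supporting RC4-HMAC only.
ABSENT_ATTRIBUTE_DEFAULT = 0x04


def decode_enctypes(value):
    """Return the enctype names enabled by a bitmask, lowest bit first.

    Flag bits above 0x20 (FAST, claims, compound identity, ...) are not
    encryption types and are deliberately ignored here.
    """
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def classify(value):
    """'aes-capable' if any AES type is allowed, 'weak-only' if only
    DES/RC4 remain (the case for value 4), 'none' if no enctype bit is set."""
    if value & AES_MASK:
        return "aes-capable"
    if value & WEAK_MASK:
        return "weak-only"
    return "none"


# Constructed sample records (not real directory data). 0x1C = RC4+AES128+AES256,
# 0x18 = AES only, 4 = RC4 only, None = attribute not set on the object.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC1$", "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "WINXP-LAB$", "msDS-SupportedEncryptionTypes": 0x04},
    {"sAMAccountName": "svc-backup", "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "oldprinter$", "msDS-SupportedEncryptionTypes": None},
]


def audit(accounts, default=ABSENT_ATTRIBUTE_DEFAULT):
    """Return (name, enabled enctypes) for every account whose effective
    mask has no AES bit. `default` is used when the attribute is absent;
    pass None to skip such accounts instead of assuming RC4-only."""
    findings = []
    for acct in accounts:
        value = acct.get("msDS-SupportedEncryptionTypes")
        if value is None:
            value = default
        if value is None:
            continue
        if classify(value) != "aes-capable":
            findings.append((acct["sAMAccountName"], decode_enctypes(value)))
    return findings


if __name__ == "__main__":
    print("domain-wide value 4 decodes to:", decode_enctypes(4), classify(4))
    for name, types in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: no AES, only {types}")
```

Running it shows that a domain-wide value of 4 leaves RC4-HMAC as the only enctype, and that accounts lacking the attribute are in the same position by default; a per-account value such as 0x1C keeps AES for everything else while still offering RC4 to the one legacy host.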
Rowland Penny
2023-Sep-13 09:11 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
On Wed, 13 Sep 2023 11:45:10 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> 12.09.2023 22:36, Andrew Bartlett via samba:
> > Thanks. Can you please write up a wiki page with these details?
>
> Andrew, are you sure we want this info easily findable on the wiki? :)
> I mean, it is terrible, it really is.. I wonder if Microsoft allows
> to join WinXP machines to the current AD domain. The thing is that
> whole thing should not be used in 2023+, period. Yes, I understand
> there might be various interesting use cases, but that often can be
> done on a stand-alone WinXP machine, not joined to a domain, - so the
> whole domain isn't crippled.

Hello Michael,

I feel the same as yourself, I just wish that XP would go away. The
problem is that there are very expensive pieces of equipment out there
that use an embedded version of XP and these will not go away. There are
ways around them, such as 'sandboxing' them.

What I think the whole 'embedded' thing has shown is that you really
shouldn't buy any expensive equipment that has a computer that cannot be
updated/upgraded easily.

Rowland

> It's interesting that Win2003 does not require all the same
> low-security settings.
>
> BTW, Paolo, I'm curious, - which licensing concerns/issues do you
> have? Microsoft does not sell these versions of windows anymore. But
> granted, I've no idea what actual terms applies to already sold
> products now, way past end-of-life.
>
> Myself, I can't say I'm a "software pirate", but I do use many
> versions of windows on my own home machine - to test how windows
> behaves in various versions of QEMU and sometimes test them with
> samba too, - to ensure we ship good samba or qemu able to run
> windows. I don't have licenses for them, and I've no idea if such
> usage is legal or not (more likely not)..
>
> > This does disable all AES use, it is unfortunate that you had to set
> > the supported enctypes = 4, there may be a better way to do this.
> [...]
Peter Milesson
2023-Sep-13 09:46 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
On 13.09.2023 10:45, Michael Tokarev via samba wrote:
> 12.09.2023 22:36, Andrew Bartlett via samba:
> > Thanks. Can you please write up a wiki page with these details?
>
> Andrew, are you sure we want this info easily findable on the wiki? :)
> I mean, it is terrible, it really is.. I wonder if Microsoft allows
> to join WinXP machines to the current AD domain. The thing is that
> whole thing should not be used in 2023+, period. Yes, I understand
> there might be various interesting use cases, but that often can be
> done on a stand-alone WinXP machine, not joined to a domain, - so the
> whole domain isn't crippled.
>
> It's interesting that Win2003 does not require all the same low-security
> settings.
>
> BTW, Paolo, I'm curious, - which licensing concerns/issues do you have?
> Microsoft does not sell these versions of windows anymore. But granted,
> I've no idea what actual terms applies to already sold products now, way
> past end-of-life.
>
> Myself, I can't say I'm a "software pirate", but I do use many versions
> of windows on my own home machine - to test how windows behaves in
> various versions of QEMU and sometimes test them with samba too, - to
> ensure we ship good samba or qemu able to run windows. I don't have
> licenses for them, and I've no idea if such usage is legal or not (more
> likely not)..
>
> > This does disable all AES use, it is unfortunate that you had to set
> > the supported enctypes = 4, there may be a better way to do this.
> [...]

Hi folks,

I want to chime in here, as I was facing a similar problem recently. I had
to set up a local file server for a machine group, where most of the
machines are using Windows NT4 as OS. The machines are incredibly
expensive, and replacing the control system on each one of them is not an
option. The machines sometimes need to connect on demand to technical
support over the internet, and they need to get production data from a
local server (the alternative is diskettes ;-) ).

To the headache is added the absence of any type of anti-virus protection
in the control systems. Using some ancient Windows OS as a server was not
an option, as I haven't got the appropriate license for any suitable OS
(it's very expensive if you get caught, and you may face jail time), and
it still wouldn't be working on modern hardware, as there are no drivers
available.

As the NT1 protocol is involved here, it was absolutely paramount to
isolate this group from any other part of the network. I set up an
isolated VLAN for the group with an internal firewall with no chance to
connect to anything inside the isolated VLAN. In that VLAN I set up a
Samba standalone server (Debian 4.18.5) on a tiny barebone PC. Works like
a charm.

But if NT1 is removed from Samba, how to solve the problem? Run an older
Linux VM with a Samba version with NT1 under KVM. A modern barebone PC
with an Intel CPU and VT-d is sufficient, future proof, and cheap.

So by all means, the time is overripe for flushing out NT1 from Samba for
good.

I wish you all a nice day.

Peter
Andrew Bartlett
2023-Sep-13 22:13 UTC
[Samba] Windows XP SP3 cannot join to the Samba AD domain on Debian 11 4.17.10
On Wed, 2023-09-13 at 11:45 +0300, Michael Tokarev wrote:
> 12.09.2023 22:36, Andrew Bartlett via samba:
> > Thanks. Can you please write up a wiki page with these details?
>
> Andrew, are you sure we want this info easily findable on the wiki? :)

Yes, I do.

We put back support in winbindd for working with an NT4 DC recently.
Samba keeps options around - off, but around - for a lot of old OSs. I
only just removed some, but not all, LanMan authentication support, and
mostly because it made disabling storing the NT hash a pain to describe.

Where folks need to have Samba behave in a particular way, I would rather
users share that knowledge than have to work it out by hand. It also
means we can avoid them turning off even more security than required, as
they try every option.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba

Catalyst.Net Ltd - Proudly developing Samba for Catalyst.Net Ltd - a
Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions