Hi,

Not sure of the etiquette of this, so apologies if this is frowned upon, but a couple of months ago, this[1] question was asked.

I'm trying to join a Samba 4.2.2 server to a Samba 3.4.7 PDC (e.g. Think NT4, not AD), which is also our OpenLDAP principal server. I'm failing because, although my "net rpc join" command seems to succeed, and the host entry is added to the directory, I keep getting messages such as this in /var/log/samba/log.CLIENT_IP on my PDC/LDAP host:

  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
[2015/06/11 16:46:18, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$

and the user that I've added fails to log in, with basically a "permissions denied" error (I'm trying to log in from OS X 10.10.3). This login attempt correlates with the two error lines above.

The PDC is running Ubuntu 10.04 (* * *looks away in embarrassment* * *) and the client CLIENT[2] is Ubuntu Server 14.04. The sensible advice might likely be: UPGRADE YOUR PDC HOST, DUMMY!, and I do intend to do that, but if we could get this working it would be really neat-o keen, and would buy us a bit of time. The motivation for this is to give our OS X users the significant performance advantages that vfs_fruit has to offer them (Thanks again, Ralph![3]). If the only solution is to upgrade the PDC, that's ultimately fine, but that will of course take more time.

If you've read this far, Thanks![4]

-DM

[1]
> Francesco Malvezzi francesco.malvezzi at unimore.it
> Tue Apr 14 00:41:15 MDT 2015
>
> hi all,
>
> my working samba-4.1.7 member of a samba3 domain (samba-3.5.3) failed
> while updating to samba-4.2.0. Users were no longer able to access
> shares because the trust account was broken.
>
> According to release notes (Winbindd/Netlogon improvements):
>
> For the client side we have the following new options:
> "require strong key" (yes by default), "reject md5 servers" (no by default).
> E.g. for Samba 3.0.37 you need "require strong key = no" and
> for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",
>
> so in samba-4.2.0 member's smb.conf I put:
>
> require strong key = no
> client NTLMv2 auth = no
>
> but yet trust account wasn't able to authenticate on domain PDC.
>
> Which are the correct switches to allow a samba-4.2.0 member to join a
> samba3 PDC?
>
> thank you,
>
> Francesco

[2] Not his real name.

[3] Legally required statement.

[4] ...but you might need to get outside more. :-O

--
David S Morgan, Ph.D.        david_morgan at hms.harvard.edu
Director                     http://wqcg.med.harvard.edu
West Quad Computing Group    Office: 617-651-0259
Harvard Medical School

joseph-andre Guaragna
2015-Jun-12 08:43 UTC
[Samba] Joining 4.2.2 Samba client to Samba3 PDC
Hi David,

We encountered this kind of issue with two servers running different Samba versions and solved the problem by, as you said, updating the oldest one to a "closer version".

Hope it helped.

Best regards,

Joseph-André GUARAGNA
Network and System engineer
RD MACHINES-OUTILS
77, allée de l'Industrie
F-74130 CONTAMINE SUR ARVE
Tel : +33 (0) 4 50 03 90 77 - Fax : +33 (0) 4 50 03 66 79
www.rdmo.com / www.rdmo-spare-parts.com

Just a pointer..

try with settings like :

client lanman auth = yes
client NTLMv2 auth = no
client plaintext auth = yes

I don't know which exact settings you need, but look in the man page of smb.conf:
man smb.conf
Search for NT4, you will see more settings.

Greetz,

Louis

>-----Original message-----
>From: dmorgan at westquad.med.harvard.edu
>[mailto:samba-bounces at lists.samba.org] On behalf of David Morgan
>Sent: Thursday 11 June 2015 23:37
>To: samba at lists.samba.org
>Subject: [Samba] Joining 4.2.2 Samba client to Samba3 PDC

Thanks for the tips. I didn't have any luck with the various NT4-related options. I didn't even have any luck by setting up a VM with the latest Samba 4.2.2 stable backed by OpenLDAP as a PDC.

Oh well, I guess I'll wait for another Samba release and see if things have improved then.

Thanks,
David

On 06/12/2015 05:00 AM, L.P.H. van Belle wrote:
> Just a pointer..
>
> try with settings like :
>
> client lanman auth = yes
> client NTLMv2 auth = no
> client plaintext auth = yes
>
> i dont know the exact setting are which you need, but look in the man of smb.conf
> man smb.conf search for NT4, you see more settings.
>
> Greetz,
>
> Louis

--
David S Morgan, Ph.D.        david_morgan at hms.harvard.edu
Director                     http://wqcg.med.harvard.edu
West Quad Computing Group    Office: 617-651-0259
Harvard Medical School
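
Added example, not part of any message in this thread: a small Python audit that reports where an smb.conf sets the client-side authentication options discussed above ("require strong key", "client NTLMv2 auth", "client lanman auth", "client plaintext auth") to the weaker value, so that compatibility workarounds for an old PDC can be tracked and removed once the PDC is upgraded. The function name, the sample configuration and the table of which value counts as hardened are assumptions of this example.

```python
import re

# Stronger value of each client-side option named in this thread. Keys are
# normalised as smb.conf compares names: case and internal spaces ignored.
HARDENED = {"requirestrongkey": True, "clientntlmv2auth": True,
            "clientlanmanauth": False, "clientplaintextauth": False}
BOOL = {"yes": True, "true": True, "on": True, "1": True,
        "no": False, "false": False, "off": False, "0": False}

def audit_smb_conf(text):
    """Return (section, option, value) for each explicit weakening in text."""
    findings, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # backslash continues onto the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        key = re.sub(r"\s+", "", name).lower()
        setting = BOOL.get(value.strip().lower())
        if sep and key in HARDENED and setting is not None \
                and setting != HARDENED[key]:
            findings.append((section, name.strip(), value.strip()))
    return findings

# Constructed sample: a member server's smb.conf using the thread's workarounds.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    security = domain
    require strong key = no
    Client NTLMv2 Auth = No
    ; client plaintext auth = yes
    client lanman auth = yes
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    for section, option, value in audit_smb_conf(SAMPLE):
        print(f"[{section}] {option} = {value}  (weaker than the hardened value)")
```

The commented-out "client plaintext auth" line in the sample is skipped, so only settings that are actually in effect are reported.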