I'm seeing these problems with a samba-4.5.x that I wish to be a member of a samba-3.6.x PDC (NT4 style domain controller). ==========================net rpc join -S PDC ... smb_signing_good: BAD SIG: seq 1 Failed to join domain: failed to lookup DC info for domain 'EXAMPLE' over rpc: Access denied ====================================================net rpc info ... smb_signing_good: BAD SIG: seq 1 Could not connect to server PDC Connection failed: NT_STATUS_ACCESS_DENIED ========================== Please advise. Thank you! Chris
My guess is that the samba 3.6.x machine is not patched for BADLOCK vulnerabilities and the 4.5.x machine is. Since Samba 3.6.x is no longer being updated, you have to apply the patch to you existing install (depending on the OS.) It may be easier to just upgrade to samba 4.x. With Samba 4.x " the latest updates will have the patch included. http://badlock.org/ For Solaris 11 users, Oracle does provide an OS patch that can be installed to patch Samba 3.x. On 11/01/16 10:16, Sonic via samba wrote:> I'm seeing these problems with a samba-4.5.x that I wish to be a > member of a samba-3.6.x PDC (NT4 style domain controller). > ==========================> net rpc join -S PDC > ... > smb_signing_good: BAD SIG: seq 1 > Failed to join domain: failed to lookup DC info for domain 'EXAMPLE' > over rpc: Access denied > ==========================> ==========================> net rpc info > ... > smb_signing_good: BAD SIG: seq 1 > Could not connect to server PDC > Connection failed: NT_STATUS_ACCESS_DENIED > ==========================> > Please advise. > > Thank you! > > Chris >
On Tue, Nov 1, 2016 at 12:03 PM, Gaiseric Vandal via samba <samba at lists.samba.org> wrote:> My guess is that the samba 3.6.x machine is not patched for BADLOCK > vulnerabilities and the 4.5.x machine is.If I patch or upgrade the Samba 3 PDC will an NT4 domain member still remain a member and authenticate with it?
On Tue, Nov 1, 2016 at 12:03 PM, Gaiseric Vandal via samba <samba at lists.samba.org> wrote:> My guess is that the samba 3.6.x machine is not patched for BADLOCK > vulnerabilities and the 4.5.x machine is.Though it was odd that a patched Win7 system works but not a Samba 4 system. However, after placing these statements in the smb.conf Samba 4 could join the old Samba 3 domain! ===========================client ipc signing = No client signing = No server signing = No ===========================It's probably the 'client signing = No' that solved the issue but I haven't yet verified. Chris