Hai John,

I saw that this was resolved.

Just interested, are you using SSL/TLS with samba on your servers, and did you publish the AD DC/CA root to your computers?

Did you look here in GPO: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation, before lowering samba security settings?

Some good info here to read into:
https://blogs.technet.microsoft.com/enterprisemobility/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks/

and some extra good info. Single Sign-On for Terminal Services:
http://technet.microsoft.com/en-us/library/cc772108(v=WS.10).aspx

and here SSO in RDP:
https://technet.microsoft.com/en-us/library/cc742808.aspx

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of John Gardeniers via samba
> Sent: Monday 21 November 2016 1:22
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Solved?] Problem since upgrade to 4.5.1
>
> Hi Rowland,
>
> Thanks for the suggestion. So far, since adding 'ntlm auth' to smb.conf on the DCs we are no longer having this problem. Only time will tell if it stays working but at least I'm no longer getting complaints from the users.
>
> regards,
> John
>
> On 21/11/16 10:00, Rowland Penny via samba wrote:
> > On Mon, 21 Nov 2016 09:31:28 +1100
> > John Gardeniers via samba <samba at lists.samba.org> wrote:
> >
> >> Hi Rowland,
> >>
> >> I upgraded from Samba 4.4.2 and we have tried the FQDN without success.
> >>
> >> regards,
> >> John
> >>
> >> On 21/11/16 08:02, Rowland Penny via samba wrote:
> >>> On Mon, 21 Nov 2016 07:42:30 +1100
> >>> John Gardeniers via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi Louis,
> >>>>
> >>>> While it wasn't spelled out, it was firmly implied in my previous message that this problem appeared only after the Samba upgrade. Nothing else has changed that might impact RDP. There has been no change to machine names, IP addresses (we use DHCP reservations) or DNS entries. If a dash in the computer's name or DNS entry is behind this issue then it's clearly a rather serious bug in Samba.
> >>>>
> >>>> regards,
> >>>> John
> >>>
> >>> It might help if you told us what version you upgraded from.
> >>>
> >>> I think there have been problems with windows machines now requiring the FQDN instead of the short hostname, so this 'may' be your problem, note I say 'may'.
> >>>
> >>> Rowland
> >
> > About the only real change was 'ntlm auth', try setting this to 'ntlm auth = yes' in smb.conf. I don't think it should affect your problem, but as I said, it is the only real change.
> >
> > Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Hi Louis,

On 21/11/16 21:53, L.P.H. van Belle via samba wrote:
> Hai John,
>
> I saw that this was resolved.
>
> Just interested, are you using SSL/TLS with samba on your servers,

No.

> and did you publish the AD DC/CA root to your computers?

No, unless that's handled automatically by Samba.

> Did you look here in GPO:
>
> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation.
>
> Before lowering samba security settings.

No, nor is it relevant to the problem.

> Some good info here to read into.
>
> https://blogs.technet.microsoft.com/enterprisemobility/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks/

Why do people assume that we are using Terminal Servers just because we are using RDP? We aren't. The target machines are workstations.

regards,
John
Hai John,

Thanks for the info.

And I know you don't have TS servers, you told that already three times in previous emails. ;-)

Yes, I did send a link with TS in it, but that's just because the info is good.

I think it's a combination of not using SSL/TLS and new restrictions from MS, and as Mathias already said, these days everything relies on Kerberos, which relies on SPNs, which need an A and PTR record (and SPN) to function correctly.

Windows 7/2008 (R2) support Extended Protection for IWA, which includes support for CBT, which is enabled by default.

This is an easy thing to try. Just open an .RDP file and edit it with Notepad, and play with these settings:

authentication level:i:0
negotiate security layer:i:1

and here is the info related:
https://technet.microsoft.com/en-us/library/cc770833(v=ws.11).aspx

and the GPO part: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\

Should help you to fix this without changing samba defaults.

And... you know RDP just simulates the terminal services of Remote Administration Mode. The only difference is there is no client-server environment.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of John Gardeniers via samba
> Sent: Monday 21 November 2016 21:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Solved?] Problem since upgrade to 4.5.1
>
> [...]
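The two .rdp settings Louis suggests above, worked through as an added example; this is not code from the thread, from Samba or from Microsoft. A .rdp file is a plain-text list of `name:type:value` lines (`i` integer, `s` string, `b` binary). The script parses such a file, explains what the two server-authentication settings mean, and writes back the relaxed values; the hostname and username in the embedded sample are constructed. Two caveats worth keeping in mind while experimenting: `authentication level:i:0` tells the client to connect even when it cannot verify the server's identity, which is exactly the man-in-the-middle case the Microsoft article linked earlier in the thread is about, so it is a diagnostic, not a permanent setting; and on the Samba side, 4.5.0 changed the default of `ntlm auth` from `yes` to `no`, which disables NTLMv1 (NTLMv2 keeps working), so `ntlm auth = yes` on the DCs re-enables NTLMv1 domain-wide rather than touching RDP specifically.

```python
"""Parse a .rdp file and inspect or relax its server-authentication settings.

Added example for the Samba list thread above; not code from the thread or
from Samba. The .rdp format is one `name:type:value` per line, where type is
`i` (integer), `s` (string) or `b` (binary blob).
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample file: the hostname and username are made up.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:ws-0123.example.internal
authentication level:i:2
negotiate security layer:i:1
enablecredsspsupport:i:1
username:s:EXAMPLE\\user1
"""

_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[isb]):(?P<value>.*)$")

# Meaning of the integer values of the two settings discussed in the thread.
AUTH_LEVEL = {
    "0": "connect without warning even if server authentication fails",
    "1": "refuse to connect if server authentication fails",
    "2": "warn if server authentication fails and let the user decide",
}
SECURITY_LAYER = {
    "0": "require TLS for the security layer, no negotiation",
    "1": "negotiate the security layer (CredSSP/TLS, else legacy RDP security)",
}

Settings = Dict[str, Tuple[str, str]]


def parse_rdp(text: str) -> Settings:
    """Return {name: (type, value)} preserving file order; reject malformed lines."""
    settings: Settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed .rdp line: {raw!r}")
        # The value may itself contain colons (e.g. host:port), hence `.*`.
        settings[m["name"]] = (m["type"], m["value"])
    return settings


def render_rdp(settings: Settings) -> str:
    """Serialise back to .rdp text, one setting per line."""
    return "".join(f"{name}:{typ}:{value}\n" for name, (typ, value) in settings.items())


def _int_value(settings: Settings, name: str) -> Optional[str]:
    entry = settings.get(name)
    return entry[1] if entry is not None and entry[0] == "i" else None


def describe_server_auth(settings: Settings) -> Dict[str, object]:
    """Explain the client's server-authentication posture in plain words."""
    level = _int_value(settings, "authentication level")
    layer = _int_value(settings, "negotiate security layer")
    return {
        "authentication level": AUTH_LEVEL.get(level, f"not set or unknown ({level})"),
        "negotiate security layer": SECURITY_LAYER.get(layer, f"not set or unknown ({layer})"),
        # Only levels 1 and 2 make the client react to a failed server check;
        # level 0 accepts whatever answers on the RDP port without complaint.
        "server authentication enforced": level in ("1", "2"),
    }


def set_int(settings: Settings, name: str, value: int) -> Settings:
    """Set (or add) an integer setting in place and return the mapping."""
    settings[name] = ("i", str(int(value)))
    return settings


def relax_server_auth(text: str) -> str:
    """Apply the two values from the thread and return the rewritten file text."""
    settings = parse_rdp(text)
    set_int(settings, "authentication level", 0)
    set_int(settings, "negotiate security layer", 1)
    return render_rdp(settings)


if __name__ == "__main__":
    for label, body in (("original", SAMPLE_RDP), ("relaxed", relax_server_auth(SAMPLE_RDP))):
        print(label, describe_server_auth(parse_rdp(body)))
```

Run it against a saved connection file by reading the file into `relax_server_auth()` and writing the result back; if the connection by name then succeeds where it failed before, the failure was in the client's server-authentication check rather than in the DC, which is the distinction the thread is trying to establish.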
On 22/11/16 08:19, L.P.H. van Belle via samba wrote:
> Hai John,
>
> [...]
>
> Should help you to fix this without changing samba defaults.
>
> And... you know RDP just simulates the terminal services of Remote Administration Mode.
> The only difference is there is no client-server environment.

I'm with the OP though in finding this odd. He didn't change any part of his Windows environment and yet a subset of his machines seemingly won't accept an RDP connection by name, replying with a cryptic error. However, RDP works perfectly to an IP address, and to name and IP from Linux!

If ntlm auth = yes is required with Samba 4.5.x, then surely without it, none of the connections should have worked.

I have a Samba 4.5.1 lab set up, and I can happily RDP to all my Win 7 machines by name without having to add the "ntlm auth" parameter. I can also RDP to XP VMs (the OP does not have any) even though they have no SPN for Terminal Services.

Something just doesn't add up here.

Alex

--
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
Ok, so if I understand right..

The production environment is running 4.5.1 (and needs the "ntlm auth").
The test environment is also running 4.5.1, and this works without the ntlm auth.

That's strange, yes.

About the production env., clean install of 4.5.1 or upgraded from?

About this:

> and yet a subset of his machines seemingly won't
> accept an RDP connection by name, replying with a cryptic error.

So not all PCs but a selection of PCs. Imaged PCs? All PCs sysprepped?

Can you check if the working PCs include the Windows optional updates?

And do you have any event ID in a failing Windows PC? Can you post it?

What happens if you take a "not working" PC, remove it from the production env and add it to the test env?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex Crow via samba
> Sent: Tuesday 22 November 2016 13:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Solved?] Problem since upgrade to 4.5.1
>
> [...]