Rowland, it was a typo. Sorry, I paste the smb.conf twice.
I changed the smb.conf as you proposed, so: dns forwarder removed - yes it's
in named.conf, and ntlm auth / lanman auth removed.
I also checked the NTLMv2 configuration in windows XP.
But the error is still there.
I guess it's MIT as saw this in log:
/usr/lib/mit/sbin/krb5kdc: kerberos: 10
But how can I confirm which kerberos I'm using ?
The log generated with "log level = 10" is too large to post here, but
I can see and can't understand why the machine account has the property
ACB_DISABLED = 1 - that part of log is below:
[2019/04/24 08:21:29.617310, 6, pid=3872, effective(0, 0), real(0, 0)]
../lib/util/util_ldb.c:60(gendb_search_v)
gendb_search_v: CN=VMXPZERO,CN=Computers,DC=vidroeste,DC=ind NULL -> 1
[2019/04/24 08:21:29.617337, 1, pid=3872, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:468(ndr_print_function_debug)
samr_QueryUserInfo: struct samr_QueryUserInfo
out: struct samr_QueryUserInfo
info : *
info : *
info : union samr_UserInfo(case 16)
info16: struct samr_UserInfo16
acct_flags : 0x00000085 (133)
1: ACB_DISABLED
0: ACB_HOMDIRREQ
1: ACB_PWNOTREQ
0: ACB_TEMPDUP
0: ACB_NORMAL
0: ACB_MNS
0: ACB_DOMTRUST
1: ACB_WSTRUST
0: ACB_SVRTRUST
0: ACB_PWNOEXP
0: ACB_AUTOLOCK
0: ACB_ENC_TXT_PWD_ALLOWED
0: ACB_SMARTCARD_REQUIRED
0: ACB_TRUSTED_FOR_DELEGATION
0: ACB_NOT_DELEGATED
0: ACB_USE_DES_KEY_ONLY
0: ACB_DONT_REQUIRE_PREAUTH
0: ACB_PW_EXPIRED
0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
0: ACB_NO_AUTH_DATA_REQD
0: ACB_PARTIAL_SECRETS_ACCOUNT
0: ACB_USE_AES_KEYS
result : NT_STATUS_OK
________________________________
De: samba <samba-bounces at lists.samba.org> em nome de Rowland Penny via
samba <samba at lists.samba.org>
Enviado: terça-feira, 23 de abril de 2019 20:23
Para: samba at lists.samba.org
Assunto: Re: [Samba] Problem to join a windows XP
On Tue, 23 Apr 2019 19:27:21 +0000
Rogerio Bettini via samba <samba at lists.samba.org> wrote:
> Hi,
> I'm not able to join a windows XP machine in samba AD DC. This XP
> machine is a VM. No problems when joining Windows 10 machines to this
> DC.
>
> On XP machine, after inserting the Administrator username\password to
> join the domain, the error message is - error while attempting to
> join the domain "VIDROESTE.IND": Internal error. I can see that
the
> XP machine account was created in AD but it is disabled. In this AD
> account, there is no information at the "DNS name" property.
>
> All the tests suggested in wiki where successfully executed
>
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS
>
>
> For samba AD-DC, I'm using:
> - OpenSuSE Leap 15.0
> - no AppArmor or SELinux active
> - Samba version is Version
> 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUSE-oS15.0-x86_64
> - using Bind9
>
> Does someone passed on something similar? Thanks in advance.
>
> My smb.conf is below.
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8 8.8.4.4
> bind interfaces only = Yes
> interfaces = eth0
> netbios name = DC1
> realm = VIDROESTE.IND
> server string = Suse Leap 15.0
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate workgroup = VIDROESTE
> idmap_ldb:use rfc2307 = yes
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8 8.8.4.4
> bind interfaces only = Yes
> interfaces = eth0
> netbios name = DC1
> realm = VIDROESTE.IND
> server string = Suse Leap 15.0
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate workgroup = VIDROESTE
> idmap_ldb:use rfc2307 = yes
>
> #To windows XP
> ntlm auth = yes
> lanman auth = yes
> #log level = 10
>
> [netlogon]
> path = /var/lib/samba/sysvol/vidroeste.ind/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No ntlm auth = yes
> lanman auth = yes
> #log level = 10
>
> [netlogon]
> path = /var/lib/samba/sysvol/vidroeste.ind/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
Unless that is the biggest typo I have seen, you have everything twice,
can I suggest you ensure your smb.conf is just this:
[global]
bind interfaces only = Yes
interfaces = eth0
netbios name = DC1
realm = VIDROESTE.IND
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
workgroup = VIDROESTE
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/vidroeste.ind/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Check that you have your forwarders set in your named.conf files (they
are in your smb.conf at the moment, where they will do nothing)
Next turn your attention to the XP machine and make it use NTLMv2, see
here:
https://support.symantec.com/en_US/article.HOWTO54187.html
Finally, I do not know what kerberos your SUSE packages are using, so
you need to find out. If it is MIT, then I would suggest you stop using
them, using MIT is experimental and shouldn't be used in production.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba