On Wed, 2012-11-21 at 09:58 +0100, odix wrote:
> Dear all,
>
> after upgrading an existing NT4 domain, via "injecting" a samba3 LDAP
> BDC to vampire security database, classicupgrade with samba-tool ...
> everything seems to work like expecting, except the mentioned windows
> 2000 terminal server, see excerpt from log.samba file:
>
> ...
> [2012/11/18 13:09:26, 0] ../source4/smbd/server.c:475(binary_smbd_main)
> samba: using 'standard' process model
> [2012/11/18 14:56:10, 0]
> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
> Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
> in module acl: insufficient access rights (50)
> [2012/11/18 14:56:19, 0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> NTLMSSP NTLM2 packet check failed due to invalid signature!
> [2012/11/18 15:04:41, 0]
> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> NTLMSSP NTLM2 packet check failed due to invalid signature!
> [2012/11/18 15:07:05, 0]

I think this is a red herring (perhaps due to issues only found with
Windows 2000).

> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
> Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
> in module acl: Constraint violation (19)

This is probably a real bug - we have a bug listed for this, but the
fix was invasive and not finished, so we had to leave it aside for 4.0.

> [2012/11/18 15:59:47, 0]
> ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
> ../source4/rpc_server/handles.c:102: Attempt to use invalid sid
> S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
> [2012/11/18 15:59:47, 0]
> ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
> ../source4/rpc_server/handles.c:102: Attempt to use invalid sid
> S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
> [2012/11/18 15:59:47, 0]
> ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
> ...
>
> also failed to update dns entry:
> Nov 18 17:52:56 sambadc named[752]: client 192.168.12.34#57038:
> request has invalid signature: TSIG 1236950581266-2
> (w2000\$\@XXX.LAN): tsig verify failure (BADSIG)

We would need to get the full details of why this failed. If you switch
(temporarily) to the internal DNS server, we might be able to give a
better error. However, many crypto and Kerberos things were 'not quite
right' in Windows 2000, and were made more standards-compliant or
interoperable in later versions, so I'm not totally surprised.

> I would suggest that it has something to do with the default setting of
> RequireSignOrSeal or RequireStrongKey which defaults to 0 in windows
> 2000 afaik, but I'm not sure. Any other suggestions ?

No, I don't think it is related to either of these.

Frankly, Windows 2000 is very, very old (as I'm sure you know), and
it's not something we test often, and while we fix bugs when we have
them supported, it is very much a reactionary support model.

For both of these, a manual update would probably be the best -
manually set the SPNs to whatever it wants them set to, and manually
set the DNS entries.

I'm sorry that I don't have any other magic answers.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
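
An added example, not part of the original thread or of Samba: a small triage script that parses log.samba entries like those quoted above and counts `DsWriteAccountSpn` failures separately per LDAP result code, so the two different SPN errors in the excerpt (50 and 19) are not lumped together. The function names and the sample layout are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the log excerpt quoted in the thread.
# The third entry keeps the mail-wrapped layout (location on its own line).
SAMPLE = """\
[2012/11/18 14:56:10, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error in module acl: insufficient access rights (50)
[2012/11/18 14:56:19, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:07:05, 0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
  in module acl: Constraint violation (19)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+:\d+\((\w+)\)$")
SPN_FAIL = re.compile(
    r"Failed to modify SPNs on (.+?): error in module (\w+): (.+) \((\d+)\)$")

def parse_entries(text):
    """Return (timestamp, function, message) for each log.samba entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            entries.append({"time": head.group(1), "func": None, "msg": []})
            line = head.group(3)  # location may share the header line
        if not entries or not line:
            continue
        loc = LOCATION.match(line)
        if loc and entries[-1]["func"] is None:
            entries[-1]["func"] = loc.group(1)
        else:
            entries[-1]["msg"].append(line)
    return [(e["time"], e["func"], " ".join(e["msg"])) for e in entries]

def spn_failures(text):
    """Count SPN write failures per (DN, module, reason, LDAP result code)."""
    counts = Counter()
    for _, func, msg in parse_entries(text):
        hit = SPN_FAIL.search(msg)
        if func == "dcesrv_drsuapi_DsWriteAccountSpn" and hit:
            dn, module, reason, code = hit.groups()
            counts[(dn, module, reason, int(code))] += 1
    return counts

if __name__ == "__main__":
    for key, n in spn_failures(SAMPLE).items():
        print(n, key)
```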
