Re: [Samba] NT4 clients

2013-07-31 Thread Ryan Bair
OK. I got all excited and ran the test against a 2008 DC this morning. After allowing NT4 crypto through group policy, it worked seamlessly. Here's what I saw through Wireshark: 1. same old failed extended security negotiation .. 2. Win7 sends DC TGS-REQ for cifs/nt4test 3. DC replies KRB-ERROR:

Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Hi Andrew, To clarify, it is the Win7 client sending the TGS request to the DC and the DC responds positively. I now have a more complete understanding of what's going on: 1. Win7 initiates a session with NT4. Nothing interesting. 2. Win7 sends the negotiate protocol response. Of note, we state

Re: [Samba] NT4 clients

2013-07-30 Thread Andrew Bartlett
On Tue, 2013-07-30 at 05:33 -0400, Ryan Bair wrote: Hi Andrew, To clarify, it is the Win7 client sending the TGS request to the DC and the DC responds positively. I now have a more complete understanding of what's going on: 1. Win7 initiates a session with NT4. Nothing interesting.

Re: [Samba] NT4 clients

2013-07-30 Thread Gaiseric Vandal
For what it is worth - it looks like NT4 does NOT use Kerberos even with the Active Directory client installed. http://www.petri.co.il/dsclient_for_win98_nt.htm# Windows 2003 Active Directory had some compatibility with NT4 domain controllers. I don't think Samba 4 does. Your best

Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
I've noticed that Win2k+ clients have filled in their servicePrincipalName attribute in AD. I know that the cifs SPN is implicit, but are you certain the host SPN is also implicit? If cifs was only meant to be implicit off of the host (and the host not implicit itself), that could be a way to

Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Understood. The machine I'm trying to connect is just a member, not a DC. This is something which was well supported in earlier versions of Windows with AD (NT4 didn't die overnight), and reportedly still works in 2012. I'm not expecting any Kerberos to come out of NT4, nor do I see any. The

Re: [Samba] NT4 clients

2013-07-30 Thread Andrew Bartlett
On Tue, 2013-07-30 at 21:25 -0400, Ryan Bair wrote: Understood. The machine I'm trying to connect is just a member, not a DC. This is something which was well supported in earlier versions of Windows with AD (NT4 didn't die overnight), and reportedly still works in 2012. I'm not expecting any

Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Sorry Andrew, that message was intended towards Gaiseric's comment. I will try to get you a trace against Windows 2008, but it may take me a while to get a test environment set up for that. I've also noticed that this happens as far back as Windows 2000 clients, so not isolated to Win7. On Tue,

Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Last bit of info. This article, http://support.microsoft.com/kb/258503, indicates that Windows should indeed be setting up its own default SPNs (host and machine name). http://support.microsoft.com/kb/320187 states that the pre-Windows 2000 checkbox in ADUC assigns the machine password based on

[Samba] NT4 clients

2013-07-29 Thread Ryan Bair
I'm attempting to get an old NT4 client participating in a Samba4 domain. Users can logon to the machine locally and access network shares on other machines in the network. However, no one can access shares on the NT4 machine using the machine name. Attempting this results in an error The account

Re: [Samba] NT4 clients

2013-07-29 Thread Ryan Bair
Oh, forgot to mention. Samba 4.0.7-4 Sernet packages running on CentOS 6.4. On Mon, Jul 29, 2013 at 5:00 PM, Ryan Bair ryandb...@gmail.com wrote: I'm attempting to get an old NT4 client participating in a Samba4 domain. Users can logon to the machine locally and access network shares on other

Re: [Samba] NT4 clients

2013-07-29 Thread Gaiseric Vandal
I wouldn't have even guessed that NT4 would join a modern AD domain. It looks like MS did provide client software to join a Windows 2000 AD domain. Or does the NT4 machine think it is in an NT4 / Samba3 type domain? Presumably you can see the domain users in the local user manager

Re: [Samba] NT4 clients

2013-07-29 Thread Ryan Bair
Yes, AD has explicit support for pre-2000 clients. WINS is alive and well and name resolution is working. I really think the bogus TGS reply is messing things up, but I'd like to have someone more knowledgeable confirm the behavior is incorrect. On Mon, Jul 29, 2013 at 5:23 PM, Gaiseric

Re: [Samba] NT4 clients

2013-07-29 Thread Andrew Bartlett
On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote: Yes, AD has explicit support for pre-2000 clients. WINS is alive and well and name resolution is working. I really think the bogus TGS reply is messing things up, but I'd like to have someone more knowledgeable confirm the behavior is