Bug 1568207

Summary: Windows 2016 Clients have to use SMB1 to communicate with a RHEL 7 NT-Style Domain Controller, won't work with SMB 2 or 3
Product: Red Hat Enterprise Linux 7
Reporter: Josip Vilicic <jvilicic>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED CANTFIX
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.2
CC: asn, gdeschner, jarrpa, mmuehlfe
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-17 07:16:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20 (Flags: none)

Description Josip Vilicic 2018-04-17 00:57:22 UTC
Description of problem:
Windows 2016 Clients have to use SMB1 to communicate with a RHEL 7 NT-Style Domain Controller, won't work with SMB 2 or 3


Version-Release number of selected component (if applicable):
kernel-3.10.0-514.16.1.el7.x86_64              Thu May 25 20:58:54 2017
samba-4.7.1-6.el7.x86_64                       Wed Apr 11 17:25:44 2018
samba-winbind-4.7.1-6.el7.x86_64               Wed Apr 11 17:25:43 2018
smbldap-tools-0.9.11-6.el7.noarch              Wed Nov 29 10:16:03 2017


How reproducible:
Consistent -- all Windows 2016 Clients *ONLY* join to RHEL 7 NT-Style DC if SMB1 is enabled


Steps to Reproduce:
1) set up RHEL 7 NT-style DC
2) try to get a Windows 2016 client to join the domain


Actual results:
Windows 2016 Client won't join if the "server min protocol" is "SMB2".  They will only join if it is "NT1" or "SMB1"


Expected results:
"SMB2" and "SMB3" being negotiated with Windows 2016 Clients.  In RHEL 6 NT-style DCs, SMB2 and SMB3 get negotiated



Additional info:
1) Unsure if the behavior we're seeing is related to this upstream bug that's been fixed:
      "Bug 12585 - NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE mismatch for DCERPC_NCA_S_FAULT_INVALID_TAG"
      https://bugzilla.samba.org/show_bug.cgi?id=12585


2) From attached log files:

   a) Windows system:  hostname  "win2016-test"  and IP 156.24.44.39

   b) RHEL7 Samba/LDAP:  hostname  "ldap7.aurlott.lott"  and IP 156.24.44.70

   c) Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

3) Non-working /etc/samba/smb.conf when "SMB2" is specified as the "min" protocol (comment lines added for orientation; the parameters are as posted):

[global]
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    bind interfaces only = Yes
    client ipc signing = if_required
    client signing = required
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    disable spoolss = Yes
    # NT4-style (classic) domain controller role
    domain logons = Yes
    domain master = Yes
    log level = 10
    interfaces = eth0 127.0.0.1 eno16780032 lo
    ldap admin dn = cn=doppelganger,ou=Service,dc=aurlott,dc=lott
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=servers
    ldap passwd sync = only
    ldap suffix = dc=aurlott,dc=lott
    ldap user suffix = ou=people
    lm announce = No
    load printers = No
    log file = /var/log/samba/log.%m
    logon drive = H:
    logon home = \\%L\%U
    logon path = ""
    logon script = logon.bat
    max log size = 100000
    name resolve order = wins lmhosts bcast host
    os level = 65
    pam password change = Yes
    passdb backend = ldapsam:"ldap://ldap7.aurlott.lott ldap://ldap8.aurlott.lott"
    passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
    passwd program = /usr/sbin/smbldap-passwd -u %u
    preferred master = Yes
    printcap name = /dev/null
    remote announce = 156.24.44.255/AURLOTT 156.24.44.255/AURLOTT
    # "server min protocol = SMB2" excludes NT1 (SMB1); with "NT1" the join works (see comment 3)
    server max protocol = SMB3
    server min protocol = SMB2
    server signing = if_required
    server string = PDC Samba Server
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    # NetBIOS session port only; smbd is not listening on 445
    smb ports = 139
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    syslog = 0
    username map = /etc/samba/smbusers
    winbind enum groups = Yes
    winbind enum users = Yes
    wins proxy = Yes
    wins support = Yes
    workgroup = AURLOTT
    ldapsam:trusted = Yes
    ldapsam:editposix = Yes
    idmap config * : ldap_user_dn = cn=doppelganger,ou=Service,dc=aurlott,dc=lott
    idmap config * : ldap_base_dn = ou=idmap,dc=aurlott,dc=lott
    idmap config * : range = 20000-30000
    idmap config * : ldap_url = ldap://ldap7.aurlott.lott
    idmap config * : backend = ldap
    lpq command = lpq -P'%p'
    lprm command = lprm -P'%p' %j
    map acl inherit = Yes
    print command = lpr -r -P'%p' %s
    printing = bsd

[homes]
    browseable = No
    comment = Home Directories
    create mask = 0644
    invalid users = root
    read only = No
    valid users = %S

[netlogon]
    comment = Network Logon Service
    guest ok = Yes
    locking = No
    path = /db/samba/netlogon

Comment 2 Josip Vilicic 2018-04-17 00:58:13 UTC
Created attachment 1422810 [details]
Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

1) Windows system:  hostname  "win2016-test"  and IP 156.24.44.39

2) RHEL7 Samba/LDAP:  hostname  "ldap7.aurlott.lott"  and IP 156.24.44.70

3) Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

Comment 3 Andreas Schneider 2018-04-17 07:16:43 UTC
> In RHEL 6 NT-style DCs, SMB2 and SMB3 get negotiated

Samba 3.6.23 in RHEL 6 does *not* support SMB3 and SMB2 support is experimental and turned off by default! So RHEL6 uses SMB1 only.

However, that SMB1 is required is documented here:

https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10_and_Windows_Server_2016:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request

Don't blame Samba that MS removes support for NT4-style domain controllers.
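Added example (not part of the bug report, and not Samba's own tooling): a small Python audit that reads a smb.conf, decides whether it describes an NT4-style DC (domain logons = yes), and checks whether the configured protocol range still offers NT1/SMB1, which comment 3 and the linked wiki page say Windows 10 / Server 2016 clients need to join such a domain. The dialect ordering, the alias resolution (SMB2 to SMB2_10, SMB3 to SMB3_11) and the defaults are assumptions taken from Samba 4.7; the two sample configurations are constructed, trimmed versions of the one posted in the description.

```python
"""Audit a smb.conf for the NT4-style DC / SMB1 requirement discussed above.

Added example; the constants below are assumptions matching Samba 4.7 and
should be checked against smb.conf(5) of the version actually installed.
"""
import re
from typing import Dict, List

# Samba dialect names, oldest first (assumption: Samba 4.7 enum table).
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
# "SMB2"/"SMB3" resolve to the newest variant of their family (assumption).
ALIASES = {"CORE+": "COREPLUS", "SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# Samba 4.7 defaults (assumption; 4.11 raised the default minimum to SMB2_02).
DEFAULT_MIN, DEFAULT_MAX = "LANMAN1", "SMB3"
NT1_RANK = DIALECTS.index("NT1")
# Parameter synonyms, keyed by normalised name (lower-case, no whitespace).
SYNONYMS = {"minprotocol": "serverminprotocol",
            "maxprotocol": "servermaxprotocol",
            "protocol": "servermaxprotocol"}


def normalize_key(key: str) -> str:
    """Samba ignores case and internal whitespace in parameter names."""
    k = re.sub(r"\s+", "", key).lower()
    return SYNONYMS.get(k, k)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    '#' and ';' comments are skipped; backslash continuations are not handled."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections


def dialect_rank(name: str) -> int:
    """Position of a protocol value in DIALECTS, after alias resolution."""
    n = ALIASES.get(name.strip().upper(), name.strip().upper())
    if n not in DIALECTS:
        raise ValueError(f"unknown protocol value {name!r}")
    return DIALECTS.index(n)


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1", "on")


def audit(text: str) -> Dict[str, object]:
    """Report DC role, whether SMB1 (NT1 or older) is offered, and findings."""
    g = parse_smb_conf(text).get("global", {})
    nt4_dc = is_true(g.get("domainlogons", "no"))
    lo = dialect_rank(g.get("serverminprotocol", DEFAULT_MIN))
    hi = dialect_rank(g.get("servermaxprotocol", DEFAULT_MAX))
    smb1_offered = lo <= NT1_RANK
    findings: List[str] = []
    if lo > hi:
        findings.append("server min protocol is above server max protocol: "
                        "smbd cannot negotiate any dialect")
    if nt4_dc and not smb1_offered:
        findings.append(f"NT4-style DC (domain logons = yes) but 'server min "
                        f"protocol = {DIALECTS[lo]}' excludes NT1/SMB1: Windows "
                        "10 / Server 2016 clients cannot join or log on (Samba "
                        "wiki, Required Settings for Samba NT4 Domains)")
    if nt4_dc and smb1_offered:
        findings.append("NT1/SMB1 is offered, as the NT4 DC role requires; this "
                        "host therefore still accepts the legacy dialect")
    return {"nt4_dc": nt4_dc, "smb1_offered": smb1_offered, "findings": findings}


# Constructed sample: the relevant lines of the non-working config posted above.
POSTED_CONF = """
[global]
    workgroup = AURLOTT
    domain logons = Yes
    domain master = Yes
    server max protocol = SMB3
    server min protocol = SMB2
    smb ports = 139
[netlogon]
    path = /db/samba/netlogon
"""
# Constructed sample: the same config with the minimum lowered to NT1.
WORKING_CONF = POSTED_CONF.replace("server min protocol = SMB2",
                                   "server min protocol = NT1")

if __name__ == "__main__":
    for label, conf in (("as posted", POSTED_CONF), ("min NT1", WORKING_CONF)):
        r = audit(conf)
        print(f"{label}: nt4_dc={r['nt4_dc']} smb1_offered={r['smb1_offered']}")
        for f in r["findings"]:
            print("  -", f)
```

Run it against the real file with `audit(open("/etc/samba/smb.conf").read())`; the parser deliberately handles only the subset of smb.conf syntax needed here, so feed it `testparm -s` output if the file uses includes or line continuations.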