Bug 1568207 - Windows 2016 Clients have to use SMB1 to communicate with a RHEL 7 NT-Style Domain Controller, won't work with SMB 2 or 3
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-17 00:57 UTC by Josip Vilicic
Modified: 2021-06-10 15:51 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-17 07:16:43 UTC
Target Upstream Version:
Embargoed:


Attachments
Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20 (155.58 KB, application/x-gzip), 2018-04-17 00:58 UTC, Josip Vilicic

Description Josip Vilicic 2018-04-17 00:57:22 UTC
Description of problem:
Windows 2016 Clients have to use SMB1 to communicate with a RHEL 7 NT-Style Domain Controller, won't work with SMB 2 or 3


Version-Release number of selected component (if applicable):
kernel-3.10.0-514.16.1.el7.x86_64              Thu May 25 20:58:54 2017
samba-4.7.1-6.el7.x86_64                       Wed Apr 11 17:25:44 2018
samba-winbind-4.7.1-6.el7.x86_64               Wed Apr 11 17:25:43 2018
smbldap-tools-0.9.11-6.el7.noarch              Wed Nov 29 10:16:03 2017


How reproducible:
Consistent -- all Windows 2016 Clients *ONLY* join to RHEL 7 NT-Style DC if SMB1 is enabled


Steps to Reproduce:
1) set up RHEL 7 NT-style DC
2) try to get a Windows 2016 Client to join to domain


Actual results:
Windows 2016 Client won't join if the "server min protocol" is "SMB2".  They will only join if it is "NT1" or "SMB1"


Expected results:
"SMB2" and "SMB3" being negotiated with Windows 2016 Clients.  In RHEL 6 NT-style DCs, SMB2 and SMB3 get negotiated



Additional info:
1) Unsure if the behavior we're seeing is related to this upstream bug that's been fixed:
      "Bug 12585 - NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE mismatch for DCERPC_NCA_S_FAULT_INVALID_TAG"
      https://bugzilla.samba.org/show_bug.cgi?id=12585


2) From attached log files:

   a) Windows system:  hostname  "win2016-test"  and IP 156.24.44.39

   b) RHEL7 Samba/LDAP:  hostname  "ldap7.aurlott.lott"  and IP 156.24.44.70

   c) Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

3) Non-working /etc/samba/smb.conf when "SMB2" is specified as the "min" protocol:

   [global]
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
	add user script = /usr/sbin/smbldap-useradd -m "%u"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	bind interfaces only = Yes
	client ipc signing = if_required
	client signing = required
	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
	delete user script = /usr/sbin/smbldap-userdel "%u"
	disable spoolss = Yes
	domain logons = Yes
	domain master = Yes
	log level = 10
	interfaces = eth0 127.0.0.1 eno16780032 lo
	ldap admin dn = cn=doppelganger,ou=Service,dc=aurlott,dc=lott
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=servers
	ldap passwd sync = only
	ldap suffix = dc=aurlott,dc=lott
	ldap user suffix = ou=people
	lm announce = No
	load printers = No
	log file = /var/log/samba/log.%m
	logon drive = H:
	logon home = \\%L\%U
	logon path = ""
	logon script = logon.bat
	max log size = 100000
	name resolve order = wins lmhosts bcast host
	os level = 65
	pam password change = Yes
	passdb backend = ldapsam:"ldap://ldap7.aurlott.lott ldap://ldap8.aurlott.lott"
	passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
	passwd program = /usr/sbin/smbldap-passwd -u %u
	preferred master = Yes
	printcap name = /dev/null
	remote announce = 156.24.44.255/AURLOTT 156.24.44.255/AURLOTT
	server max protocol = SMB3
	server min protocol = SMB2
	server signing = if_required
	server string = PDC Samba Server
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	smb ports = 139
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	syslog = 0
	username map = /etc/samba/smbusers
	winbind enum groups = Yes
	winbind enum users = Yes
	wins proxy = Yes
	wins support = Yes
	workgroup = AURLOTT
	ldapsam:trusted = Yes
	ldapsam:editposix = Yes
	idmap config * : ldap_user_dn = cn=doppelganger,ou=Service,dc=aurlott,dc=lott
	idmap config * : ldap_base_dn = ou=idmap,dc=aurlott,dc=lott
	idmap config * : range = 20000-30000
	idmap config * : ldap_url = ldap://ldap7.aurlott.lott
	idmap config * : backend = ldap
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	map acl inherit = Yes
	print command = lpr -r -P'%p' %s
	printing = bsd
   [homes]
	browseable = No
	comment = Home Directories
	create mask = 0644
	invalid users = root
	read only = No
	valid users = %S
   [netlogon]
	comment = Network Logon Service
	guest ok = Yes
	locking = No
	path = /db/samba/netlogon
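
The following is an added audit script, not part of this bug report and not Samba's own code. It parses an smb.conf the way Samba matches parameter names (case-insensitive, embedded whitespace ignored), maps "server min protocol" / "server max protocol" values onto Samba's documented protocol ordering, and reports whether the SMB1 family (NT1 and older) is negotiable and which "smb ports" the server listens on. The two embedded configs are constructed excerpts of the [global] section above: the failing SMB2-minimum version and the NT1 variant the report says the Windows 2016 clients accept. The default_min/default_max values are assumptions the caller supplies for the Samba release in use, since the built-in default for "server min protocol" changed from LANMAN1 to SMB2_02 in Samba 4.11.

```python
"""Audit the SMB protocol range an smb.conf [global] section permits.

Added example (not Samba's code, not from the bug report): it models the
documented ordering of Samba's 'server min protocol' / 'server max protocol'
values so a defender can see, from a config like the one in this report,
whether the SMB1 family is negotiable and on which ports.
"""
import re

# Samba protocol levels in negotiation order, lowest first.
PROTOCOL_ORDER = [
    "CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
    "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
    "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11",
]
# Family aliases Samba accepts for the two parameters (documented defaults).
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SMB1_LEVELS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Constructed excerpts of the reported [global] section: the failing
# SMB2-minimum config and the NT1 variant the report says works.
REPORTED_GLOBAL = """
[global]
\tdomain logons = Yes
\tserver max protocol = SMB3
\tserver min protocol = SMB2
\tsmb ports = 139
\tworkgroup = AURLOTT
[netlogon]
\tpath = /db/samba/netlogon
"""
WORKAROUND_GLOBAL = REPORTED_GLOBAL.replace("server min protocol = SMB2",
                                            "server min protocol = NT1")


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys normalised the way Samba
    matches them (lower-cased, embedded whitespace removed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not a parameter
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def canonical(level):
    """Map a user-supplied level (e.g. 'smb2') to its PROTOCOL_ORDER name."""
    lvl = level.strip().upper()
    lvl = ALIASES.get(lvl, lvl)
    if lvl not in PROTOCOL_ORDER:
        raise ValueError("unknown protocol level: %r" % level)
    return lvl


def audit_global(sections, default_min="LANMAN1", default_max="SMB3_11"):
    """Summarise the negotiable range and listening ports of [global].

    default_min/default_max are assumptions supplied by the caller for the
    Samba release in use: releases before 4.11 (such as the samba-4.7 here)
    default 'server min protocol' to LANMAN1; 4.11 and later use SMB2_02.
    """
    g = sections.get("global", {})
    lo = canonical(g.get("serverminprotocol", g.get("minprotocol", default_min)))
    hi = canonical(g.get("servermaxprotocol", g.get("maxprotocol", default_max)))
    lo_i, hi_i = PROTOCOL_ORDER.index(lo), PROTOCOL_ORDER.index(hi)
    if lo_i > hi_i:
        raise ValueError("server min protocol %s exceeds max %s" % (lo, hi))
    allowed = PROTOCOL_ORDER[lo_i:hi_i + 1]
    ports = g.get("smbports", "445 139").split()  # Samba's default: both ports
    return {
        "min": lo,
        "max": hi,
        "allowed": allowed,
        "smb1_allowed": any(p in SMB1_LEVELS for p in allowed),
        "ports": ports,
        "port_445": "445" in ports,
    }


if __name__ == "__main__":
    for label, conf in (("reported", REPORTED_GLOBAL), ("workaround", WORKAROUND_GLOBAL)):
        r = audit_global(parse_smb_conf(conf))
        print("%-10s min=%s max=%s smb1_allowed=%s ports=%s"
              % (label, r["min"], r["max"], r["smb1_allowed"], " ".join(r["ports"])))
```

Run it as-is to compare the two variants; point `parse_smb_conf` at the text of a real smb.conf to audit a server. A config with no explicit "server min protocol" is reported according to the default you pass in, so set default_min to match the Samba version actually deployed.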

Comment 2 Josip Vilicic 2018-04-17 00:58:13 UTC
Created attachment 1422810 [details]
Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

1) Windows system:  hostname  "win2016-test"  and IP 156.24.44.39

2) RHEL7 Samba/LDAP:  hostname  "ldap7.aurlott.lott"  and IP 156.24.44.70

3) Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

Comment 3 Andreas Schneider 2018-04-17 07:16:43 UTC
> In RHEL 6 NT-style DCs, SMB2 and SMB3 get negotiated

Samba 3.6.23 in RHEL 6 does *not* support SMB3 and SMB2 support is experimental and turned off by default! So RHEL6 uses SMB1 only.

However, that SMB1 is required is documented here:

https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10_and_Windows_Server_2016:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request

Don't blame Samba that MS removes support for NT4-style domain controllers.

