Bug 1568207 - Windows 2016 Clients have to use SMB1 to communicate with a RHEL 7 NT-Style Domain Controller, won't work with SMB 2 or 3
Summary: Windows 2016 Clients have to use SMB1 to communicate with a RHEL 7 NT-Style D...
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.2
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Andreas Schneider
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-17 00:57 UTC by Jo Vilicic
Modified: 2018-04-17 07:16 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-17 07:16:43 UTC
Target Upstream Version:


Attachments (Terms of Use)
Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20 (155.58 KB, application/x-gzip)
2018-04-17 00:58 UTC, Jo Vilicic
no flags Details

Description Jo Vilicic 2018-04-17 00:57:22 UTC
Description of problem:
Windows 2016 Clients have to use SMB1 to communicate with a RHEL 7 NT-Style Domain Controller, won't work with SMB 2 or 3


Version-Release number of selected component (if applicable):
kernel-3.10.0-514.16.1.el7.x86_64              Thu May 25 20:58:54 2017
samba-4.7.1-6.el7.x86_64                       Wed Apr 11 17:25:44 2018
samba-winbind-4.7.1-6.el7.x86_64               Wed Apr 11 17:25:43 2018
smbldap-tools-0.9.11-6.el7.noarch              Wed Nov 29 10:16:03 2017


How reproducible:
Consistent -- all Windows 2016 Clients *ONLY* join to RHEL 7 NT-Style DC if SMB1 is enabled


Steps to Reproduce:
1) set up RHEL 7 NT-style DC
2) try to get a Windows 2016 Clients to join to domain


Actual results:
Windows 2016 Client won't join if the "server min protocol" is "SMB2".  They will only join if it is "NT1" or "SMB1"


Expected results:
"SMB2" and "SMB3" being negotiated with Windows 2016 Clients.  In RHEL 6 NT-style DCs, SMB2 and SMB3 get negotiated



Additional info:
1) Unsure if the behavior we're seeing is related to this upstream bug that's been fixed:
      "Bug 12585 - NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE mismatch for DCERPC_NCA_S_FAULT_INVALID_TAG"
      https://bugzilla.samba.org/show_bug.cgi?id=12585


2) From attached log files:

   a) Windows system:  hostname  "win2016-test"  and IP 156.24.44.39

   b) RHEL7 Samba/LDAP:  hostname  "ldap7.aurlott.lott"  and IP 156.24.44.70

   c) Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

3) Non-working /etc/samba/smb.conf when "SMB2" is specified as the "min" protocol:

   [global]
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
	add user script = /usr/sbin/smbldap-useradd -m "%u"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	bind interfaces only = Yes
	client ipc signing = if_required
	client signing = required
	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
	delete user script = /usr/sbin/smbldap-userdel "%u"
	disable spoolss = Yes
	domain logons = Yes
	domain master = Yes
	log level = 10
	interfaces = eth0 127.0.0.1 eno16780032 lo
	ldap admin dn = cn=doppelganger,ou=Service,dc=aurlott,dc=lott
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=servers
	ldap passwd sync = only
	ldap suffix = dc=aurlott,dc=lott
	ldap user suffix = ou=people
	lm announce = No
	load printers = No
	log file = /var/log/samba/log.%m
	logon drive = H:
	logon home = \\%L\%U
	logon path = ""
	logon script = logon.bat
	max log size = 100000
	name resolve order = wins lmhosts bcast host
	os level = 65
	pam password change = Yes
	passdb backend = ldapsam:"ldap://ldap7.aurlott.lott ldap://ldap8.aurlott.lott"
	passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
	passwd program = /usr/sbin/smbldap-passwd -u %u
	preferred master = Yes
	printcap name = /dev/null
	remote announce = 156.24.44.255/AURLOTT 156.24.44.255/AURLOTT
	server max protocol = SMB3
	server min protocol = SMB2
	server signing = if_required
	server string = PDC Samba Server
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	smb ports = 139
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	syslog = 0
	username map = /etc/samba/smbusers
	winbind enum groups = Yes
	winbind enum users = Yes
	wins proxy = Yes
	wins support = Yes
	workgroup = AURLOTT
	ldapsam:trusted = Yes
	ldapsam:editposix = Yes
	idmap config * : ldap_user_dn = cn=doppelganger,ou=Service,dc=aurlott,dc=lott
	idmap config * : ldap_base_dn = ou=idmap,dc=aurlott,dc=lott
	idmap config * : range = 20000-30000
	idmap config * : ldap_url = ldap://ldap7.aurlott.lott
	idmap config * : backend = ldap
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	map acl inherit = Yes
	print command = lpr -r -P'%p' %s
	printing = bsd
   [homes]
	browseable = No
	comment = Home Directories
	create mask = 0644
	invalid users = root
	read only = No
	valid users = %S
   [netlogon]
	comment = Network Logon Service
	guest ok = Yes
	locking = No
	path = /db/samba/netlogon

Comment 2 Jo Vilicic 2018-04-17 00:58:13 UTC
Created attachment 1422810 [details]
Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

1) Windows system:  hostname  "win2016-test"  and IP 156.24.44.39

2) RHEL7 Samba/LDAP:  hostname  "ldap7.aurlott.lott"  and IP 156.24.44.70

3) Customer unsuccessfully tried to have "win2016-test" join to ldap7's domain around 2018/04/11 20:20

Comment 3 Andreas Schneider 2018-04-17 07:16:43 UTC
> In RHEL 6 NT-style DCs, SMB2 and SMB3 get negotiated

Samba 3.6.23 in RHEL 6 does *not* support SMB3 and SMB2 support is experimental and turned off by default! So RHEL6 uses SMB1 only.

However that SMB1 is required is documented here:

https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10_and_Windows_Server_2016:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request

Don't blame Samba that MS removes support for NT4-style domain controllers.


Note You need to log in before you can comment on or make changes to this bug.