Can Samba 4 authenticate against Samba 3?

[Feamane]

Hi,

I tried signing up for the Samba general mailing list four or five days ago now but haven't been granted access yet, so I thought I'd try asking here even though it's probably not an OpenBSD specific problem. Though may it is since OpenBSD is so locked down out of the box and I may be missing something I need to unlock.

I have a sandbox where I play with older computers like Sun SPARCclassics and Ultra1s, and is also set up for retro LAN gaming. I decided to standardize most of the Sun boxes on the latest versions of OpenBSD that support their architectures (5.9 for Sun4c & Sun4m, 7.4 for Sun4u). I have a Debian 7 server with RAIDs to store all the packages, configs, etc. I like to use Samba to transfer the files back and forth. But the other main use for SERVER3 is to offer up shares to the WinXP & Win98 gaming desktops. So I don't want to deal with upgrading the whole Samba setup right now--I have too many other things I need to get done first.

Please note that I'm not trying to access SUN6's share from SERVER3--I just want to attach to SUN6's share from a XP desktop I use for doing all the configuration on all the headless unix boxes. But I don't want to keep the passwords on SUN6, I want it to authenticate with SERVER3 like all my other smbd do. Here are the configs, minus all the parameters that are (I hope) irrelevant.

SERVER3 "The authentication server" = Debian 7 "Wheezy" Samba-3.6.6-6
NOTE: This config has been working great for many years, I don't want to screw it up.
[global]
workgroup = WORKGROUP1
netbios name = SERVER3
server string = Samba Server %v on %h
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
lanman auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
name resolve order = lmhosts host wins bcast
logon script = %U.bat
logon path = \export\logon
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
usershare allow guests = Yes
idmap config * : range =
idmap config * : backend = tdb

SUN6 "The authentication client" = OpenBSD-SPARC64 7.4 Samba-4.19.0v0
NOTE: I've been experimenting with different options here, this is just what is current.
[global]
workgroup = WORKGROUP1
netbios name = SUN6
server string = Samba Server %v on %h
server role = MEMBER
password server = SERVER3
hosts allow = 192.168.0. 127.
dns proxy = no
[sd2a]
comment = sun6 filesystem share
path = /
valid users = root
admin users = root
read only = no
browsable = yes


To configure the various samba servers to all authenticate to SERVER3 I have always used this method:

SERVER3# useradd -u 1006 -g 1006 -c "SUN6 Samba" -s /sbin/nologin -d /dev/null SUN6$

SERVER3# smbpasswd -a -m SUN6$

SUN6# smbpasswd -j WORKGROUP1 -U root

SUN6# net join -S SERVER3 -U root
===But instead of joining, I get the following two lines of output===
Password for [WORKGROUP1\root]:
Failed to join domain: failed to lookup DC info for domain 'WORKGROUP1' over rpc: The transport connection is now disconnected.


These are old configs from when some of the other Sun boxes were running Samba 3 that has worked for a long time:
SUN1
[global]
workgroup = WORKGROUP1
netbios name = SUN1
server string = Samba Server %v on %h
security = SERVER
encrypt passwords = true
password server = SERVER3
restrict anonymous = Yes
name resolve order = host lmhosts wins bcast
preferred master = False
local master = No
domain master = False
hide dot files = No
wide links = No
follow symlinks = No
[sda1]
comment = SUN1 filesystem share
path = /
username = root
read only = No

SUN4
[global]
workgroup = WORKGROUP1
netbios name = SUN4
server string = Samba Server %v on %h
security = SERVER
encrypt passwords = Yes
password server = SERVER3
name resolve order = host lmhosts wins bcast
preferred master = False
local master = No
domain master = False
mangle case = Yes
hide dot files = No
wide links = No
follow symlinks = No
[sd0a]
comment = SUN4 filesystem share
path = /
username = root
read only = No

I've been searching for the answer, but I don't think I'm using the correct search terms because I've been using this setup for many years now and don't remember the correct terminology. Any help getting this working would be greatly appreciated!

Thanks,
DJ

[J65nko]

There are many results when you google for failed to lookup DC info for domain.

IIRC some older protocols used by Samba have been replaced with newer ones and interoperability between versions may not be not longer supported.

I used to backup my wife's DOS 7.x computer with Samba on FreeBSD.

[Feamane]

Yes, and I've spent many hours now reading a bunch of them to no avail. Unfortunately that seems to be a rather generic error message because many of the matching search results were very old or involved situations/configurations which I could in no way relate to my issue. I've been running debug to the max on both the client and server but when I search with the output of the logs I'm still not finding anything useful. So hoping someone here has some experience with a similar set up.

That's pretty cool. I used Samba shares to network/PXE install Win98 for a long time, and used to use sharity on old Sun boxes. But it's always just been a useful tool for me that I knew only the bare minimum about. I've never run into a problem with it before that stumped me like this one.

Thanks,
DJ

[J65nko]

IIRC Windows 10 does not support the old 1.0 version of SMB. This is confirmed by https://www.andreszsogon.com/fix-smb...ows-98-and-10/

Quote:

SMB1 support not installed on Windows 10 host/server

Since Windows 10, the required SMB v1.0 support for Windows 9x/2000/XP is no longer preinstalled. To enable it, go to classic Control Panel > Programs and Features > Turn Windows features on/off and check SMB v1.0/CIFS File Sharing Support

That article has the following table for SMB protocol versions.

Code:

PROTOCOL VERSION        FIRST CLIENT VERSION    FIRST SERVER VERSION
SMB 1.0                 Windows 95/98/XP        Windows Server 2003
SMB 2.0                 Windows Vista           Windows Server 2008
SMB 2.1                 Windows 7               Windows Server 2008R2
SMB 3.0                 Windows 8               Windows Server 2012

[Feamane]

That is good info, I'll have to copy it into my notes. However, that doesn't shed any light on my current issue. If I understand correctly it is that the package for OpenBSD 7.4 is Samba 4.19, while my domain controller is Samba 3.6 on Debian. When I use the "net join" command to join the OpenBSD box to the existing domain and get it to authenticate against the Samba user db on the 3.6 box it fails. But I can't figure out what the Samba 4 "net join" is doing different than the Samba 3 "net join" does and thus what the Samba 3 server doesn't like about the Samba 4 "net join".

The XP, Win98, and Suns running old versions of OpenBSD (and thus Samba) are all able to do this just fine. Frustrating that so far neither looking at debug logs or searching has revealed to me why Samba 3 is rejecting the Samba 4 "net join".

Thanks,
DJ

[J65nko]

I was trying to point out the possibility of protocol incompatibility. A few years ago I wanted to scp some data from an old OpenBSD box. It failed because the new scp did not support the older authentication keys anymore.

The Samba 4 net join could be using a newer authentication protocol version. And Samba 3.0, being older, does not yet know this newer version. They both seems to be able to communicate on a basic level, but maybe Samba 4 uses a new protocol enhancement that Samba 3 does not know yet.

[Feamane]

Yes, I think you are correct. Now I just need to find information about what could have changed and if I can set some parameter to make the net join backwards compatible.

Thanks
DJ

[J65nko]

You could download the ports tree and check which compile time options were used to build samba4. I can imagine for example they disabled a samba 3.0 compatibility layer. Just guessing
Or compare with the samba3 ports tree.

You can use https://openports.pl/path/net/samba to get an URL to the CVS or github mirror source file repositories.

At this moment you are trying to authenticate against a Samba 3.x on you Debian box.
Cannot you try a more recent Linux live CD/USB that has Samba4.x?

IIRC Linux Mint USB images comes with the latest Samba4.x
MX Linux, can be run from a live USB stick and has a tool for configuring Samba. See https://mxlinux.org/wiki/help-files/...-samba-config/

[Feamane]

That might help get a clue. It seems highly likely that your guess is dead-on. What am I looking for, the CONFIGURE_ARGS in the Makefile???

I could try that but I'm not sure it would help me figure out why 4 to 3 doesn't work, I'm sure 4 to 4 is working. I guess it might be a better use of time to look into the compile options--or maybe even see if I can do a packet capture and if that reveals any hints. I also need to double check the logging on the 3 server, I should be seeing something there but I'm not even though Samba is writing tons of log files.

Thanks,
DJ

[J65nko]

Yes, IIRC the CONFIGURE_ARGS are the compile time options. But you need to figure out from the Samba docs which one(s) to add.
You get an authentication error. Maybe the Kerberos protocol version is the culprit. See https://wiki.samba.org/index.php/Run...T_Kerberos_KDC

RE: Samba4 server
If if works with the Samba4 server you will know, that it is not something in your configuration. Just rule out as many possible errors as you can

As an alternative you could try to contact the OpenBSD port maintainer, that could save you some time.