
ID #1317

NetApp can't look up domain SIDs

Problem:

A NetApp filer can be joined to a Univention Active Directory domain, but lookup of domain users and/or SIDs is not possible via "cifs lookup".

"cifs domaininfo" reports "PDCBROKEN":

na> cifs domaininfo
NetBIOS Domain:                         LISH
Windows Domain Name:                    40lish.qa
Domain Controller Functionality:        Windows 2008 R2
Domain Functionality:                   Windows 2003
Forest Functionality:                   Windows 2003
Filer AD Site:                          Default-First-Site-Name
 
Not currently connected to any DCs
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40     MASTER           PDCBROKEN
Other Addresses:
                                        None
 
Connected AD LDAP Server:               \\master.40lish.qa
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40    
                                         master.40lish.qa
Other Addresses:
                                        None

The /var/log/samba/log.samba may contain the following messages:

[2015/02/19 19:37:10.936295,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA/NA$], cannot authenticate

 

Workaround:

The NetApp tries to connect to the domain controller with a special flag to disable strong encryption. By default, Samba does not accept weak NT4 encryption types and closes the connection.

The NetApp then fails to upgrade to a strong cipher because the connection is already closed (this is what leads to the "No challenge requested" messages in log.samba).

To work around this, you may enable "allow nt4 crypto" on all Samba 4 DCs with the following commands. A rejoin of the NetApp is not needed:

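# Append the override to the local Samba configuration
cat >>/etc/samba/local.conf <<__CONF__
[global]
  allow nt4 crypto = yes
__CONF__
# Regenerate smb.conf via UCR, then restart Samba
ucr commit etc/samba/smb.conf
/etc/init.d/samba restart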
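
To see which machine accounts are being rejected, and therefore depend on the weaker setting, the log.samba message shown above can be summarised per client. The following sh/awk function is an added example, not part of the original FAQ entry; the function names and all sample log entries except the first are constructed.

```shell
#!/bin/sh
# Added example: summarise netlogon "No challenge requested" failures per client.
# Assumes each message directly follows its header line, as in the excerpt above.

nt4_clients() {
    # $1: path to a Samba log file, e.g. /var/log/samba/log.samba
    awk '
        # Header line: keep the timestamp only for ServerAuthenticate3 entries.
        /^\[[0-9]/ {
            ts = ""
            if (index($0, "dcesrv_netr_ServerAuthenticate3"))
                ts = substr($0, 2, 19)
            next
        }
        # Message line: pull the DOMAIN/ACCOUNT$ pair out of the brackets.
        ts != "" && /No challenge requested by client \[/ {
            start = index($0, "[") + 1
            acct = substr($0, start, index($0, "]") - start)
            count[acct]++
            last[acct] = ts
            ts = ""
        }
        END {
            for (a in count)
                printf "%s %d %s\n", a, count[a], last[a]
        }
    ' "$1" | sort
}

# Constructed sample log: the first entry is the one quoted on this page,
# the others (including FILER2 and other.c) are made up for illustration.
sample_log() {
    cat <<'EOF'
[2015/02/19 19:37:10.936295,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA/NA$], cannot authenticate
[2015/02/19 19:37:12.000000,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA/NA$], cannot authenticate
[2015/02/19 19:40:00.000000,  3, pid=5381, effective(0, 0), real(0, 0)] ../constructed/other.c:1(other_function)
  Constructed unrelated message
[2015/02/19 19:41:30.000000,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [FILER2/FILER2$], cannot authenticate
EOF
}

# Stand-alone use: sh nt4_clients.sh /var/log/samba/log.samba
if [ "$#" -gt 0 ]; then
    nt4_clients "$1"
fi
```

Each output line gives the account, the number of rejected attempts and the timestamp of the most recent one.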

Tags: UCS 4

Last update: 2015-02-25 11:06
Author: Janis Meybohm
Revision: 1.1
