I'm attempting to get an old NT4 client participating in a Samba4 domain. Users can log on to the machine locally and access network shares on other machines in the network. However, no one can access shares on the NT4 machine using the machine name. Attempting this results in an error "The account is not authorized to log in from this station." Using the IP address does work, however.
The clients are configured to allow no SMB signing and NTLMv1; I think I have all the security settings covered. I noticed while looking at Wireshark, though, that the client is doing a TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels very odd to me since there is no such SPN cifs/nt4test on the network. 'setspn -Q cifs/nt4test' confirms this.

I've also noticed that the MS docs state:

<94> Section 3.2.5.2: <http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94> When the server completes negotiation and returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB clients query the Key Distribution Center (KDC) <http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC> to verify whether a service ticket is registered for the given security principal name (SPN) <http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn>. If the query indicates that the SPN <http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn> is registered with the KDC <http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC>, then the SMB client terminates the connection and returns an implementation-specific security downgrade error to the caller.

The client does have CAP_EXTENDED_SECURITY set and I'm guessing the TGS-REQ is how Windows is testing the presence of the SPN. Since the test is succeeding and the server doesn't advertise the extended security capability, Windows disconnects. Can someone confirm my hypothesis?
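
Added example, not part of the original message: a Python model of the client-side check described in the quoted endnote <94>, reading the Capabilities field from an SMB1 NT LM 0.12 negotiate response. The sample responses are constructed, and the function names and return labels are hypothetical.

```python
import struct

CAP_EXTENDED_SECURITY = 0x80000000  # Capabilities bit in the negotiate response
SMB_COM_NEGOTIATE = 0x72
CAPS_OFFSET = 32 + 1 + 19  # SMB header + WordCount + fields preceding Capabilities


def build_negotiate_response(capabilities):
    """Constructed NT LM 0.12 negotiate response, for illustration only."""
    header = b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + bytes(27)  # 32 bytes
    params = struct.pack(
        "<HBHHIIIIQhB",
        0,             # DialectIndex
        0x03,          # SecurityMode
        50, 1,         # MaxMpxCount, MaxNumberVcs
        16644, 65536,  # MaxBufferSize, MaxRawSize
        0,             # SessionKey
        capabilities,  # Capabilities
        0, 0,          # SystemTime, ServerTimeZone
        8,             # ChallengeLength
    )
    data = struct.pack("<H", 8) + bytes(8)  # ByteCount + 8-byte challenge
    return header + bytes([17]) + params + data


def server_offers_extended_security(msg):
    """True if the server set CAP_EXTENDED_SECURITY in its negotiate response."""
    if len(msg) < CAPS_OFFSET + 4 or msg[:4] != b"\xffSMB" or msg[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 negotiate response")
    if msg[32] != 17:
        raise ValueError("not an NT LM 0.12 response (WordCount != 17)")
    (caps,) = struct.unpack_from("<I", msg, CAPS_OFFSET)
    return bool(caps & CAP_EXTENDED_SECURITY)


def client_decision(msg, kdc_issued_ticket):
    """Decision per the quoted endnote; kdc_issued_ticket is the TGS-REQ outcome."""
    if server_offers_extended_security(msg):
        return "extended-security"  # normal SPNEGO session setup
    if kdc_issued_ticket:
        return "abort-downgrade"    # SPN known to the KDC, server claims no extended security
    return "legacy-auth"            # no ticket available, continue without extended security


if __name__ == "__main__":
    legacy = build_negotiate_response(0x000043FD)  # constructed value, top bit clear
    print(client_decision(legacy, kdc_issued_ticket=True))
```

In a capture, the same comparison is the negotiate response's Capabilities field against whether a TGS-REP follows the client's TGS-REQ for the cifs/ SPN.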