Thursday, February 6, 2014

am i all alone with samba 3 and server 2012 r2

oh.

i spent my afternoon doing stuff and staring at output from this command:

tail -f -n 30 log.win2012adcontroller

i am seeing this:

rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
  Rejecting auth request from client WIN2012ADCONTROLLER machine account MSAD$

why?
http://support.microsoft.com/?id=942564
The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain 
controllers does not allow the use of older cryptography algorithms that are compatible 
with Windows NT 4.0 by default.

well then:

1. Log on to a Windows Server 2008-based domain controller.
2. Click Start, click Run, type gpmc.msc, and then click OK.
3. In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5. In the Properties dialog box, click the Enabled option, and then click OK.

Notes
By default, the Not Configured option is set for the Allow cryptography algorithms compatible with Windows NT 4.0 policy in the following Group Policy objects (GPO):
Default Domain Policy
Default Domain Controllers Policy
Local Computer Policy

thanks microsoft. good thing i do this on non-prod domains first.
and this helps, too:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
(hint: it can be added in a gpo to affect/ruin all your systems)
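
To see which clients and machine accounts are hitting the rejection shown in the log excerpt above, the log records can be grouped and counted. This is an added example, not code from the original post or from Samba; the sample lines are constructed from the excerpt, and the bracketed "[timestamp, level]" header prefix is an assumption about how the full log file looks.

```python
import re
from collections import Counter
# A Samba log record is a header line (optional "[timestamp, level] " prefix,
# then source.c:line(function)) followed by indented message lines.
HEADER = re.compile(
    r"^(?:\[(?P<ts>[^,\]]+),\s*\d+[^\]]*\]\s+)?"
    r"\S+\.c:\d+\((?P<func>\w+)\)\s*$"
)
REJECT = re.compile(
    r"Rejecting auth request from client (?P<client>\S+) "
    r"machine account (?P<account>\S+)"
)

def parse_records(lines):
    """Group each header line with its indented continuation lines."""
    record = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            if record:
                yield record
            record = {"ts": m["ts"], "func": m["func"], "body": []}
        elif record is not None and line.startswith((" ", "\t")):
            record["body"].append(line.strip())
    if record:
        yield record

def netlogon_rejections(lines):
    """Count netlogon_creds_server_check failures per (client, account)."""
    hits = Counter()
    for rec in parse_records(lines):
        body = " ".join(rec["body"])
        m = REJECT.search(body)
        if m and "netlogon_creds_server_check failed" in body:
            hits[(m["client"], m["account"])] += 1
    return hits

# Constructed sample input, modelled on the excerpt in the post.
SAMPLE = """\
[2014/02/06 15:12:01.000001,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client WIN2012ADCONTROLLER machine account MSAD$
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client WIN2012ADCONTROLLER machine account MSAD$
[2014/02/06 15:13:40.000002,  0] example/other.c:1(example_function)
  constructed unrelated message
""".splitlines()

if __name__ == "__main__":
    print(dict(netlogon_rejections(SAMPLE)))
```

Pass it the lines of the real log file in place of SAMPLE; a count that stays flat after the policy change means that machine account is no longer being rejected.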
