We have a report by a customer that is using VMware Horizon Quickprep to provision and join Microsoft Windows clients into a Samba/AD domain and sees Samba error messages like these, before the tool finally runs into a timeout and gives up:
    [2019/05/14 15:32:29.589434, 0, pid=602] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
      dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was Win-Cient$
As a workaround the "server schannel" parameter can be set to "auto" in smb.conf and then it works. The man page asks to report cases like these, to vote against the announced removal of this deprecated parameter:
    "This option is deprecated with Samba 4.8 and will be removed in future. At the same time the default changed to yes, which will be the hardcoded behavior in future. If you have the need for the behavior of "auto" to be kept, please file a bug at https://bugzilla.samba.org."
Relaying reported feedback from VMware: "What’s happening here is that Samba is enforcing schannel use in all cases in order to remove legacy client support. However, the offline domain join used by NGVC, which is suitably secured with an encrypted password, is falling foul of Samba’s blanket enforcement of schannel. In fact, offline domain joins by any client will be barred by Samba by default (unlike the most recent version of AD!). That’s a Samba issue." This is just cut&paste from an email, I cannot speak for VMware.
(In reply to Arvid Requate from comment #1) Hi Arvid, do you have a network capture? (with server schannel = yes and server schannel = auto) when using 4.10, which has support for security context multiplexing, see bug #11892 and bug #13464 ?
(In reply to Arvid Requate from comment #1) It would be good to know how the offline join is supposed to work.
A link with some background about the situation: Differences between VMware ClonePrep, QuickPrep and Microsoft Sysprep https://kb.vmware.com/s/article/2003797
Created attachment 15271 [details] Patch for v4-9-test
Created attachment 15272 [details] Patches for v4-10-test
Karo, please apply the patches to the relevant branches. Thanks!
(In reply to Andreas Schneider from comment #7) Pushed to autobuild-v4-{10,9}-test
Hi, One question: I don't see it in the release notes of 4.10.6. Has it been added, or in what version will it be added? Thanks
Message from the address <samba-bugs@samba.org> on Mon, 8 Jul 2019 at 13:37:
> https://bugzilla.samba.org/show_bug.cgi?id=13949
>
> --- Comment #8 from Karolin Seeger <kseeger@samba.org> ---
> (In reply to Andreas Schneider from comment #7)
> Pushed to autobuild-v4-{10,9}-test
(In reply to trenta from comment #9) No, this is targeted to the next set of bugfix releases.
(In reply to Karolin Seeger from comment #8) Pushed to both branches. Closing out bug report. Thanks!
Please notice that "server schannel = auto" or "server schannel = no" is very dangerous, see [CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogin" https://bugzilla.samba.org/show_bug.cgi?id=14497
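An audit sketch for the situation discussed in this thread, added here as an example and not part of the bug report or of Samba: it reads the effective "server schannel" value from the [global] section of an smb.conf text, flags anything other than a "yes" value, and counts the machine accounts named in the "schannel required but client failed to offer it" log message. The sample configuration, the log entries and the client names CLONE-01$ and CLONE-02$ are constructed, and include files are not followed.

```python
import re
from collections import Counter

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    ; server schannel = yes
    Server  Schannel = Auto
"""
HDR = "[2019/05/14 15:32:29.589434,  0, pid=602] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)\n"
MSG = "  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was {}\n"
SAMPLE_LOG = "".join(HDR + MSG.format(c) for c in ("CLONE-01$", "CLONE-02$", "CLONE-01$"))

REJECT_RE = re.compile(r"schannel required but client failed to offer it\. Client was (\S+)")
STRONG_VALUES = {"yes", "true", "on", "1"}  # spellings smb.conf accepts for "yes"

def server_schannel_setting(conf_text):
    """Return the 'server schannel' value set in [global], or None if it is unset."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # Parameter names ignore case and embedded whitespace.
            if "".join(key.split()).lower() == "serverschannel":
                value = val.strip().lower()      # a later definition overrides an earlier one
    return value

def is_weak(value):
    """Unset falls back to the default, which the quoted man page gives as yes since 4.8."""
    return value is not None and value not in STRONG_VALUES

def rejected_clients(log_text):
    """Count rejections per machine account, to see which clients depend on 'auto'."""
    return Counter(REJECT_RE.findall(log_text))

if __name__ == "__main__":
    setting = server_schannel_setting(SAMPLE_CONF)
    print("server schannel =", setting, "(weak)" if is_weak(setting) else "(ok)")
    for client, count in rejected_clients(SAMPLE_LOG).most_common():
        print(f"{client}: {count} rejected ServerAuthenticate3 attempt(s)")
```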