Hi all,
we have a small domain with UCS as the DC and a few Windows clients joined to the domain. The UCS runs the current version 5.0-5 errata804 with all updates.
One client is running with an old Windows XP and all of a sudden - probably after a (Samba) update - none of the domain users could log in anymore. The error message says “wrong username or password”, but I think that is misleading. In the Windows event log there is an error message “the computer account could not be found”, so “the registration attempt failed”.
Since the XP client had not been used for a long time, I first thought of a problem with the machine password and completely removed the XP computer from the domain. The computer object in the UCS was deleted and even the computer name on the client was changed. The subsequent rejoin worked without errors, and a completely new computer object was automatically built on the DC, but the registration of a domain user on the client is still not possible.
So I searched around the web and tried a lot of possible solutions:
client min protocol = NT1
server min protocol = NT1
allow nt4 crypto:RECHNER$ = yes
server reject md5 schannel:RECHNER$ = no
and probably some more…
On the XP client I changed some Local Security Policies and registry settings I found on the web, regarding higher or stronger encryption protocols.
> [2023/09/21 10:39:57.932615, 0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> CVE-2022-38023: client_account[RECHNER$] computer_name[RECHNER] schannel_type client_negotiate_flags[0x600fffff] real_account[RECHNER$] NT_STATUS_DOWNGRADE_DETECTED reject_des reject_md5
> [2023/09/21 10:39:57.932636, 0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_ServerAuthenticate3_check_downgrade)
> CVE-2022-38023: Check if option 'server reject md5 schannel:RECHNER$ = no' might be needed for a legacy client.
Now I’m running out of ideas and would be grateful for further solutions.
In principle, is it still possible to join Windows XP against a UCS domain (with samba 4.18.3)?
TIA & greetings
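The log lines quoted in the post already say why the DC refuses the secure channel: the client's negotiate flags (0x600fffff) do not include the AES bit, and the server's CVE-2022-38023 policy rejects the MD5/RC4 fallback. The following is an added example (not code from Samba, UCS or the poster) that decodes such log lines: it pulls out the client account, the negotiate flags and the `reject_*` policies the server applied, names the strongest secure-channel cipher the client offered, and prints the per-account smb.conf override the log itself points at. The flag bit values are the NETLOGON negotiate-flag constants from MS-NRPC / Samba's netlogon.idl (STRONG_KEYS = 0x00004000, SUPPORTS_AES = 0x01000000); the rejection rule is a simplified reconstruction of the server-side check and is marked as an assumption in the code. The sample log text is the two lines from the post plus one constructed line for a client without strong keys, so both policy branches are exercised.

```python
"""Decode Samba CVE-2022-38023 downgrade-rejection log lines (added example)."""
import re
from dataclasses import dataclass, field

# NETLOGON negotiate-flag bits that decide the secure-channel cipher
# (values from MS-NRPC 3.1.4.2 / Samba netlogon.idl).
NEG_STRONG_KEYS = 0x00004000    # 128-bit RC4 with an HMAC-MD5 session key
NEG_SUPPORTS_AES = 0x01000000   # AES-128-CFB8 with an HMAC-SHA256 session key

# Matches the first of the two CVE-2022-38023 lines Samba logs per rejection.
LINE_RE = re.compile(
    r"CVE-2022-38023: client_account\[(?P<account>[^\]]+)\]"
    r".*?client_negotiate_flags\[(?P<flags>0x[0-9a-fA-F]+)\]"
    r".*?NT_STATUS_DOWNGRADE_DETECTED(?P<policies>(?: reject_\w+)*)"
)

# Constructed sample: the two lines quoted in the post, plus one constructed
# line (account OLDBOX$, flags 0x000001ff) for a client without STRONG_KEYS.
SAMPLE_LOG = """\
[2023/09/21 10:39:57.932615, 0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_ServerAuthenticate3_check_downgrade)
  CVE-2022-38023: client_account[RECHNER$] computer_name[RECHNER] schannel_type client_negotiate_flags[0x600fffff] real_account[RECHNER$] NT_STATUS_DOWNGRADE_DETECTED reject_des reject_md5
[2023/09/21 10:39:57.932636, 0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_ServerAuthenticate3_check_downgrade)
  CVE-2022-38023: Check if option 'server reject md5 schannel:RECHNER$ = no' might be needed for a legacy client.
[2023/09/21 10:45:00.000000, 0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_ServerAuthenticate3_check_downgrade)
  CVE-2022-38023: client_account[OLDBOX$] computer_name[OLDBOX] schannel_type client_negotiate_flags[0x000001ff] real_account[OLDBOX$] NT_STATUS_DOWNGRADE_DETECTED reject_des reject_md5
"""


@dataclass
class Rejection:
    account: str
    flags: int
    cipher_offered: str
    server_policies: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def cipher_offered(flags: int) -> str:
    """Strongest secure-channel cipher the client's negotiate flags allow."""
    if flags & NEG_SUPPORTS_AES:
        return "AES"
    if flags & NEG_STRONG_KEYS:
        return "RC4-HMAC-MD5 (128-bit)"
    return "DES or RC4 without strong keys"


def parse_rejections(log_text: str) -> list:
    """Return one Rejection per NT_STATUS_DOWNGRADE_DETECTED line in log_text."""
    out = []
    for m in LINE_RE.finditer(log_text):
        flags = int(m.group("flags"), 16)
        policies = m.group("policies").split()
        r = Rejection(m.group("account"), flags, cipher_offered(flags), policies)
        # Assumption: simplified reconstruction of Samba's server-side check.
        # 'reject_des' = 'allow nt4 crypto' is off, so STRONG_KEYS is required;
        # 'reject_md5' = 'server reject md5 schannel' is on, so AES is required.
        if "reject_des" in policies and not flags & NEG_STRONG_KEYS:
            r.reasons.append("no STRONG_KEYS offered; 'allow nt4 crypto' is off")
        if "reject_md5" in policies and not flags & NEG_SUPPORTS_AES:
            r.reasons.append("no AES offered; 'server reject md5 schannel' is on")
        out.append(r)
    return out


def suggested_overrides(r: Rejection) -> list:
    """smb.conf lines scoped to this one computer account (the ones the log hints at).

    Scoping the override to the account keeps the stronger defaults for every
    other client; it does not make the legacy client's RC4/MD5 channel any safer.
    """
    lines = []
    if any("STRONG_KEYS" in x for x in r.reasons):
        lines.append(f"allow nt4 crypto:{r.account} = yes")
    if any("AES" in x for x in r.reasons):
        lines.append(f"server reject md5 schannel:{r.account} = no")
    return lines


if __name__ == "__main__":
    for rej in parse_rejections(SAMPLE_LOG):
        print(f"{rej.account}: flags={rej.flags:#010x} offers {rej.cipher_offered}")
        for reason in rej.reasons:
            print(f"  rejected: {reason}")
        for line in suggested_overrides(rej):
            print(f"  per-account override: {line}")
```

Run against the real log with `parse_rejections(open('/var/log/samba/log.samba').read())` (path is an assumption; use wherever the DC writes its Samba log). The output makes visible that the XP client offered only RC4-HMAC-MD5 and that the `server reject md5 schannel` policy, not a password problem, is what turns away the logon.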