DomUsers can't login on joined Windows XP client anymore

Hi at all,
we have a small domain with UCS as the DC and a few Windows clients joined to the domain. The UCS is running the current version 5.0-5 errata804 with all updates.
One client is running an old Windows XP, and all of a sudden - probably after a (samba) update - none of the domain users could log in anymore. The error message says “wrong username or password”, but I think that is misleading. In the Windows event log there is an error message “the computer account could not be found”, so “the registration attempt failed”.
Since the XP client had not been used for a long time, I first thought of a problem with the machine password and completely removed the XP computer from the domain. The computer object in the UCS was deleted and even the computer name on the client was changed. The subsequent rejoin worked without errors, and a completely new computer object was automatically built on the DC, but the login of a domain user on the client is still not possible.
So I searched around the web and tried a lot of possible solutions:
On samba:
client min protocol = NT1
server min protocol = NT1
allow nt4 crypto:RECHNER$ = yes
server reject md5 schannel:RECHNER$ = no
and probably some more…

On the XP client I changed some Local Security Policies and registry settings I found on the web, regarding higher or stronger encryption protocols.

/var/log/samba/log.samba:

> [2023/09/21 10:39:57.932615,  0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_ServerAuthenticate3_check_downgrade)
>   CVE-2022-38023: client_account[RECHNER$] computer_name[RECHNER] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[RECHNER$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
> [2023/09/21 10:39:57.932636,  0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_ServerAuthenticate3_check_downgrade)
>   CVE-2022-38023: Check if option 'server reject md5 schannel:RECHNER$ = no' might be needed for a legacy client.

Now I’m running out of ideas and would be grateful for further solutions.
In principle, is it still possible to join Windows XP against a UCS domain (with samba 4.18.3)?

TIA & greetings
Dirk

I found a solution and share it here in case someone has the same problem:

/etc/samba/local.conf

kdc default domain supported enctypes = 4
kdc force enable rc4 weak session keys = yes
kdc supported enctypes = 4

This will (re-)enable the Kerberos RC4 encryption which was deactivated with Samba 4.17.4.
Release Notes for Samba 4.17.4
See “man smb.conf” for description.

Keep in mind: Reactivating the RC4 encryption is a security problem!

In my case all the other settings in Samba mentioned in my first post are not necessary and were set back to the default.

Greetings
Dirk
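
An added example, not from the thread or from Samba/UCS: a small Python helper that flags the CVE-2022-38023 downgrade rejections in log.samba per machine account and audits an smb.conf/local.conf for the weakening options discussed above, so that the RC4/MD5 exceptions can be tracked and removed again once the XP client is gone. The sample log text is constructed from the excerpt quoted in the first post.

```python
import re

# Constructed sample, modelled on the log.samba excerpt quoted in the first post.
SAMPLE_LOG = """\
[2023/09/21 10:39:57.932615,  0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:281(dcesrv_netr_ServerAuthenticate3_check_downgrade)
  CVE-2022-38023: client_account[RECHNER$] computer_name[RECHNER] schannel_type[2] client_negotiate_flags[0x600fffff] real_account[RECHNER$] NT_STATUS_DOWNGRADE_DETECTED reject_des[0] reject_md5[1]
[2023/09/21 10:39:57.932636,  0, pid=15576] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:291(dcesrv_netr_ServerAuthenticate3_check_downgrade)
  CVE-2022-38023: Check if option 'server reject md5 schannel:RECHNER$ = no' might be needed for a legacy client.
"""

DOWNGRADE_RE = re.compile(
    r"CVE-2022-38023: client_account\[(?P<account>[^\]]+)\].*?"
    r"NT_STATUS_DOWNGRADE_DETECTED reject_des\[(?P<des>[01])\] reject_md5\[(?P<md5>[01])\]"
)

def parse_downgrade_events(log_text):
    # Map each rejected machine account to why netlogon refused it (DES and/or MD5).
    events = {}
    for line in log_text.splitlines():
        m = DOWNGRADE_RE.search(line)
        if m:
            e = events.setdefault(m["account"], {"reject_des": False, "reject_md5": False})
            e["reject_des"] |= m["des"] == "1"
            e["reject_md5"] |= m["md5"] == "1"
    return events

# Values from the thread that switch a Samba hardening default back off.
WEAK_SETTINGS = {
    "server reject md5 schannel": "no",
    "allow nt4 crypto": "yes",
    "server min protocol": "nt1",
    "client min protocol": "nt1",
    "kdc force enable rc4 weak session keys": "yes",
    "kdc supported enctypes": "4",
    "kdc default domain supported enctypes": "4",
}

def find_weak_settings(conf_text):
    # Return (option, scope, value) for each smb.conf line setting a weak value;
    # scope is the per-account suffix (e.g. "RECHNER$") or "" for a global setting.
    hits = []
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        option, _, scope = key.partition(":")
        option = " ".join(option.lower().split())
        if WEAK_SETTINGS.get(option) == value.lower():
            hits.append((option, scope.strip(), value))
    return hits
```

Running `find_weak_settings` over /etc/samba/local.conf after the fix above lists exactly the three kdc lines, which is the list to revisit when the XP client is retired.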
