A NetApp filer can be joined to a Univention Active Directory Domain but lookup of domain users and/or SIDs is not possible via
"cifs domaininfo" reports “PDCBROKEN”:
    na> cifs domaininfo
    NetBIOS Domain:                  LISH
    Windows Domain Name:             40lish.qa
    Domain Controller Functionality: Windows 2008 R2
    Domain Functionality:            Windows 2003
    Forest Functionality:            Windows 2003
    Filer AD Site:                   Default-First-Site-Name

    Not currently connected to any DCs
    Preferred Addresses:
                                     None
    Favored Addresses:
                                     10.200.6.40 MASTER PDCBROKEN
    Other Addresses:
                                     None

    Connected AD LDAP Server:        \\master.40lish.qa
    Preferred Addresses:
                                     None
    Favored Addresses:
                                     10.200.6.40 master.40lish.qa
    Other Addresses:
                                     None
/var/log/samba/log.samba may contain the following messages:
    [2015/02/19 19:37:10.936295, 1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
      No challenge requested by client [NA/NA$], cannot authenticate
The NetApp tries to connect to the domain controller with a special flag to disable strong encryption. By default, Samba does not accept weak NT4 encryption types and closes the connection.
The NetApp then fails to upgrade to a strong cipher because the connection is already closed (this is what leads to the “no challenge requested” messages in log.samba).
To work around this, you can enable “nt4 crypto” on all Samba 4 DCs with the following commands (a rejoin of the NetApp is not needed):
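    # Append the option to the local Samba configuration snippet
    cat >>/etc/samba/local.conf <<__CONF__
    [global]
    	allow nt4 crypto = yes
    __CONF__
    # Regenerate smb.conf from its template, then restart Samba
    ucr commit /etc/samba/smb.conf
    /etc/init.d/samba restart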
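To see which machine accounts on a DC are hitting this failure and whether the workaround is already active there, the following added example (not part of the original article, UCS or Samba) parses log.samba text for the message shown above and checks smb.conf text for the setting. The function names and the second log record are constructed for illustration, and the accepted boolean spellings (yes/true/on/1) are an assumption.

```python
import re
from collections import Counter

# Samba log records span two lines: a bracketed header, then the message.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,")
FAILURE = re.compile(
    r"No challenge requested by client \[([^/\]]+)/([^\]]+)\], cannot authenticate")
# Sample input: first record is the one from the article, second is constructed.
SAMPLE_LOG = """\
[2015/02/19 19:37:10.936295, 1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA/NA$], cannot authenticate
[2015/02/19 19:42:10.101010, 1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA/NA$], cannot authenticate
"""

def affected_clients(log_text):
    """Return {(computer, account): (failure_count, last_timestamp)}."""
    counts, last_seen, stamp = Counter(), {}, None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = header.group(1)
        hit = FAILURE.search(line)  # also works if header and message share a line
        if hit:
            key = (hit.group(1), hit.group(2))
            counts[key] += 1
            last_seen[key] = stamp
    return {key: (counts[key], last_seen[key]) for key in counts}

def nt4_crypto_enabled(smb_conf_text):
    """True if [global] enables 'allow nt4 crypto' (the last setting wins)."""
    section, enabled = None, False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            # Normalise case and spacing in the parameter name before comparing.
            if "".join(key.split()) == "allownt4crypto":
                enabled = value in ("yes", "true", "on", "1")
    return enabled

if __name__ == "__main__":
    print(affected_clients(SAMPLE_LOG))
    print(nt4_crypto_enabled("[global]\n\tallow nt4 crypto = yes\n"))
```

The per-account counts show which devices depend on the weak-crypto setting, so it can be removed again once those accounts stop appearing in the log.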