NetApp cannot look up domain SIDs

A NetApp filer can be joined to a Univention Active Directory domain, but looking up domain users and/or SIDs via "cifs lookup" is not possible.

"cifs domaininfo" reports “PDCBROKEN”:

na> cifs domaininfo
NetBIOS Domain:                         LISH
Windows Domain Name:          
Domain Controller Functionality:        Windows 2008 R2
Domain Functionality:                   Windows 2003
Forest Functionality:                   Windows 2003
Filer AD Site:                          Default-First-Site-Name
Not currently connected to any DCs
Preferred Addresses:
Favored Addresses:
                                   MASTER           PDCBROKEN
Other Addresses:
Connected AD LDAP Server:               \\
Preferred Addresses:
Favored Addresses:
Other Addresses:

The /var/log/samba/log.samba may contain the following messages:

[2015/02/19 19:37:10.936295,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA/NA$], cannot authenticate


The NetApp negotiates the Netlogon secure channel with a flag that disables strong session-key encryption (NT4-style crypto). By default, Samba 4 rejects these weak NT4 encryption types and closes the connection.

The NetApp then fails to fall back to a strong cipher because the connection has already been closed; its authentication attempt arriving without a preceding challenge is what leads to the "No challenge requested by client" messages in log.samba.

To work around this, enable "allow nt4 crypto" on all Samba 4 DCs with the following commands; the NetApp does not need to be rejoined. Note that this setting is global: it relaxes Netlogon session security for every client of these DCs, not only for the NetApp.

cat >>/etc/samba/local.conf <<__CONF__
  allow nt4 crypto = yes
__CONF__
ucr commit /etc/samba/smb.conf
/etc/init.d/samba restart
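The following script is an added example and not part of the original article or of Univention's own tooling. It wraps the workaround above so that it can be repeated safely on every DC (the config line is appended only once), extracts the affected client accounts from log.samba so you can see whether the NetApp is the only client that needs the relaxed setting, and asks testparm for the value Samba actually loaded. The paths, the ucr commit and the service restart are those from the article; the LOCAL_CONF override and the "apply" argument are assumptions introduced here, and the parameter lookup falls back to "unknown" when testparm is not installed.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently enable
# "allow nt4 crypto" on a UCS Samba/AD DC, list the affected clients from
# log.samba and verify the effective setting. LOCAL_CONF may be overridden
# (assumed helper for testing); the default paths follow the article.
set -eu

LOCAL_CONF="${LOCAL_CONF:-/etc/samba/local.conf}"
PARAM="allow nt4 crypto"

# has_nt4_crypto FILE: exit 0 if FILE already contains
# "allow nt4 crypto = yes" (whitespace and case ignored), 1 otherwise.
has_nt4_crypto() {
    grep -Eiq "^[[:space:]]*allow nt4 crypto[[:space:]]*=[[:space:]]*yes[[:space:]]*$" "$1" 2>/dev/null
}

# ensure_nt4_crypto FILE: append the line unless it is already present, so
# the step can be rerun on every DC. Prints "added" or "unchanged".
ensure_nt4_crypto() {
    if has_nt4_crypto "$1"; then
        echo unchanged
    else
        printf '  %s = yes\n' "$PARAM" >> "$1"
        echo added
    fi
}

# affected_clients LOGFILE: computer accounts that hit the
# "No challenge requested by client [DOMAIN/HOST$]" error, deduplicated.
affected_clients() {
    sed -n 's/.*No challenge requested by client \[\([^]]*\)\].*/\1/p' "$1" | sort -u
}

# effective_nt4_crypto: the value Samba actually loaded ("Yes"/"No"), or
# "unknown" when testparm is not available (e.g. when run off the DC).
effective_nt4_crypto() {
    if command -v testparm >/dev/null 2>&1; then
        testparm -s --parameter-name="$PARAM" 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# apply_on_dc: the article's workaround, followed by a verification.
apply_on_dc() {
    echo "clients hitting the error so far:"
    affected_clients /var/log/samba/log.samba || true
    echo "local.conf: $(ensure_nt4_crypto "$LOCAL_CONF")"
    ucr commit /etc/samba/smb.conf
    /etc/init.d/samba restart
    echo "effective '$PARAM': $(effective_nt4_crypto)"
}

# Run "sh enable-nt4-crypto.sh apply" on each Samba 4 DC; without the
# argument the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
    apply_on_dc
fi
```

After the restart, "cifs domaininfo" on the filer should no longer show PDCBROKEN and the effective value printed by testparm should be "Yes"; if it still reads "No", the include of local.conf into the [global] section of smb.conf did not take effect.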