NetApp can't look up domain SIDs

Problem:

A NetApp filer can be joined to a Univention Active Directory domain, but looking up domain users and/or SIDs via "cifs lookup" is not possible.

"cifs domaininfo" reports “PDCBROKEN”:

na> cifs domaininfo
NetBIOS Domain:                         LISH
Windows Domain Name:                    40lish.qa
Domain Controller Functionality:        Windows 2008 R2
Domain Functionality:                   Windows 2003
Forest Functionality:                   Windows 2003
Filer AD Site:                          Default-First-Site-Name
 
Not currently connected to any DCs
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40     MASTER           PDCBROKEN
Other Addresses:
                                        None
 
Connected AD LDAP Server:               \\master.40lish.qa
Preferred Addresses:
                                        None
Favored Addresses:
                                        10.200.6.40    
                                         master.40lish.qa
Other Addresses:
                                        None

The /var/log/samba/log.samba may contain the following messages:

[2015/02/19 19:37:10.936295,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA/NA$], cannot authenticate

Workaround:

The NetApp connects to the domain controller with netlogon negotiate flags that do not request strong session keys (the "NT4 crypto" style negotiation). By default (allow nt4 crypto = no), a Samba 4 DC does not accept clients that negotiate only this weak NT4 encryption and closes the connection.

The NetApp then fails to upgrade to a stronger cipher because the connection is already closed; this is what leads to the "No challenge requested by client" message in log.samba.

To work around this, enable "allow nt4 crypto" on all Samba 4 DCs with the following commands. A rejoin of the NetApp is not needed:

cat >>/etc/samba/local.conf <<__CONF__
[global]
  allow nt4 crypto = yes
__CONF__
ucr commit /etc/samba/smb.conf
/etc/init.d/samba restart

Note: For UCS 4.4-x you might see the following in the log file:

[2019/08/29 06:29:56.277906, 0, pid=5640] 
../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was NETAPP02$

You could fix this with the following in /etc/samba/local.conf, but this is absolutely not recommended, because it makes your Samba/AD DC vulnerable to the Zerologon security vulnerability (see "Status of Zerologon (CVE-2020-1472) security issue in UCS"):

[global]
  allow nt4 crypto = yes
  server schannel = auto

Note: With UCS 4.4-5 and 4.4-6 the configuration should be changed because of the Zerologon fix: keep schannel required globally and exempt only the NetApp's computer account.

It could now look like this:

server schannel = yes
server require schannel:netapp02$ = no
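The two log messages quoted above tell you which computer accounts a DC is rejecting, and the per-account exception is far narrower than "server schannel = auto". The following script is an added example, not part of the original article or of UCS/Samba: it extracts the rejected accounts from constructed log lines (modelled on the messages shown above), emits the matching "server require schannel:ACCOUNT = no" lines, and flags a config snippet that disables schannel globally. The function names and the sample log are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): find the computer accounts
# Samba rejected in log.samba and build the narrow per-client exception
# instead of the Zerologon-prone global "server schannel = auto".

# Constructed sample log, modelled on the two messages quoted in the article.
SAMPLE_LOG=$(cat <<'__LOG__'
[2015/02/19 19:37:10.936295,  1, pid=5381, effective(0, 0), real(0, 0)] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:363(dcesrv_netr_ServerAuthenticate3)
  No challenge requested by client [NA/NA$], cannot authenticate
[2019/08/29 06:29:56.277906, 0, pid=5640] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was NETAPP02$
dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was NETAPP02$
__LOG__
)

# Accounts rejected for negotiating only weak NT4 crypto (stdin: log text).
# These are the clients that need "allow nt4 crypto = yes" on the DCs.
nt4_crypto_clients() {
    sed -n 's|.*No challenge requested by client \[[^/]*/\([^]]*\)\].*|\1|p' | sort -u
}

# Accounts rejected for not offering schannel (stdin: log text).
schannel_clients() {
    sed -n 's|.*schannel required but client failed to offer it\. Client was \([^ ]*\).*|\1|p' | sort -u
}

# Turn account names (stdin, one per line) into per-client smb.conf exceptions.
# "server schannel = yes" stays in place, so only the listed accounts may skip
# schannel; every other client remains protected against CVE-2020-1472.
schannel_exceptions() {
    while IFS= read -r acct; do
        [ -n "$acct" ] || continue
        printf 'server require schannel:%s = no\n' "$acct"
    done
}

# Returns 0 when a config snippet (stdin) keeps schannel required globally,
# 1 when it carries "server schannel = auto" (or no/false/0).
schannel_globally_required() {
    ! grep -Eiq '^[[:space:]]*server schannel[[:space:]]*=[[:space:]]*(auto|no|false|0)[[:space:]]*$'
}

echo "Clients needing 'allow nt4 crypto = yes':"
printf '%s\n' "$SAMPLE_LOG" | nt4_crypto_clients
echo "Suggested per-client schannel exceptions:"
printf '%s\n' "$SAMPLE_LOG" | schannel_clients | schannel_exceptions
```

Run it against the real file with `sed`'s input redirected from /var/log/samba/log.samba instead of the sample, review the printed exception lines, and only then append them to /etc/samba/local.conf and run `ucr commit /etc/samba/smb.conf` as shown above. Keep the exception list to the accounts you actually need; each one is a client that can still authenticate without the schannel protection.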