Web lists-archives.com

Re: [Samba] Samba4 machine fails to join in samba3 domain

On 22/05/2019 15:02, Julien TEHERY via samba wrote:

I actually have troubles to join a samba4 machine into an old samba3 domain. I know I know most of you will yell reading this, but i have to deal with a customer's very old environment :) They're thinking about migrating fully in samba4, but it will take some times so for now let's focus on the situation we have

- Samba3 PDC :3.5.18-28
- Samba4 client Debian 8.7 (samba 4.2.14)

Here is the samba4 smb.conf:

        max protocol = NT1
        client ipc signing = No
        client signing = No
        server signing = No

        panic action = /usr/share/samba/panic-action %d
        workgroup = MYDOMAIN
        netbios name = MYSERVER
        admin users= @"Domain Admins"
        name resolve order = wins lmhosts hosts bcast
        wide links = Yes
        follow symlinks = Yes

        remote announce =
        remote browse sync =
        interfaces = 192.168.X.X/
        bind interfaces only = no
        unix charset = CP850
        server string = FileserverMYSERVER
        security = DOMAIN
        encrypt passwords = true

        log level = 1
        syslog = 0
        log file = /var/log/samba/%m.log
        max log size = 100000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2

        domain logons = No
        os level = 99
        preferred master = No
        domain master = No
        wins server = X.X.X.X
        idmap backend = nss
        passdb backend = ldapsam:ldap://ds.domain.com:389/
        ldap admin dn = cn=Directory Manager,dc=domain,dc=com
        ldap suffix = dc=domain,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap ssl = No

        winbind cache time = 5
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes

Here is what i get when trying to join the domain

net rpc join  -Uadministrateur
No realm has been specified! Do you really want to join an Active Directory server?
Enter administrateur's password:
No realm has been specified! Do you really want to join an Active Directory server? User root with invalid SID S-1-5-21-2287936477-1870703456-424640392-1001 in passdb
Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error NT_STATUS_RPC_PROTOCOL_ERROR libnet_join_ok: failed to open schannel session on netlogon pipe to server PDC for domain MYDOMAIN. Error was NT_STATUS_RPC_PROTOCOL_ERROR Failed to join domain: failed to verify domain membership after joining: An RPC protocol error occurred.

The fact is that i succeed in getting domain info:

net rpc info -Uadministrateur
Enter administrateur's password:
Domain Name: MYDOMAIN
Domain SID: S-1-5-21-2143421583-854681893-XXXXXXXXXX
Sequence number: 1558533247
Num users: 2479
Num domain groups: 276
Num local groups: 0

I don't know how to deal with this problem (first time i see that..)

Thanks for your help

Louis is right, you should upgrade, but, in the meantime, try adding 'ntlm auth = yes' to your smb.conf, see if that helps.

Also try running the following commands:

net getlocalsid

net getdomainsid


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba