[Samba] How do I join a Centos8 workstation to an NT4 domain?
Nick
nick at howitts.co.uk
Tue Feb 23 21:27:17 UTC 2021
On 23/02/2021 20:49, Rowland penny via samba wrote:
>
> On 23/02/2021 20:11, Nick via samba wrote:
>>
>>
>> On 23/02/2021 19:51, Rowland penny via samba wrote:
>>>
>>> On 23/02/2021 17:17, Nick via samba wrote:
>>>>
>>>>
>>>> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>>>>
>>>>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>>>>> Please don't ream me for using an NT4 domain, but that is the
>>>>>> beast I am stuck with.
>>>>>
>>>>>
>>>>> You might think you are stuck with it, but unless you plan to
>>>>> upgrade to Samba AD, you might find you are stuck without it.
>>>>> NT4-style domains are going away, in fact they were deprecated at
>>>>> 4.13.0
>>>>>
>>>>> It is your decision, but I felt that I should warn you.
>>>>>
>>>>>>
>>>>>> I am trying to join a Centos 8 workstation to an NT4 domain and
>>>>>> the only notes I have are not really applicable -
>>>>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain.
>>>>>> It references Ubuntu and its PAM configuration is irrelevant. In
>>>>>> any case I believe the join is falling down before PAM even comes
>>>>>> into play.
>>>>>
>>>>>
>>>>> Ensure that all the Samba daemons are stopped, then try this
>>>>> '[global]' section of the smb.conf:
>>>>>
>>>>> [global]
>>>>> domain master = No
>>>>> security = DOMAIN
>>>>> client min protocol = NT1
>>>>> template shell = /bin/bash
>>>>> winbind use default domain = Yes
>>>>> workgroup = HOME
>>>>> idmap config * : range = 3000-7999
>>>>> idmap config * : backend = tdb
>>>>> idmap config HOME : range = 10000000-19999999
>>>>> idmap config HOME : backend = rid
>>>>>
>>>>> Try the join again and if it joins, then start winbind followed by
>>>>> smbd and nmbd.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>> I'm afraid it is the same problem:
>>>>
>>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>>> Enter winadmin's password:
>>>> Failed to join domain: failed to find DC for domain HOME - The
>>>> object was not found.
>>>>
>>>> I don't know if it is of interest but changing "client min protocol
>>>> = NT1" to "client max protocol = NT1" gave:
>>>>
>>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>>> Enter winadmin's password:
>>>> Failed to join domain: failed to find DC for domain HOME - The
>>>> object was not found.
>>>>
>>>> Has NT1/SMB1 been removed from this version of Samba and could that
>>>> be a problem? The server was running with "server min protocol =
>>>> SMB2" and I changed it to allow SMB1 when I changed the min
>>>> protocol to max protocol.
>>>>
>>>
>>> No, SMBv1 (Samba calls it NT1) hasn't been removed, it will still be
>>> in 4.14.0 when it is shortly released, but who knows about 4.15.0 ?
>>>
>>> It was turned off by default at 4.11.0 but is still available for
>>> use by setting 'client min protocol = NT1' for connections to a
>>> server that uses it and setting 'server min protocol = NT1' to make
>>> a server use it. A Samba machine can be both a client and a server.
>>> There should be no reason to set 'client max protocol' or 'server
>>> max protocol', they are both set to SMBv3 and will negotiate the
>>> best protocol to use.
>>>
>>> You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.
>>>
>>> Rowland
>>>
>>>
>>>
>> Success (sort of):
>> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server
>> Enter winadmin's password:
>> Failed to join domain: failed to join domain 'HOME' over rpc: The
>> specified account does not exist.
>> [root at proxmox106 ~]# net rpc join -U winadmin -v -I 172.17.2.1
>> Enter winadmin's password:
>> Failed to join domain: failed to find DC for domain HOME - The object
>> was not found.
>> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server.howitts.co.uk
>> Enter winadmin's password:
>> Using short domain name -- HOME
>> Joined 'PROXMOX106' to domain 'HOME'
>>
>> Doesn't that indicate a DNS issue, but, if so what?
>
>
> Well, it would suggest a DNS problem, except a PDC uses NetBIOS, so is
> a WINS server running on the PDC? Do you have 'wins support = yes'
> in the PDC's smb.conf?
Yes, it is there
>
> Try adding 'wins server = PDC_IP' in the client's smb.conf
I'll try that.
>
> The line you had in the client's smb.conf:
>
> add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s
> /bin/false -M %u
>
> Should be in the PDC's smb.conf.
The PDC has:
add machine script = /usr/sbin/samba-add-machine "%u"
>
>>
>> FWIW home.server.howitts.co.uk also resolves to the same IP and the
>> join by IP failed.
>>
>> Smb, nmb and winbind now start so that is good.
>
>
> Well, at least you are getting somewhere 😂
Yes. Chuffed at that, thanks.
>
>
>>
>> Also do I now need to do any PAM and nsswitch fixups? nsswitch.conf
>> now reads:
>>
>> [root at proxmox106 ~]# grep '^\w' /etc/nsswitch.conf
>> passwd: sss files systemd
>> group: sss files systemd
>> netgroup: sss files
>> automount: sss files
>> services: sss files
>> shadow: files sss
>> hosts: files dns myhostname
>> aliases: files
>> ethers: files
>> gshadow: files
>> networks: files dns
>> protocols: files
>> publickey: files
>> rpc: files
>>
>> I assume it needs to reference winbind at least, instead of sss. The
>> documentation I had said to do:
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat winbind
>> hosts: files dns wins
>> networks: files
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>> netgroup: nis
>>
>> But the documentation is very old.
>>
>
> And still valid, don't forget NT4-style domains are very old.
Great
>
> Rowland
>
>
>