Unable to join domain after upgrade

Michael mlstarling31 at hotmail.com
Wed Apr 13 17:37:00 UTC 2016


In case anyone else runs into the same issue I was able to get my environment functioning again by adding the following lines to my smb.conf.

client signing = requiredserver signing = autoFrom: mlstarling31 at hotmail.com
To: samba-technical at lists.samba.org
Subject: Unable to join domain after upgrade
Date: Tue, 12 Apr 2016 21:13:16 -0400







Hello -
In an attempt to mitigate the "badlock" vulnerability http://badlock.org/ I upgraded to the latest samba 3.6.x (samba-3.6.23-30.el6_7) release on RedHat 6 in my test environment. 
I'm running OpenLDAP with a samba backend for our Windows clients in the NT style domain setup. Once I upgraded I can no longer join the domain with the net command.
[root at test1 setup]# net rpc join -U root%password PDCConnection failed: NT_STATUS_ACCESS_DENIEDCould not connect to server TEST1Connection failed: NT_STATUS_ACCESS_DENIED
Below is my smb.conf
I noticed that that client signing is set to "required" by default. How does this affect my Linux system from joining the domain? I tried to set this to "auto" with the same results.client signing = required
Based on some light reading I tried setting the the following directive below to no availallow dcerpc auth level connect = yes
[global]        workgroup = TEST        server string = PDC Samba Server        interfaces = eth0, 127.0.0.1        bind interfaces only = Yes        passdb backend = ldapsam:"ldap://ldaptest.test.com ldap://ldaptest2.test.com"        pam password change = Yes        passwd program = /usr/sbin/smbldap-passwd -u %u        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"        username map = /etc/samba/smbusers        ntlm auth = No        syslog = 0        log level = 10        log file = /var/log/samba/log.%m        max log size = 100000        smb ports = 139        min protocol = NT1        name resolve order = wins lmhosts bcast hosts        client signing = required        allow dcerpc auth level connect = yes        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192        load printers = No        printcap name = /dev/null        disable spoolss = Yes        add user script = /usr/sbin/smbldap-useradd -m "%u"        delete user script = /usr/sbin/smbldap-userdel "%u"        add group script = /usr/sbin/smbldap-groupadd -p "%g"        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"        logon script = logon.bat        logon path = ""        logon drive = H:        logon home = \\%L\%U        domain logons = Yes        os level = 65        lm announce = No        preferred master = Yes        domain master = Yes        wins proxy = Yes        wins support = Yes        ldap admin dn = cn=doppelganger,ou=Service,dc=test,dc=com        ldap group suffix = ou=groups        ldap idmap suffix = ou=idmap        ldap machine suffix = ou=servers        ldap passwd sync = only        ldap suffix = dc=test,dc=com        ldap user suffix = ou=people        remote announce = xxx.xxx.xxx.255/TEST xxx.xxx.xxx.255/TEST        winbind enum users = Yes        winbind enum groups = Yes        idmap config * : range = 20000-30000        idmap config * : backend = ldap:ldap://ldaptest.test.com        map acl inherit = Yes        printing = bsd        print command = lpr -r -P'%p' %s        lpq command = lpq -P'%p'        lprm command = lprm -P'%p' %j
Any help would be greatly appreciated.   
Thanks.

 		 	   		   		 	   		  


More information about the samba-technical mailing list