Unable to join domain after upgrade
mlstarling31 at hotmail.com
Wed Apr 13 17:37:00 UTC 2016
In case anyone else runs into the same issue, I was able to get my environment functioning again by adding the following lines to my smb.conf.

client signing = required
server signing = auto

From: mlstarling31 at hotmail.com
To: samba-technical at lists.samba.org
Subject: Unable to join domain after upgrade
Date: Tue, 12 Apr 2016 21:13:16 -0400
In an attempt to mitigate the "badlock" vulnerability http://badlock.org/ I upgraded to the latest samba 3.6.x (samba-3.6.23-30.el6_7) release on RedHat 6 in my test environment.
I'm running OpenLDAP with a samba backend for our Windows clients in the NT style domain setup. Once I upgraded I can no longer join the domain with the net command.
[root at test1 setup]# net rpc join -U root%password PDC
Connection failed: NT_STATUS_ACCESS_DENIED
Could not connect to server TEST1
Connection failed: NT_STATUS_ACCESS_DENIED
Below is my smb.conf
I noticed that client signing is set to "required" by default. How does this keep my Linux system from joining the domain? I tried to set this to "auto" with the same results.

client signing = required

Based on some light reading I tried setting the following directive below, to no avail:

allow dcerpc auth level connect = yes
[global]
	workgroup = TEST
	server string = PDC Samba Server
	interfaces = eth0, 127.0.0.1
	bind interfaces only = Yes
	passdb backend = ldapsam:"ldap://ldaptest.test.com ldap://ldaptest2.test.com"
	pam password change = Yes
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
	username map = /etc/samba/smbusers
	ntlm auth = No
	syslog = 0
	log level = 10
	log file = /var/log/samba/log.%m
	max log size = 100000
	smb ports = 139
	min protocol = NT1
	name resolve order = wins lmhosts bcast hosts
	client signing = required
	allow dcerpc auth level connect = yes
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	add user script = /usr/sbin/smbldap-useradd -m "%u"
	delete user script = /usr/sbin/smbldap-userdel "%u"
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
	logon script = logon.bat
	logon path = ""
	logon drive = H:
	logon home = \\%L\%U
	domain logons = Yes
	os level = 65
	lm announce = No
	preferred master = Yes
	domain master = Yes
	wins proxy = Yes
	wins support = Yes
	ldap admin dn = cn=doppelganger,ou=Service,dc=test,dc=com
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=servers
	ldap passwd sync = only
	ldap suffix = dc=test,dc=com
	ldap user suffix = ou=people
	remote announce = xxx.xxx.xxx.255/TEST xxx.xxx.xxx.255/TEST
	winbind enum users = Yes
	winbind enum groups = Yes
	idmap config * : range = 20000-30000
	idmap config * : backend = ldap:ldap://ldaptest.test.com
	map acl inherit = Yes
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
Any help would be greatly appreciated.
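The thread turns on three smb.conf parameters: the `client signing` value the upgrade made mandatory, the `server signing` line the poster added to get `net rpc join` working again, and the `allow dcerpc auth level connect = yes` workaround that was tried first. The script below is an added example (not the poster's code and not part of Samba) that parses the `[global]` section of an smb.conf and reports whether those signing-related settings weaken the Badlock hardening. The two embedded configs are constructed: `BEFORE_FIX` holds the relevant lines from the poster's configuration as posted, and `AFTER_FIX` is an assumed hardened variant with the poster's two lines kept and the connect-level override removed. The parser is deliberately minimal (no `include =` handling, no `%` macro expansion).

```python
import re
from typing import Dict, Tuple

# Constructed sample: the signing-relevant lines from the poster's smb.conf as posted,
# plus two awkward-to-parse lines (a "*" key and a value containing "=").
BEFORE_FIX = """\
[global]
    workgroup = TEST
    smb ports = 139
    min protocol = NT1
    client signing = required
    allow dcerpc auth level connect = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    idmap config * : range = 20000-30000
"""

# Constructed sample (assumption, not from the thread): the poster's two added lines,
# with the connect-level override dropped.
AFTER_FIX = """\
[global]
    workgroup = TEST
    smb ports = 139
    min protocol = NT1
    client signing = required
    server signing = auto
"""

# Spellings Samba accepts for a mandatory signing setting.
MANDATORY = ("required", "mandatory", "yes", "true")
WEAK_CONNECT = ("weak: DCERPC_AUTH_LEVEL_CONNECT re-enabled, RPC traffic gets "
                "authentication but no integrity or privacy protection")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lowercased with internal whitespace collapsed, so
    "Client  Signing" and "client signing" land on the same entry.
    Values are split at the first "=" only, so "SO_RCVBUF=8192" survives.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_signing(text: str) -> Dict[str, Tuple[str, str]]:
    """Report the signing-related [global] settings as {parameter: (value, verdict)}."""
    g = parse_smb_conf(text).get("global", {})
    result: Dict[str, Tuple[str, str]] = {}

    client = g.get("client signing", "(unset)")
    result["client signing"] = (
        client,
        "ok" if client.lower() in MANDATORY
        else "weak: unsigned SMB sessions to other servers are accepted",
    )

    server = g.get("server signing", "(unset)")
    if server == "(unset)":
        verdict = "default (depends on the Samba version)"
    elif server.lower() == "disabled":
        verdict = "weak: clients may connect without signing"
    else:
        verdict = "ok"
    result["server signing"] = (server, verdict)

    # Documented default is "no"; "yes" reopens the connect-level auth the
    # Badlock fixes removed.
    connect = g.get("allow dcerpc auth level connect", "(unset)")
    result["allow dcerpc auth level connect"] = (
        connect, WEAK_CONNECT if connect.lower() in ("yes", "true") else "ok",
    )
    return result


if __name__ == "__main__":
    for label, conf in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"== {label} ==")
        for param, (value, verdict) in audit_signing(conf).items():
            print(f"  {param:32} = {value:10} {verdict}")
```

Run it against a real file with `audit_signing(open("/etc/samba/smb.conf").read())`; anything flagged `weak` is worth a second look before being left in place as a join workaround.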