problems with samba as domain member in rpc samba domain

Bartłomiej Solarz-Niesłuchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Fri Mar 11 15:04:23 UTC 2016


On 2016-03-11 at 14:29, Rowland Penny wrote:
> On 11/03/16 12:40, Bartłomiej Solarz-Niesłuchowski wrote:
>> On 2016-03-11 at 13:15, Rowland Penny wrote:
>>> On 11/03/16 11:38, Bartłomiej Solarz-Niesłuchowski wrote:
>>>> Good morning!
>>>>
>>>> I have problems with domain (fedora 23 x64).
>>>>
>>>> Let's have:
>>>> samba 4.3.4 as domain master (NT4 domain! - no ADS)
>>>> samba 4.3.4 as domain member
>>>>
>>>> if I use:  net rpc testjoin
>>>> no answer
>>>> if I try to join domain:
>>>>  net join -U root
>>>> Enter root's password:
>>>> Failed to join domain: failed to find DC for domain WSISIZ.EDU.PL
>>>>
>>>> BUT if on domain member I downgrade samba to version 4.2.9
>>>> everything starts working.
>>>>
>>>> Has anybody seen this problem?
>>>>
>>>> Best Regards
>>>>
>>>
>>>
>>> Can we please see your smb.conf files ?
>>>
>>> Rowland
>>>
>>>
>> domain server:
>> [global]
>>          unix charset = UTF8
>>          workgroup = WSISIZ.EDU.PL
>>          allow trusted domains = No
>>          passdb backend = ldapsam:"ldaps://mythodea.wsisiz.edu.pl/ ldaps://portraits.wsisiz.edu.pl/"
>>          check password script = /usr/local/sbin/crackcheck -s -d /usr/lib64/cracklib_dict
>>          map untrusted to domain = Yes
>>          max log size = 1650065408
>>          debug pid = Yes
>>          debug uid = Yes
>>          server max protocol = SMB2
>>          max protocol = SMB2
>>          protocol = SMB2
>>          time server = Yes
>>          unix extensions = No
>>          deadtime = 60
>>          hostname lookups = Yes
>>          printcap cache time = 600
>>          printcap name = cups
>>          add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>          add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>          add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>          delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>          set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>          add machine script = /usr/local/sbin/smbldap-useradd -t 5 -w "%u"
>>          logon script = login.bat
>>          logon drive = z:
>>          logon home = \\%N\%U\profile
>>          domain logons = Yes
>>          os level = 128
>>          preferred master = Yes
>>          domain master = Yes
>>          wins proxy = Yes
>>          wins support = Yes
>>          ldap admin dn = cn=Manager,dc=wsisiz,dc=edu,dc=pl
>>          ldap delete dn = Yes
>>          ldap group suffix = ou=Groups
>>          ldap idmap suffix = ou=Idmap
>>          ldap machine suffix = ou=Computers
>>          ldap passwd sync = yes
>>          ldap suffix = dc=wsisiz,dc=edu,dc=pl
>>          ldap ssl = no
>>          ldap user suffix = ou=Users
>>          remote browse sync = oxygene.ibspan.waw.pl antarctica china spiral direct odyssey
>>          winbind use default domain = Yes
>>          idmap config * : backend = tdb
>>          acl allow execute always = Yes
>>          create mask = 0644
>>          inherit acls = Yes
>>          hosts allow = 127. 10.100.0.0/255.255.0.0 213.135.34.0/255.255.255.0 213.135.44.0/255.255.252.0 213.135.48.0/255.255.254.0 2001:1a68:a::/48
>>          ea support = Yes
>>          map acl inherit = Yes
>>          cups options = raw
>>          hide dot files = No
>>          store dos attributes = Yes
>>          wide links = Yes
>>
>> domain member:
>> [root at beabourg SRPMS]# testparm
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[private]"
>> Processing section "[reklama]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>>          dos charset = CP852
>>          unix charset = UTF8
>>          workgroup = WSISIZ.EDU.PL
>>          security = DOMAIN
>>          map to guest = Bad User
>>          username map = /etc/samba/smbusers
>>          max log size = 500000
>>          time server = Yes
>>          deadtime = 10
>>          keepalive = 10
>>          hostname lookups = Yes
>>          os level = 32
>>          local master = No
>>          wins server = oceanic.wsisiz.edu.pl
>>          ldap ssl = no
>>          winbind use default domain = Yes
>>          winbind trusted domains only = Yes
>>          idmap config * : backend = tdb
>>          acl allow execute always = Yes
>>          create mask = 0644
>>          hosts allow = 213.135.44.0/255.255.252.0 213.135.48.0/255.255.254.0 213.135.34. 127. 2001:1a68:a::/48
>>          hide dot files = No
>>
>>
>
> Hmm, the workgroup name is supposed to be a single word, without 
> punctuation, no more than 15 characters and in uppercase.
> Your workgroup name is 'WSISIZ.EDU.PL' , this could be mistaken for a 
> realm name and is possibly your problem.
Maybe - but WHY was it not mistaken in samba 4.2.9?
> Can you try again, but change the workgroup name to just 'WSISIZ' first.
This is impossible - that DC has over 500+ members!

-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 404, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep

