problems with samba as domain member in rpc samba domain

Rowland Penny repenny241155 at gmail.com
Fri Mar 11 16:00:52 UTC 2016


On 11/03/16 15:04, Bartłomiej Solarz-Niesłuchowski wrote:
> On 2016-03-11 at 14:29, Rowland Penny wrote:
>> On 11/03/16 12:40, Bartłomiej Solarz-Niesłuchowski wrote:
>>> On 2016-03-11 at 13:15, Rowland Penny wrote:
>>>> On 11/03/16 11:38, Bartłomiej Solarz-Niesłuchowski wrote:
>>>>> Good morning!
>>>>>
>>>>> I have problems with domain (fedora 23 x64).
>>>>>
>>>>> Let's have:
>>>>> samba 4.3.4 as domain master (NT4 domain! - no ADS)
>>>>> samba 4.3.4 as domain member
>>>>>
>>>>> if I use:  net rpc testjoin
>>>>> no answer
>>>>> if I try to join domain:
>>>>>  net join -U root
>>>>> Enter root's password:
>>>>> Failed to join domain: failed to find DC for domain WSISIZ.EDU.PL
>>>>>
>>>>> BUT if on domain member I downgrade samba to version 4.2.9
>>>>> everything starts working.
>>>>>
>>>>> Has anybody seen this problem?
>>>>>
>>>>> Best Regards
>>>>>
>>>>
>>>>
>>>> Can we please see your smb.conf files?
>>>>
>>>> Rowland
>>>>
>>>>
>>> domain server:
>>> [global]
>>>          unix charset = UTF8
>>>          workgroup = WSISIZ.EDU.PL
>>>          allow trusted domains = No
>>>          passdb backend = ldapsam:"ldaps://mythodea.wsisiz.edu.pl/ ldaps://portraits.wsisiz.edu.pl/"
>>>          check password script = /usr/local/sbin/crackcheck -s -d /usr/lib64/cracklib_dict
>>>          map untrusted to domain = Yes
>>>          max log size = 1650065408
>>>          debug pid = Yes
>>>          debug uid = Yes
>>>          server max protocol = SMB2
>>>          max protocol = SMB2
>>>          protocol = SMB2
>>>          time server = Yes
>>>          unix extensions = No
>>>          deadtime = 60
>>>          hostname lookups = Yes
>>>          printcap cache time = 600
>>>          printcap name = cups
>>>          add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>>          add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>>          add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>>          delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>>          set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>>          add machine script = /usr/local/sbin/smbldap-useradd -t 5 -w "%u"
>>>          logon script = login.bat
>>>          logon drive = z:
>>>          logon home = \\%N\%U\profile
>>>          domain logons = Yes
>>>          os level = 128
>>>          preferred master = Yes
>>>          domain master = Yes
>>>          wins proxy = Yes
>>>          wins support = Yes
>>>          ldap admin dn = cn=Manager,dc=wsisiz,dc=edu,dc=pl
>>>          ldap delete dn = Yes
>>>          ldap group suffix = ou=Groups
>>>          ldap idmap suffix = ou=Idmap
>>>          ldap machine suffix = ou=Computers
>>>          ldap passwd sync = yes
>>>          ldap suffix = dc=wsisiz,dc=edu,dc=pl
>>>          ldap ssl = no
>>>          ldap user suffix = ou=Users
>>>          remote browse sync = oxygene.ibspan.waw.pl antarctica china spiral direct odyssey
>>>          winbind use default domain = Yes
>>>          idmap config * : backend = tdb
>>>          acl allow execute always = Yes
>>>          create mask = 0644
>>>          inherit acls = Yes
>>>          hosts allow = 127. 10.100.0.0/255.255.0.0 213.135.34.0/255.255.255.0 213.135.44.0/255.255.252.0 213.135.48.0/255.255.254.0 2001:1a68:a::/48
>>>          ea support = Yes
>>>          map acl inherit = Yes
>>>          cups options = raw
>>>          hide dot files = No
>>>          store dos attributes = Yes
>>>          wide links = Yes
>>>
>>> domain member:
>>> [root@beabourg SRPMS]# testparm
>>> Load smb config files from /etc/samba/smb.conf
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>> Processing section "[private]"
>>> Processing section "[reklama]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
>>>
>>> Press enter to see a dump of your service definitions
>>>
>>> # Global parameters
>>> [global]
>>>          dos charset = CP852
>>>          unix charset = UTF8
>>>          workgroup = WSISIZ.EDU.PL
>>>          security = DOMAIN
>>>          map to guest = Bad User
>>>          username map = /etc/samba/smbusers
>>>          max log size = 500000
>>>          time server = Yes
>>>          deadtime = 10
>>>          keepalive = 10
>>>          hostname lookups = Yes
>>>          os level = 32
>>>          local master = No
>>>          wins server = oceanic.wsisiz.edu.pl
>>>          ldap ssl = no
>>>          winbind use default domain = Yes
>>>          winbind trusted domains only = Yes
>>>          idmap config * : backend = tdb
>>>          acl allow execute always = Yes
>>>          create mask = 0644
>>>          hosts allow = 213.135.44.0/255.255.252.0 213.135.48.0/255.255.254.0 213.135.34. 127. 2001:1a68:a::/48
>>>          hide dot files = No
>>>
>>>
>>
>> Hmm, the workgroup name is supposed to be a single word, without 
>> punctuation, no more than 15 characters and in uppercase.
>> Your workgroup name is 'WSISIZ.EDU.PL', this could be mistaken for a 
>> realm name and is possibly your problem.
> Maybe - but WHY was it not mistaken in samba 4.2.9?

Not sure, it is possible that another fix also fixed this, as you really 
shouldn't use a dot in a domain (netbios) name, it could be mistaken for 
a dns domain name.

>> Can you try again, but change the workgroup name to just 'WSISIZ' first.
> This is impossible - this DC has over 500+ members!
>

Ouch!

Anybody else have any ideas what the OP can do?

Rowland
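
Added example, not part of the thread: a Python check of the workgroup rule stated in the reply above (single word, no punctuation, at most 15 characters, uppercase), run over a constructed smb.conf modelled on the quoted member configuration. The function names and the reading of "punctuation" as Python's string.punctuation are assumptions of this example.

```python
import string

# Constructed sample, modelled on the member's testparm dump quoted above.
SAMPLE_CONF = """\
# Global parameters
[global]
    workgroup = WSISIZ.EDU.PL
    security = DOMAIN
[private]
    comment = constructed share; not part of [global]
"""

def global_params(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # a trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names ignore case and whitespace
            params["".join(key.split()).lower()] = value.strip()
    return params

def workgroup_problems(name):
    """List which parts of the rule quoted in the thread a name breaks."""
    problems = []
    if len(name) > 15:
        problems.append("longer than 15 characters")
    if any(c.isspace() for c in name):
        problems.append("not a single word")
    # Assumption: "punctuation" means anything in string.punctuation.
    bad = sorted({c for c in name if c in string.punctuation})
    if bad:
        problems.append("contains punctuation: " + " ".join(bad))
    if name != name.upper():
        problems.append("not uppercase")
    return problems

def check_conf(text):
    name = global_params(text).get("workgroup", "WORKGROUP")  # Samba's default
    return name, workgroup_problems(name)
```

Calling check_conf on the text of each member's smb.conf returns the workgroup name and the list of rule violations, which is empty for a name such as 'WSISIZ'.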
