[Samba] unable to join a SAMBA linux box to MSWindows 2012 AD

Rowland Penny rowlandpenny at googlemail.com
Tue Jun 2 03:22:47 MDT 2015


On 01/06/15 00:53, tsmafts wrote:
>   
>
> Linux debian1 3.2.0-4-686-pae #1 SMP Debian 3.2.68-1+deb7u1 i686
> GNU/Linux
> It is serving as a file server for a few Windows PCs in a satellite
> office.
> I am trying to join the machine to an AD domain in our main office.
> Tried net join -U duper%5HaveLefT -d5
>
> debug results:[code]INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter idmap gid = 16777216-33554431
> WARNING: The "idmap gid" option is deprecated
> doing parameter passwd chat = *New*password* %nn *ReType*new*password*
> %nn *passwd*changed*n
> doing parameter obey pam restrictions = yes
> doing parameter preserve case = yes
> doing parameter delete user from group script = /usr/sbin/userdel '%u'
> '%g'
> doing parameter time server = no
> doing parameter dns proxy = no
> doing parameter netbios name = CCSOO
> handle_netbios_name: set global_myname to: CCSOO
> doing parameter cups options = raw
> doing parameter printing = lprng
> doing parameter idmap uid = 16777216-33554431
> WARNING: The "idmap uid" option is deprecated
> doing parameter disable netbios = no
> doing parameter logon script = %G.bat
> doing parameter winbind refresh tickets = no
> doing parameter security = ADS
> doing parameter machine password timeout = 120
> doing parameter add machine script = /usr/sbin/useradd -d /dev/null -g
> sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'
> doing parameter short preserve case = yes
> doing parameter delete user script = /usr/sbin/userdel '%u'
> doing parameter server schannel = no
> doing parameter max log size = 1000
> doing parameter winbind nss info = no
> doing parameter log file = /var/log/samba/samba.log
> doing parameter printer = Aficio-MP-4500
> doing parameter load printers = yes
> doing parameter guest account = smbguest
> doing parameter passwd chat timeout = 120
> doing parameter delete group script = /usr/sbin/groupdel '%g'
> doing parameter username level = 6
> doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
> doing parameter wins server = 192.168.1.218
> doing parameter client use spnego = no
> doing parameter follow symlinks = no
> doing parameter null passwords = no
> WARNING: The "null passwords" option is deprecated
> doing parameter domain master = no
> doing parameter winbind trusted domains only = yes
> doing parameter winbind use default domain = yes
> doing parameter passdb backend = tdbsam
> doing parameter template shell = /dev/null
> doing parameter client plaintext auth = no
> doing parameter bind interfaces only = yes
> doing parameter pam password change = no
> doing parameter enable spoolss = yes
> doing parameter domain logons = yes
> doing parameter name resolve order = wins lmhosts bcast
> doing parameter client signing = yes
> doing parameter hostname lookups = no
> doing parameter remote browse sync = 192.168.102.255
> doing parameter client schannel = no
> doing parameter passwd program = /usr/bin/passwd '%u'
> doing parameter allow hosts = 127. 192.168.102. 192.168.1.
> doing parameter remote announce = 192.168.102.255 192.168.1.255
> doing parameter local master = no
> doing parameter realm = fask.COM
> doing parameter workgroup = fask
> doing parameter os level = 33
> doing parameter server signing = no
> doing parameter printcap name = cups
> doing parameter winbind separator = @
> doing parameter winbind offline logon = yes
> doing parameter allow trusted domains = yes
> doing parameter add group script = /usr/sbin/groupadd '%g'
> doing parameter nt pipe support = yes
> doing parameter add user to group script = /usr/sbin/useradd -d
> /dev/null -c 'Samba User Account' -s /dev/null -g '%g' '%u'
> doing parameter nt status support = yes
> doing parameter logon drive = m:
> doing parameter interfaces = 127.0.0.1/8 192.168.102.0/24
> doing parameter username map = /etc/samba/smbusers
> doing parameter encrypt passwords = yes
> doing parameter public = yes
> doing parameter logon home = \%Lhomes%u
> doing parameter wins proxy = no
> doing parameter password level = 6
> WARNING: The "password level" option is deprecated
> doing parameter server string = Occidentel server
> doing parameter winbind nested groups = no
> doing parameter unix password sync = yes
> doing parameter logon path = \%Lprofiles%u
> doing parameter add user script = /usr/sbin/useradd -d /dev/null -c
> 'Samba User Account' -s /dev/null '%u'
> doing parameter preferred master = no
> doing parameter winbind cache time = 360
> pm_process() returned Yes
> Substituting charset 'UTF-8' for LOCALE
> Netbios name list:-
> my_netbios_names[0]="CCSOO"
> interpret_interface: Adding interface 127.0.0.1/8
> added interface 127.0.0.1/8 ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> interpret_interface: using netmask value 24 from config file on
> interface eth0
> added interface eth0 ip=192.168.102.251 bcast=192.168.102.255
> netmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Opening cache file at /var/run/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> sitename_fetch: Returning sitename for fask.COM:
> "Default-First-Site-Name"
> saf_fetch: failed to find server for "fask.COM" domain
> get_dc_list: preferred server list: ", *"
> name fask.COM#1C found.
> get_dc_list: returning 1 ip addresses in an ordered list
> get_dc_list: 192.168.1.218:389
> ads_try_connect: sending CLDAP request to 192.168.1.218 (realm:
> fask.COM)
> Successfully contacted LDAP server 192.168.1.218
> Invalid configuration. Exiting....
> ADS join did not work, falling back to RPC...
> name fask#1B found.
> namecache_status_fetch: key NBT/fask#1B.20.192.168.1.218 ->
> fask-SERVER01
> Connecting to host=fask-SERVER01
> Connecting to 192.168.1.218 at port 445
> Connecting to 192.168.1.218 at port 139
> Socket options:
>   SO_KEEPALIVE = 0
>   SO_REUSEADDR = 0
>   SO_BROADCAST = 0
>   TCP_NODELAY = 1
>   TCP_KEEPCNT = 9
>   TCP_KEEPIDLE = 7200
>   TCP_KEEPINTVL = 75
>   IPTOS_LOWDELAY = 0
>   IPTOS_THROUGHPUT = 0
>   SO_SNDBUF = 16384
>   SO_RCVBUF = 16384
>   SO_SNDLOWAT = 1
>   SO_RCVLOWAT = 1
>   SO_SNDTIMEO = 0
>   SO_RCVTIMEO = 0
>   TCP_QUICKACK = 1
> Substituting charset 'UTF-8' for LOCALE
> Bind RPC Pipe: host fask-SERVER01 auth_type 0, auth_level 1
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 80
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 32
> Bind RPC Pipe: host fask-SERVER01 auth_type 0, auth_level 1
> rpc_api_pipe: host fask-SERVER01
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc command function failed! (NT_STATUS_NOT_SUPPORTED)
> name fask#1B found.
> namecache_status_fetch: key NBT/fask#1B.20.192.168.1.218 ->
> fask-SERVER01
> Connecting to host=fask-SERVER01
> Connecting to 192.168.1.218 at port 445
> Connecting to 192.168.1.218 at port 139
> Socket options:
>   SO_KEEPALIVE = 0
>   SO_REUSEADDR = 0
>   SO_BROADCAST = 0
>   TCP_NODELAY = 1
>   TCP_KEEPCNT = 9
>   TCP_KEEPIDLE = 7200
>   TCP_KEEPINTVL = 75
>   IPTOS_LOWDELAY = 0
>   IPTOS_THROUGHPUT = 0
>   SO_SNDBUF = 16384
>   SO_RCVBUF = 16384
>   SO_SNDLOWAT = 1
>   SO_RCVLOWAT = 1
>   SO_SNDTIMEO = 0
>   SO_RCVTIMEO = 0
>   TCP_QUICKACK = 1
> cli_session_setup: NT1 session setup failed: NT_STATUS_INVALID_PARAMETER
> failed session setup with NT_STATUS_INVALID_PARAMETER
> Could not connect to server fask-SERVER01
> Connection failed: NT_STATUS_INVALID_PARAMETER
> return code = 1 [/code]
>
> hmm. so ran net ads lookup dc and that resulted in:
> [code]Information for Domain Controller: 192.168.1.218
>
> Response Type: LOGON_SAM_LOGON_RESPONSE_EX
> GUID: 242bf0ef-bb6a-46a3-b220-f709d9bc897a
> Flags:
>   Is a PDC: yes
>   Is a GC of the forest: yes
>   Is an LDAP server: yes
>   Supports DS: yes
>   Is running a KDC: yes
>   Is running time services: yes
>   Is the closest DC: yes
>   Is writable: yes
>   Has a hardware clock: yes
>   Is a non-domain NC serviced by LDAP server: no
>   Is NT6 DC that has some secrets: no
>   Is NT6 DC that has all secrets: yes
> Forest: fask.com
> Domain: fask.com
> Domain Controller: fask-SERVER01.fask.com
> Pre-Win2k Domain: fask
> Pre-Win2k Hostname: fask-SERVER01
> Server Site Name : Default-First-Site-Name
> Client Site Name : Default-First-Site-Name
> NT Version: 5
> LMNT Token: ffff
> LM20 Token: ffff
>   [/code]
> and for good measure ran net ads info which at least gave back an
> error of some sort:
> [code]Failed to get server's current time!
> LDAP server: 192.168.1.218
> LDAP server name: fask-SERVER01.fask.com
> Realm: fask.COM
> Bind Path: dc=fask,dc=COM
> LDAP port: 389
> Server time: Wed, 31 Dec 1969 16:00:00 PST
> KDC server: 192.168.1.218
> Server time offset: 0
> [/code]
> And just to make sure I'm not being really klutzy about this, the user
> to be used in the net join is a user on the existing Windows AD that I
> want to join that has administrative rights and not the local Debian
> super user.
>
> Help please, I need to get the Debian machine on the domain so that an
> FTP server can use it.
>   

It looks like you are using Debian wheezy with the standard 3.6.x
version of Samba, and if you look through what you posted there is this:

Invalid configuration. Exiting....

Pretty explicit why it doesn't work. Have a look here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

There is a known working smb.conf on that page. Adapt it to your realm,
workgroup etc. and try again. Once you have got Samba working again, you
could then start adding some of the lines that you have in your
original, but be very selective; quite a lot of what you have isn't
needed any more. I would suggest you read 'man smb.conf'.

You can upgrade to a later Samba version by using the backports repo or
by using the Samba packages from SerNet, though this would involve
registering with SerNet (this is free).

Rowland
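
As an aid to the "be very selective" step above, the following added example (not part of the original thread and not Samba project code) rebuilds the parameter list from pasted `net join -d5` output, marks options the log itself reports as deprecated, and lists signing, schannel and SPNEGO settings that the log shows set to `no`. The `REVIEW` set and the function names are assumptions made for this example; the sample input is constructed from lines in the quoted log.

```python
import re

# Constructed sample: lines in the shape of the quoted debug output,
# including the "> " mail quoting and a value wrapped onto a second line.
SAMPLE = """\
> Processing section "[global]"
> doing parameter idmap gid = 16777216-33554431
> WARNING: The "idmap gid" option is deprecated
> doing parameter security = ADS
> doing parameter add machine script = /usr/sbin/useradd -d /dev/null -g
> sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'
> doing parameter server schannel = no
> doing parameter client use spnego = no
> doing parameter domain logons = yes
> doing parameter server signing = no
> pm_process() returned Yes
"""

# Assumption: review list chosen for this example, not taken from the post.
REVIEW = {"server signing", "client signing", "server schannel",
          "client schannel", "client use spnego"}

PARAM = re.compile(r"doing parameter (.+?) = (.*)")
DEPRECATED = re.compile(r'WARNING: The "(.+?)" option is deprecated')
# Prefixes that start a new log record, so are never a wrapped value.
NEW_RECORD = re.compile(r"(Processing section|pm_process|handle_netbios_name)")

def parse_join_log(text):
    """Return (params, deprecated) recovered from smb.conf load debug output."""
    params, deprecated, last = {}, [], None
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()   # drop mail quoting
        if m := PARAM.match(line):
            last = m.group(1)
            params[last] = m.group(2)
        elif m := DEPRECATED.match(line):
            deprecated.append(m.group(1))
            last = None
        elif not line or NEW_RECORD.match(line):
            last = None
        elif last:   # wrapped value: glue it back onto the parameter
            params[last] += " " + line
    return params, deprecated

def report(text):
    """Return (smb.conf-style lines, review-list settings that are 'no')."""
    params, deprecated = parse_join_log(text)
    lines = [f"{k} = {v}" + ("   # deprecated" if k in deprecated else "")
             for k, v in params.items()]
    flagged = sorted(k for k in params if k in REVIEW and params[k] == "no")
    return lines, flagged
```

Feeding the full quoted log to `report()` gives a list that can be compared line by line against the known working smb.conf before anything is copied across.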

