[Samba] Mixed Samba 3 & 4 Versions - Issue joining Samba 3 domain with a Samba 4 client
Hernan Saltiel
hsaltiel at gmail.com
Fri Jun 10 04:37:44 UTC 2016
Hello, everybody.
I'm trying to join a Debian 8.5.0 client machine (hostname PCSCD850,
IP 10.100.109.5) to an old Samba 3.6.23 tdbsam-based PDC (hostname
DSSC01, NetBIOS domain name SCDOM, IP 10.200.0.5).
The machine was added to the PDC using useradd (unix) and smbpasswd
-a -m (samba). Because there is a group used for the machines
("puestos", in Spanish, for the unix group, and "Puestos", for the Samba
group), the commands used to add that machine were:
useradd -g puestos -d /home/PCSCD850$ -m -c "PCSCD850" -s /bin/false PCSCD850$
smbpasswd -a -m PCSCD850$
net rpc user setprimarygroup PCSCD850$ "Puestos"
Debian 8.5.0 ships Samba 4, which I installed with:
apt-get install winbind samba libpam-winbind
After installation, my /etc/samba/smb.conf was modified to have this:
[global]
    workgroup = SCDOM
    server string = %h server
    wins server = 10.200.0.5
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = domain
    netbios name = PCSC1999
    password server = 10.200.0.5
    winbind use default domain = yes
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
    domain master = no
    idmap uid = 10000000-19999999
    idmap gid = 10000000-19999999
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind enum groups = yes
    winbind enum users = yes

[homes]
    comment = Home Directories
    browseable = no
    read only = yes
    create mask = 0700
    directory mask = 0700
    valid users = %S

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
On that machine, I created the directory to host the home directories:
mkdir /home/SCDOM
Then I modified /etc/nsswitch.conf to have this:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Then I modified /etc/pam.d/common-account to have *ONLY* the next
two lines:
account sufficient pam_winbind.so
account required pam_unix.so
/etc/pam.d/common-auth has *ONLY* this:
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
In /etc/pam.d/common-password I modified the following line to have this:
password [success=2 default=ignore] pam_unix.so obscure sha512 min=4 max=50
Finally, I modified /etc/pam.d/common-session to *ADD* the
following line:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
After rebooting PCSCD850, the client machine, I try to join the
domain by executing (as I did with the previous Debian 6 distro):
net rpc join -U root
And I receive a strange message, pointing to an access issue:
Unknown parameter encountered: "passwd backend"
Ignoring unknown parameter "passwd backend"
No realm has been specified! Do you really want to join an Active Directory server?
Enter root's password:
smb_signing_good: BAD SIG: seq 1
Failed to join domain: failed to lookup DC info for domain 'SCDOM' over rpc: Access denied
This is what happens on the client side. On the server side,
looking at the pcscd850.log file, I see this:
[2016/06/10 01:35:06.365031, 2, effective(0, 0), real(0, 0)]
rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
[2016/06/10 01:35:06.366012, 2, effective(99, 99), real(0, 0)]
../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
credentials check failed
[2016/06/10 01:35:06.366072, 0, effective(99, 99), real(0, 0)]
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client PCSCD850 machine account PCSCD850$
[2016/06/10 01:35:06.415496, 2, effective(0, 0), real(0, 0)]
rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
[2016/06/10 01:35:09.179484, 2, effective(0, 0), real(0, 0)]
auth/auth.c:320(check_ntlm_password)
check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2016/06/10 01:35:09.180364, 1, effective(0, 0), real(0, 0)]
smbd/session.c:86(session_claim)
Re-using invalid record
[2016/06/10 01:35:09.185607, 2, effective(0, 0), real(0, 0)]
smbd/utmp.c:439(sys_utmp_update)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2016/06/10 01:35:09.211072, 2, effective(0, 0), real(0, 0)]
smbd/utmp.c:439(sys_utmp_update)
utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
I googled a lot for this, but I'm only getting some information
about Windows clients, pointing to some registry changes.
Does anybody have any clue or idea about what this issue is,
and how I can join a Samba 3 domain when the client is a Samba 4
(4.2.10) one?
Thanks a lot in advance for your attention.
Best regards,
HeCSa.
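As an added example (not part of the original post, and not Samba's own tooling), the following Python script parses the PDC debug-log format quoted above, where each entry is a `[timestamp, level, effective(...), real(...)]` header followed by a source-location line and one or more wrapped message lines, and pulls out the netlogon machine-account rejections emitted by `_netr_ServerAuthenticate3`, so an administrator can see which client and machine account the PDC refused and when. The sample log is constructed from the lines in the post.

```python
import re

# Header of a Samba debug-log entry, e.g. [2016/06/10 01:35:06.366072, 0, effective(99, 99), real(0, 0)]
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)"
                       r"(?:, effective\(\d+, \d+\), real\(\d+, \d+\))?\]")
# Source location following the header, e.g. rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
LOCATION_RE = re.compile(r"^(?P<file>[\w./-]+\.c):(?P<line>\d+)\((?P<func>\w+)\)$")
# Message the PDC logs when the netlogon schannel credential check for a machine account fails
REJECT_RE = re.compile(r"Rejecting auth request from client (?P<client>\S+) "
                       r"machine account (?P<account>\S+\$)")

# Constructed sample, assembled from the log lines quoted in the post
SAMPLE_LOG = """\
[2016/06/10 01:35:06.366012, 2, effective(99, 99), real(0, 0)]
  ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
  credentials check failed
[2016/06/10 01:35:06.366072, 0, effective(99, 99), real(0, 0)]
  rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client PCSCD850 machine account PCSCD850$
[2016/06/10 01:35:09.179484, 2, effective(0, 0), real(0, 0)]
  auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
"""

def parse_samba_log(text):
    """Group raw lines into entries: timestamp, debug level, logging function, joined message."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        hdr = HEADER_RE.match(line)
        if hdr:
            entries.append({"ts": hdr["ts"], "level": int(hdr["level"]), "func": None, "message": []})
            continue
        if not entries:
            continue  # text before the first header cannot be attributed to an entry
        loc = LOCATION_RE.match(line)
        if loc and entries[-1]["func"] is None and not entries[-1]["message"]:
            entries[-1]["func"] = loc["func"]  # first line after the header is the source location
        else:
            entries[-1]["message"].append(line)
    for e in entries:
        e["message"] = " ".join(e["message"])  # wrapped message lines become one string
    return entries

def netlogon_rejections(text):
    """Return machine-account rejections from _netr_ServerAuthenticate3: which client, which account, when."""
    hits = []
    for e in parse_samba_log(text):
        m = REJECT_RE.search(e["message"])
        if m and e["func"] == "_netr_ServerAuthenticate3":
            hits.append({"ts": e["ts"], "client": m["client"], "account": m["account"]})
    return hits
```

Run it against /var/log/samba/log.<client> on the PDC (the pcscd850.log in this case) to confirm whether the failure is the schannel credential check rather than the later user authentication, which in the quoted log succeeds for root.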