[Samba] Mixed Samba 3 & 4 Versions - Issue joining Samba 3 domain with a Samba 4 client

Hernan Saltiel hsaltiel at gmail.com
Fri Jun 10 04:37:44 UTC 2016


Hello, everybody.

     I'm trying to use a Debian 8.5.0 client machine (with hostname 
PCSCD850, 10.100.109.5 is its IP) joining an old Samba 3.6.23 tdbsam 
based PDC (hostname DSSC01, SCDOM is the NetBIOS domain name, 10.200.0.5 
its IP).

     The machine was added to the PDC using useradd (unix) and smbpasswd 
-a -m (samba). Because there is a group used for the machines 
("puestos", in Spanish, for the unix group, and "Puestos", for the Samba 
group), the commands used to add that machine were:

useradd -g puestos -d /home/PCSCD850$ -m -c "PCSCD850" -s /bin/false PCSCD850$

smbpasswd -a -m PCSCD850$

net rpc user setprimarygroup PCSCD850$ "Puestos"

     Debian 8.5.0 installs Samba 4, installed with:

apt-get install winbind samba libpam-winbind

     After installation, my /etc/samba/smb.conf was modified to have this:

[global]
    workgroup = SCDOM
    server string = %h server
    wins server = 10.200.0.5
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = domain
    netbios name = PCSC1999
    password server = 10.200.0.5
    winbind use default domain = yes
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
    domain master = no
    idmap uid = 10000000-19999999
    idmap gid = 10000000-19999999
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind enum groups = yes
    winbind enum users = yes
[homes]
    comment = Home Directories
    browseable = no
    read only = yes
    create mask = 0700
    directory mask = 0700
    valid users = %S
[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no

     On that machine, I create the directory to host the homedirs:

mkdir /home/SCDOM

     Then I modified /etc/nsswitch.conf to have this:

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

     Then I modified /etc/pam.d/common-account to have *ONLY* the next 
two lines:

account sufficient pam_winbind.so

account required pam_unix.so

     /etc/pam.d/common-auth has *ONLY* this:

auth sufficient pam_winbind.so

auth required pam_unix.so nullok_secure use_first_pass

     In /etc/pam.d/common-password I modified the next line to have this:

password [success=2 default=ignore] pam_unix.so obscure sha512 min=4 max=50

     Finally, I modified /etc/pam.d/common-session to *ADD* the 
following line:

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

     After rebooting PCSCD850, the client machine, I try to join the 
domain by executing (as I did with the previous Debian 6 distro):

net rpc join -U root

     And I receive a strange message, pointing to an access issue:

Unknown parameter encountered: "passwd backend"
Ignoring unknown parameter "passwd backend"
No realm has been specified! Do you really want to join an Active Directory server?
Enter root's password:
smb_signing_good: BAD SIG: seq 1
Failed to join domain: failed to lookup DC info for domain 'SCDOM' over rpc: Access denied

     This is what happens on the client side. On the server side, 
looking for the pcscd850.log file, I see this:

[2016/06/10 01:35:06.365031,  2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
   Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
[2016/06/10 01:35:06.366012,  2, effective(99, 99), real(0, 0)] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
   credentials check failed
[2016/06/10 01:35:06.366072,  0, effective(99, 99), real(0, 0)] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PCSCD850 machine account PCSCD850$
[2016/06/10 01:35:06.415496,  2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
   Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
[2016/06/10 01:35:09.179484,  2, effective(0, 0), real(0, 0)] auth/auth.c:320(check_ntlm_password)
   check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
[2016/06/10 01:35:09.180364,  1, effective(0, 0), real(0, 0)] smbd/session.c:86(session_claim)
   Re-using invalid record
[2016/06/10 01:35:09.185607,  2, effective(0, 0), real(0, 0)] smbd/utmp.c:439(sys_utmp_update)
   utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2016/06/10 01:35:09.211072,  2, effective(0, 0), real(0, 0)] smbd/utmp.c:439(sys_utmp_update)
   utmp_update: uname:/var/run/utmp wname:/var/log/wtmp

     I googled a lot for this, but I'm only getting some information 
about Windows clients, pointing to some registry changes.

     Does anybody have any clue or idea about what this issue is about, 
and how I can join a Samba 3 domain when the client is a Samba 4 
(4.2.10) one?

     Thanks a lot in advance for your attention.

     Best regards,

HeCSa.
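
Added example, not part of the original post: a small Python parser for the smbd log format shown in the message, which pairs each bracketed header with its message line and reports the _netr_ServerAuthenticate3 rejections together with the client and machine account they name. The sample text is constructed from three entries of the server log in the post with the mail wrapping undone; the function and variable names are this example's own.

```python
import re

# Constructed sample: three entries taken from the server log in the post,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
[2016/06/10 01:35:06.366012,  2, effective(99, 99), real(0, 0)] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
   credentials check failed
[2016/06/10 01:35:06.366072,  0, effective(99, 99), real(0, 0)] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PCSCD850 machine account PCSCD850$
[2016/06/10 01:35:09.179484,  2, effective(0, 0), real(0, 0)] auth/auth.c:320(check_ntlm_password)
   check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
"""

# Header line: [timestamp, debug level, effective/real ids] source:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(?P<level>\d+),"
    r"[^\]]*\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
REJECT = re.compile(
    r"Rejecting auth request from client (?P<client>\S+) "
    r"machine account (?P<account>\S+)"
)

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def netlogon_rejections(entries):
    """Return (timestamp, client, machine account) for each rejected netlogon auth."""
    hits = []
    for e in entries:
        m = REJECT.search(e["msg"])
        if e["func"] == "_netr_ServerAuthenticate3" and m:
            hits.append((e["ts"], m["client"], m["account"]))
    return hits

if __name__ == "__main__":
    for ts, client, account in netlogon_rejections(parse_entries(SAMPLE_LOG)):
        print(f"{ts} netlogon rejected: client={client} account={account}")
```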


