[Samba] Mixed Samba 3 & 4 Versions - Issue joining Samba 3 domain with a Samba 4 client

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Jun 10 13:29:42 UTC 2016


Can you double check your samba version?  If you are running Samba
4.4.2, 4.3.8 and 4.2.11 or later, your version has been patched for
BADLOCK, which means the client will not be compatible with an unpatched
3.x domain controller.  You may need to roll back to a non-patched
version, i.e. previous to Samba 4.4.2, 4.3.8 and 4.2.11.  (I had this on
several machines and despite various config changes could not make it
work.)  The recommended solution is probably to patch or upgrade the
samba software on your domain controller.


You may also want to set

     client signing = No
     server signing = No


or

     signing = No
     server signing = No


and verify with "testparm -v | grep sign"



On 06/10/16 00:37, Hernan Saltiel wrote:
> Hello, everybody.
>
>     I'm trying to use a Debian 8.5.0 client machine (with hostname 
> PCSCD850, 10.100.109.5 is its IP) joining an old Samba 3.6.23 tdbsam 
> based PDC (hostname DSSC01, SCDOM is the NetBIOS domain name, 
> 10.200.0.5 its IP).
>
>     The machine was added to the PDC using useradd (unix) and 
> smbpasswd -a -m (samba). Because there is a group used for the 
> machines ("puestos", in Spanish, for the unix group, and "Puestos", 
> for the Samba group), the commands used to add that machine were:
>
> useradd -g puestos -d /home/PCSCD850$ -m -c "PCSCD850" -s /bin/false PCSCD850$
>
> smbpasswd -a -m PCSCD850$
>
> net rpc user setprimarygroup PCSCD850$ "Puestos"
>
>     Debian 8.5.0 installs Samba 4, installed with:
>
> apt-get install winbind samba libpam-winbind
>
>     After installation, my /etc/samba/smb.conf was modified to have this:
>
> [global]
>    workgroup = SCDOM
>    server string = %h server
>    wins server = 10.200.0.5
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    security = domain
>    netbios name = PCSC1999
>    password server = 10.200.0.5
>    winbind use default domain = yes
>    encrypt passwords = true
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
>    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
>    domain master = no
>    idmap uid = 10000000-19999999
>    idmap gid = 10000000-19999999
>    template shell = /bin/bash
>    template homedir = /home/%D/%U
>    winbind enum groups = yes
>    winbind enum users = yes
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    read only = yes
>    create mask = 0700
>    directory mask = 0700
>    valid users = %S
>
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    guest ok = no
>    read only = yes
>    create mask = 0700
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
>
>     On that machine, I create the directory to host the homedirs:
>
> mkdir /home/SCDOM
>
>     Then I modified /etc/nsswitch.conf to have this:
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat winbind
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
>
>     Then I modified /etc/pam.d/common-account to have *ONLY* the next 
> two lines:
>
> account sufficient pam_winbind.so
>
> account required pam_unix.so
>
>     /etc/pam.d/common-auth has *ONLY* this:
>
> auth sufficient pam_winbind.so
>
> auth required pam_unix.so nullok_secure use_first_pass
>
>     In /etc/pam.d/common-password I modified the next line to have this:
>
> password [success=2 default=ignore] pam_unix.so obscure sha512 min=4 
> max=50
>
>     Finally, I modified /etc/pam.d/common-session to *ADD* the 
> following line:
>
> session required pam_mkhomedir.so umask=0022 skel=/etc/skel
>
>     After rebooting PCSCD850, the client machine, I try to join the 
> domain executing (as I did with the previous Debian 6 distro):
>
> net rpc join -U root
>
>     And I receive a strange message, pointing to an access issue:
>
> Unknown parameter encountered: "passwd backend"
> Ignoring unknown parameter "passwd backend"
> No realm has been specified! Do you really want to join an Active Directory server?
> Enter root's password:
> smb_signing_good: BAD SIG: seq 1
> Failed to join domain: failed to lookup DC info for domain 'SCDOM' over rpc: Access denied
>
>     This is what happens on the client side. On the server side, 
> looking for the pcscd850.log file, I see this:
>
> [2016/06/10 01:35:06.365031,  2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
>   Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
> [2016/06/10 01:35:06.366012,  2, effective(99, 99), real(0, 0)] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
>   credentials check failed
> [2016/06/10 01:35:06.366072,  0, effective(99, 99), real(0, 0)] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PCSCD850 machine account PCSCD850$
> [2016/06/10 01:35:06.415496,  2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
>   Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
> [2016/06/10 01:35:09.179484,  2, effective(0, 0), real(0, 0)] auth/auth.c:320(check_ntlm_password)
>   check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
> [2016/06/10 01:35:09.180364,  1, effective(0, 0), real(0, 0)] smbd/session.c:86(session_claim)
>   Re-using invalid record
> [2016/06/10 01:35:09.185607,  2, effective(0, 0), real(0, 0)] smbd/utmp.c:439(sys_utmp_update)
>   utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
> [2016/06/10 01:35:09.211072,  2, effective(0, 0), real(0, 0)] smbd/utmp.c:439(sys_utmp_update)
>   utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
>
>     I googled a lot for this, but I'm only getting some information 
> about Windows clients, pointing to some registry changes.
>
>     Does anybody have any clue or idea about what this issue is about, 
> and how I can join a Samba 3 domain when the client is a Samba 4 
> (4.2.10) one?
>
>     Thanks a lot in advance for your attention.
>
>     Best regards,
>
> HeCSa.
>
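Two offline checks that follow the advice in the reply above, written here as an added example and not code from the thread or the Samba project: a version test against the Badlock fix releases the reply names (4.4.2, 4.3.8, 4.2.11) and a parser for the signing lines of "testparm -v | grep sign". The sample testparm lines are constructed, and the "Version x.y.z" format of `smbd -V` output is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Exit status of badlock_patched:
# 0 = at/after a fix release, 1 = before it, 2 = no version found in input.
# Input is a Samba version string such as the output of `smbd -V`
# (assumed format "Version 4.2.10-Debian").
badlock_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 4 ] && return 0
    [ "$major" -lt 4 ] && return 1
    case "$minor" in
        4) [ "$patch" -ge 2 ] ;;      # 4.4.2 or later
        3) [ "$patch" -ge 8 ] ;;      # 4.3.8 or later
        2) [ "$patch" -ge 11 ] ;;     # 4.2.11 or later
        *) [ "$minor" -gt 4 ] ;;      # 4.5+ postdates every fix; 4.1 and older predate them
    esac
}

# Extract one parameter's value (lower-cased) from testparm output passed as text.
signing_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1 | tr 'A-Z' 'a-z'
}

# Spellings Samba accepts for a boolean "false".
is_false() {
    case "$1" in no|false|off|disabled|0) return 0 ;; *) return 1 ;; esac
}

# Returns 0 only when both client and server signing are turned off,
# i.e. the workaround from the reply is really what testparm reports.
signing_disabled() {
    is_false "$(signing_value 'client signing' "$1")" && is_false "$(signing_value 'server signing' "$1")"
}

# Constructed sample testparm lines; on a real client use
# `testparm -s -v 2>/dev/null | grep -i signing`.
SAMPLE_SIGNING_OFF='    client signing = No
    server signing = No'
SAMPLE_SIGNING_DEFAULT='    client signing = default
    server signing = default'

if command -v smbd >/dev/null 2>&1; then
    if badlock_patched "$(smbd -V)"; then
        echo "client build is at or after a Badlock fix release"
    else
        echo "client build predates the Badlock fix releases by version number"
    fi
fi
```

Distribution security updates can backport the fix without changing the upstream version number, so a "predates" verdict from the version string is a prompt to read the package changelog rather than a final answer. Turning signing off on the client also gives up the protection the Badlock fix added, which is why the reply prefers patching the domain controller.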