[Samba] Samba domain join issues

Rowland Penny rpenny at samba.org
Mon Oct 31 19:14:16 UTC 2016


On Mon, 31 Oct 2016 23:36:16 +0530
Pradeep Rawat <pradeeprawat85 at gmail.com> wrote:

> Tried that, same error.
> 
> Enter adminuser's password:
> Failed to join domain: failed to lookup DC info for domain
> 'MYDOMAIN.COM' over rpc:Logon failure
> 
> On Mon, Oct 31, 2016 at 11:25 PM, Rowland Penny <rpenny at samba.org>
> wrote:
> 
> > On Mon, 31 Oct 2016 22:36:55 +0530
> > Pradeep Rawat via samba <samba at lists.samba.org> wrote:
> >
> > > Hi All,
> > >
> > > I am having an issue with Samba joining an active directory
> > > domain.
> > >
> > > When I run the 'net ads join -S mydomaincontrollerFQDN -U adminuser'
> > > command I get this error:
> > > Failed to join domain: failed to lookup DC info for domain
> > > 'MYDOMAIN.COM' over rpc: Logon failure
> > >
> > > The credentials we entered are for sure correct, but if we look at our
> > > domain controller it counts it as a bad password. I see an event
> > > logged, 4625, with unknown username or bad password.
> > >
> > > Samba version is 3.6.4 and active directory is running on both
> > > 2008 R2 and 2012 R2 OS (with DFL/FFL as 2008 R2). I have tried
> > > with both versions of domain controllers without any success.
> > >
> > > I have also tried changing LmCompatibilityLevel on the domain
> > > controllers from 0 to 5, but the issue still persists. We initially
> > > thought this is because of MS16-077 patch but we uninstalled it
> > > from all our 2008 R2 domain controllers and 2012 R2 domain didn't
> > > have this patch at all.
> > >
> > > An example of our smb.conf file is here:
> > >
> > > [global]
> > >         workgroup = MYDOMAIN
> > >         realm = MYDOMAIN.COM
> > >         netbios name = samba-server
> > >         server string = Samba Server
> > >         security =  DOMAIN
> > >         password server = myDomainControllerName.mydomain.com
> > >         client ntlmv2 auth = yes
> > >         encrypt passwords = yes
> > >         max protocol = smb2
> > >         restrict anonymous = 1
> > >         log level = 2
> > >         username map = /etc/samba/smbusers
> > >         log file = /var/samba/log/log.%m
> > >         debug pid = Yes
> > >         debug uid = Yes
> > >         max xmit = 65535
> > >         name resolve order = host wins bcast lmhosts
> > >         max ttl = 5000
> > >         deadtime = 5
> > >         hostname lookups = Yes
> > >         os level = 20
> > >         local master = No
> > >         domain master = No
> > >         wins server = <ip address of WINS server>
> > >         host msdfs = No
> > >         idmap config * : range = 10000-200000
> > >         idmap config * : backend = tdb
> > >         map archive = No
> > >         map hidden = No
> > >         map system = No
> > >         case sensitive = Yes
> > >         read only = No
> > >         create mask = 0775
> > >         directory mask = 0775
> > >         hide dot files = No
> > >         oplocks = No
> > >         level2 oplocks = No
> > >         strict locking = Yes
> > >
> > > Any help or pointers will be appreciated. Thanks in advance.
> > >
> > >
> > >
> > > Thanks
> >
> > Try replacing 'security =  DOMAIN' with 'security = ADS'
> >
> > Rowland
> >

OK, try this smb.conf:

[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        netbios name = samba-server
        server string = Samba Server
        security =  ADS
        restrict anonymous = 1
        log level = 2
        username map = /etc/samba/smbusers
        log file = /var/samba/log/log.%m
        max xmit = 65535
        max ttl = 5000
        deadtime = 5
        os level = 20
        local master = No
        domain master = No
        host msdfs = No
        idmap config * : range = 2000-9999
        idmap config * : backend = tdb
        idmap config MYDOMAIN : range = 10000-200000
        idmap config MYDOMAIN : backend = rid
        map archive = No
        map hidden = No
        hide dot files = No
        oplocks = No
        level2 oplocks = No
        strict locking = Yes

The 'username map' file should only have a mapping from 'root' to
'Administrator'.

Your /etc/resolv.conf should use one of the DCs as its nameserver

/etc/hosts should contain a line '127.0.0.1 localhost' and a line for
the domain member e.g.

127.0.0.1 localhost
192.168.0.4 samba-server.mydomain.com samba-server

If the domain member gets its IP address via DHCP, you don't need the
last line.

If there is a line that starts '127.0.1.1', remove it.

'hostname -s' should display 'samba-server'
'hostname -d' should display 'mydomain.com'

If everything is ok, try joining the machine to the domain:

net ads join -Uadministrator

Rowland
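As an added example, not from the thread, here is a POSIX sh script that checks the items Rowland lists (security = ADS in smb.conf, a root-only username map, the /etc/hosts lines, and a DC as nameserver in resolv.conf) before the join is attempted. The file contents and addresses in the demo are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added pre-join sanity script (not from the thread). Each check takes the file
# to inspect as an argument, so it can be pointed at the real /etc files or, as
# in the demo at the bottom, at constructed sample files.

# smb.conf must contain 'security = ADS' (case of the value and spacing ignored).
check_security_ads() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ADS[[:space:]]*$' "$1"
}

# /etc/hosts (args: file short domain): needs '127.0.0.1 localhost', a
# '<ip> short.domain short' line for the member, and no '127.0.1.1' line.
check_hosts() {
    grep -Eq '^[[:space:]]*127\.0\.0\.1[[:space:]]+localhost([[:space:]]|$)' "$1" || return 1
    grep -Eq "^[[:space:]]*[0-9.]+[[:space:]]+$2\.$3[[:space:]]+$2([[:space:]]|$)" "$1" || return 1
    ! grep -Eq '^[[:space:]]*127\.0\.1\.1([[:space:]]|$)' "$1"
}

# username map: after dropping comments and blank lines, at least one line must
# remain and every remaining line must map root to Administrator.
check_username_map() {
    lines=$(sed -e 's/[#;].*$//' "$1" | grep -Ev '^[[:space:]]*$' || true)
    [ -n "$lines" ] || return 1
    ! printf '%s\n' "$lines" | grep -Eivq '^[[:space:]]*!?root[[:space:]]*=.*administrator[[:space:]]*$'
}

# /etc/resolv.conf (args: file dc_ip...): some nameserver must be one of the DCs.
check_resolv() {
    f=$1; shift
    for ns in $(awk '$1=="nameserver"{print $2}' "$f"); do
        for dc in "$@"; do [ "$ns" = "$dc" ] && return 0; done
    done
    return 1
}

# Demo on constructed files; the addresses are made up for illustration.
demo() {
    d=$(mktemp -d)
    printf '[global]\n\tsecurity =  ADS\n' > "$d/smb.conf"
    printf '127.0.0.1 localhost\n192.168.0.4 samba-server.mydomain.com samba-server\n' > "$d/hosts"
    printf '# unix = windows\nroot = Administrator\n' > "$d/smbusers"
    printf 'search mydomain.com\nnameserver 192.168.0.1\n' > "$d/resolv.conf"
    check_security_ads "$d/smb.conf" && echo "smb.conf: security = ADS"
    check_hosts "$d/hosts" samba-server mydomain.com && echo "hosts: ok"
    check_username_map "$d/smbusers" && echo "username map: ok"
    check_resolv "$d/resolv.conf" 192.168.0.1 192.168.0.2 && echo "resolv.conf: ok"
    rm -rf "$d"
}
demo
```

Point the checks at the real files and your DC addresses on the member; any check that stays silent is one to fix before running 'net ads join'.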