[Samba] Samba domain join issues
Rowland Penny
rpenny at samba.org
Mon Oct 31 19:14:16 UTC 2016
On Mon, 31 Oct 2016 23:36:16 +0530
Pradeep Rawat <pradeeprawat85 at gmail.com> wrote:
> Tried that, same error.
>
> Enter adminuser's password:
> Failed to join domain: failed to lookup DC info for domain
> 'MYDOMAIN.COM' over rpc:Logon failure
>
> On Mon, Oct 31, 2016 at 11:25 PM, Rowland Penny <rpenny at samba.org>
> wrote:
>
> > On Mon, 31 Oct 2016 22:36:55 +0530
> > Pradeep Rawat via samba <samba at lists.samba.org> wrote:
> >
> > > Hi All,
> > >
> > > I am having an issue with Samba joining an active directory
> > > domain.
> > >
> > > When I run the 'net ads join -S mydomaincontrollerFQDN -U adminuser'
> > > command I get this error:
> > > Failed to join domain: failed to lookup DC info for domain
> > > 'MYDOMAIN.COM' over rpc: Logon failure
> > >
> > > The credentials we entered are for sure correct, but if we check our
> > > domain controller it counts it as a bad password. I see event 4625
> > > logged with "unknown username or bad password".
> > >
> > > Samba version is 3.6.4 and active directory is running on both
> > > 2008 R2 and 2012 R2 OS (with DFL/FFL as 2008 R2). I have tried
> > > with both versions of domain controllers without any success.
> > >
> > > I have also tried changing LmCompatibilityLevel on the domain
> > > controllers from 0 to 5 but the issue still persists. We initially
> > > thought this was because of the MS16-077 patch, but we uninstalled it
> > > from all our 2008 R2 domain controllers, and the 2012 R2 domain didn't
> > > have this patch at all.
> > >
> > > An example of our smb.conf file is here:
> > >
> > > [global]
> > > workgroup = MYDOMAIN
> > > realm = MYDOMAIN.COM
> > > netbios name = samba-server
> > > server string = Samba Server
> > > security = DOMAIN
> > > password server = myDomainControllerName.mydomain.com
> > > client ntlmv2 auth = yes
> > > encrypt passwords = yes
> > > max protocol = smb2
> > > restrict anonymous = 1
> > > log level = 2
> > > username map = /etc/samba/smbusers
> > > log file = /var/samba/log/log.%m
> > > debug pid = Yes
> > > debug uid = Yes
> > > max xmit = 65535
> > > name resolve order = host wins bcast lmhosts
> > > max ttl = 5000
> > > deadtime = 5
> > > hostname lookups = Yes
> > > os level = 20
> > > local master = No
> > > domain master = No
> > > wins server = <ip address of WINS server>
> > > host msdfs = No
> > > idmap config * : range = 10000-200000
> > > idmap config * : backend = tdb
> > > map archive = No
> > > map hidden = No
> > > map system = No
> > > case sensitive = Yes
> > > read only = No
> > > create mask = 0775
> > > directory mask = 0775
> > > hide dot files = No
> > > oplocks = No
> > > level2 oplocks = No
> > > strict locking = Yes
> > >
> > > Any help or pointers will be appreciated. Thanks in advance.
> > >
> > >
> > >
> > > Thanks
> >
> > Try replacing 'security = DOMAIN' with 'security = ADS'
> >
> > Rowland
> >
>
>
>
OK, try this smb.conf:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
netbios name = samba-server
server string = Samba Server
security = ADS
restrict anonymous = 1
log level = 2
username map = /etc/samba/smbusers
log file = /var/samba/log/log.%m
max xmit = 65535
max ttl = 5000
deadtime = 5
os level = 20
local master = No
domain master = No
host msdfs = No
idmap config * : range = 2000-9999
idmap config * : backend = tdb
idmap config MYDOMAIN : range = 10000-200000
idmap config MYDOMAIN : backend = rid
map archive = No
map hidden = No
hide dot files = No
oplocks = No
level2 oplocks = No
strict locking = Yes

The 'username map' should only have a mapping from 'root' to
'Administrator'.

Your /etc/resolv.conf should use one of the DCs as its nameserver.

/etc/hosts should contain a line '127.0.0.1 localhost' and a line for
the domain member, e.g.

127.0.0.1 localhost
192.168.0.4 samba-server.mydomain.com samba-server

If the domain member gets its IP address via DHCP, you don't need the
last line.
If there is a line that starts '127.0.1.1', remove it.

'hostname -s' should display 'samba-server'
'hostname -d' should display 'mydomain.com'

If everything is ok, try joining the machine to the domain:

net ads join -Uadministrator
Rowland
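The pre-join checklist in the reply above, turned into a script. This is an added example, not part of Rowland's reply and not Samba's own tooling: it reads smb.conf, /etc/hosts, /etc/resolv.conf and the username map, compares them with the advice given (security = ADS, non-overlapping idmap ranges, no 127.0.1.1 line, a DC as nameserver, hostname matching 'netbios name' and 'realm', a username map holding only root -> Administrator) and prints PASS/FAIL per item. All file contents below are constructed samples; the DC address 192.168.0.10, the hostname values passed in, and the function names are assumptions. For a live run, point the functions at the real files and pass `$(hostname -s)` and `$(hostname -d)`.

```shell
#!/bin/sh
# Added example: scripted version of the pre-join checklist. Each check
# takes paths/values as arguments so it works on real files or on the
# constructed samples at the bottom. Exit status 0 means the check passed.

# Read one key from the [global] section of an smb.conf. Key comparison
# ignores case and whitespace, so 'idmap config * : range' also matches
# 'idmap config *:range'. Lines starting with '#' or ';' are comments.
smb_get() {
    awk -v key="$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { inglobal = (tolower($0) ~ /\[global\]/); next }
        inglobal && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# An AD domain member needs 'security = ADS', not DOMAIN.
check_security() {
    [ "$(smb_get "$1" security | tr 'A-Z' 'a-z')" = "ads" ]
}

# The '*' range and the domain's own range must both exist and not overlap.
check_idmap_ranges() {
    wg=$(smb_get "$1" workgroup)
    star=$(smb_get "$1" 'idmap config * : range')
    dom=$(smb_get "$1" "idmap config $wg : range")
    [ -n "$star" ] && [ -n "$dom" ] || return 1
    s_lo=${star%-*}; s_hi=${star#*-}
    d_lo=${dom%-*};  d_hi=${dom#*-}
    [ "$d_lo" -gt "$s_hi" ] || [ "$d_hi" -lt "$s_lo" ]
}

# /etc/hosts: '127.0.0.1 localhost' present and no '127.0.1.1' line.
check_hosts() {
    grep -Eq '^[[:space:]]*127\.0\.0\.1[[:space:]]+(.*[[:space:]])?localhost([[:space:]]|$)' "$1" &&
    ! grep -Eq '^[[:space:]]*127\.0\.1\.1([[:space:]]|$)' "$1"
}

# /etc/resolv.conf: at least one nameserver must be one of the DCs ($2...).
check_resolv() {
    f=$1; shift
    for dc in "$@"; do
        esc=$(printf '%s' "$dc" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*nameserver[[:space:]]+$esc([[:space:]]|\$)" "$f" && return 0
    done
    return 1
}

# $2 = output of 'hostname -s', $3 = output of 'hostname -d'; both must
# match 'netbios name' and 'realm' from smb.conf (case-insensitively).
check_hostname() {
    nb=$(smb_get "$1" 'netbios name' | tr 'A-Z' 'a-z')
    realm=$(smb_get "$1" realm | tr 'A-Z' 'a-z')
    [ "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" = "$nb" ] &&
    [ "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" = "$realm" ]
}

# The username map may contain nothing but a root -> Administrator line.
check_username_map() {
    ! grep -Ev '^[[:space:]]*([#;].*)?$' "$1" |
      grep -Evq '^[[:space:]]*root[[:space:]]*=[[:space:]]*[Aa]dministrator[[:space:]]*$'
}

show() {  # show <label> <check> <args...>: print PASS/FAIL, count failures
    name=$1; shift
    if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fails=$((fails + 1)); fi
}

# report <smb.conf> <hosts> <resolv.conf> <usermap> <hostname -s> <hostname -d> <DC ip>
# Exit status is the number of failed checks.
report() {
    fails=0
    show "security = ADS"     check_security     "$1"
    show "idmap ranges"       check_idmap_ranges "$1"
    show "/etc/hosts"         check_hosts        "$2"
    show "resolv.conf -> DC"  check_resolv       "$3" "$7"
    show "hostname -s / -d"   check_hostname     "$1" "$5" "$6"
    show "username map"       check_username_map "$4"
    return "$fails"
}

# --- Constructed sample files (assumed values, not a real host) ---------
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/smb.conf.bad" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   netbios name = samba-server
   security = DOMAIN
   idmap config * : range = 10000-200000
   idmap config * : backend = tdb
EOF
cat > "$SAMPLE/smb.conf.good" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   netbios name = samba-server
   security = ADS
   idmap config * : range = 2000-9999
   idmap config * : backend = tdb
   idmap config MYDOMAIN : range = 10000-200000
   idmap config MYDOMAIN : backend = rid
EOF
printf '127.0.0.1 localhost\n127.0.1.1 samba-server\n' > "$SAMPLE/hosts.bad"
printf '127.0.0.1 localhost\n192.168.0.4 samba-server.mydomain.com samba-server\n' > "$SAMPLE/hosts.good"
printf 'nameserver 203.0.113.1\n' > "$SAMPLE/resolv.bad"
printf 'search mydomain.com\nnameserver 192.168.0.10\n' > "$SAMPLE/resolv.good"
printf 'root = Administrator\nnobody = guest\n' > "$SAMPLE/smbusers.bad"
printf 'root = Administrator\n' > "$SAMPLE/smbusers.good"

echo "== smb.conf as originally posted =="
report "$SAMPLE/smb.conf.bad" "$SAMPLE/hosts.bad" "$SAMPLE/resolv.bad" \
       "$SAMPLE/smbusers.bad" samba-server mydomain.com 192.168.0.10 ||
       echo "-> $? check(s) failed; fix them before 'net ads join'"
echo "== smb.conf from the reply =="
report "$SAMPLE/smb.conf.good" "$SAMPLE/hosts.good" "$SAMPLE/resolv.good" \
       "$SAMPLE/smbusers.good" samba-server mydomain.com 192.168.0.10 &&
       echo "-> all checks passed; try: net ads join -Uadministrator"
```

The idmap check is the one item not stated in the reply as a rule: it encodes why the reply gives the '*' backend 2000-9999 and the RID backend for MYDOMAIN 10000-200000, since a domain range sharing IDs with the default range would map the same Unix ID to different SIDs. The original post's smb.conf fails that check because it has no domain-specific range at all.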