[Samba] Samba4 machine fails to join in samba3 domain

Julien TEHERY julien.tehery at openevents.fr
Wed May 22 14:02:58 UTC 2019 

Hi

I actually have troubles to join a samba4 machine into an old samba3 domain.
I know I know most of you will yell reading this, but i have to deal 
with a customer's very old environment :)
They're thinking about migrating fully in samba4, but it will take some 
times so for now let's focus on the situation we have

Configuration:
- Samba3 PDC :3.5.18-28
- Samba4 client Debian 8.7 (samba 4.2.14)

Here is the samba4 smb.conf:

[global]
          # OPTIONS TO JOIN SAMBA3 NT DOMAIN
         max protocol = NT1
         client ipc signing = No
         client signing = No
         server signing = No
         ####

         panic action = /usr/share/samba/panic-action %d
         workgroup = MYDOMAIN
         netbios name = MYSERVER
         admin users= @"Domain Admins"
         name resolve order = wins lmhosts hosts bcast
         wide links = Yes
         follow symlinks = Yes

         remote announce = 192.168.255.255/MYDOMAIN
         remote browse sync = 192.168.255.255
         interfaces = 192.168.X.X/255.255.254.0
         bind interfaces only = no
         unix charset = CP850
         server string = FileserverMYSERVER
         security = DOMAIN
         encrypt passwords = true

         log level = 1
         syslog = 0
         log file = /var/log/samba/%m.log
         max log size = 100000
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         mangling method = hash2

         domain logons = No
         os level = 99
         preferred master = No
         domain master = No
         wins server = X.X.X.X
         idmap backend = nss
         passdb backend = ldapsam:ldap://ds.domain.com:389/
         ldap admin dn = cn=Directory Manager,dc=domain,dc=com
         ldap suffix = dc=domain,dc=com
         ldap group suffix = ou=Groups
         ldap user suffix = ou=Users
         ldap machine suffix = ou=Computers
         ldap ssl = No

         winbind cache time = 5
         winbind use default domain = yes
         winbind enum users = yes
         winbind enum groups = yes






Here is what i get when trying to join the domain

net rpc join  -Uadministrateur
No realm has been specified! Do you really want to join an Active 
Directory server?
Enter administrateur's password:
No realm has been specified! Do you really want to join an Active 
Directory server?
User root with invalid SID S-1-5-21-2287936477-1870703456-424640392-1001 
in passdb
Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error 
NT_STATUS_RPC_PROTOCOL_ERROR
libnet_join_ok: failed to open schannel session on netlogon pipe to 
server PDC for domain MYDOMAIN. Error was NT_STATUS_RPC_PROTOCOL_ERROR
Failed to join domain: failed to verify domain membership after joining: 
An RPC protocol error occurred.

The fact is that i succeed in getting domain info:


net rpc info -Uadministrateur
Enter administrateur's password:
Domain Name: MYDOMAIN
Domain SID: S-1-5-21-2143421583-854681893-XXXXXXXXXX
Sequence number: 1558533247
Num users: 2479
Num domain groups: 276
Num local groups: 0


I don't know how to deal with this problem (first time i see that..)

Thanks for your help

More information about the samba mailing list