[Samba] Samba4 machine fails to join in samba3 domain

Rowland Penny rpenny at samba.org
Wed May 22 14:47:45 UTC 2019


On 22/05/2019 15:02, Julien TEHERY via samba wrote:
> Hi
>
> I am actually having trouble joining a samba4 machine to an old samba3 
> domain.
> I know, I know, most of you will yell reading this, but I have to deal 
> with a customer's very old environment :)
> They're thinking about migrating fully to samba4, but it will take 
> some time, so for now let's focus on the situation we have
>
> Configuration:
> - Samba3 PDC: 3.5.18-28
> - Samba4 client Debian 8.7 (samba 4.2.14)
>
> Here is the samba4 smb.conf:
>
> [global]
>          # OPTIONS TO JOIN SAMBA3 NT DOMAIN
>         max protocol = NT1
>         client ipc signing = No
>         client signing = No
>         server signing = No
>         ####
>
>         panic action = /usr/share/samba/panic-action %d
>         workgroup = MYDOMAIN
>         netbios name = MYSERVER
>         admin users= @"Domain Admins"
>         name resolve order = wins lmhosts hosts bcast
>         wide links = Yes
>         follow symlinks = Yes
>
>         remote announce = 192.168.255.255/MYDOMAIN
>         remote browse sync = 192.168.255.255
>         interfaces = 192.168.X.X/255.255.254.0
>         bind interfaces only = no
>         unix charset = CP850
>         server string = FileserverMYSERVER
>         security = DOMAIN
>         encrypt passwords = true
>
>         log level = 1
>         syslog = 0
>         log file = /var/log/samba/%m.log
>         max log size = 100000
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         mangling method = hash2
>
>         domain logons = No
>         os level = 99
>         preferred master = No
>         domain master = No
>         wins server = X.X.X.X
>         idmap backend = nss
>         passdb backend = ldapsam:ldap://ds.domain.com:389/
>         ldap admin dn = cn=Directory Manager,dc=domain,dc=com
>         ldap suffix = dc=domain,dc=com
>         ldap group suffix = ou=Groups
>         ldap user suffix = ou=Users
>         ldap machine suffix = ou=Computers
>         ldap ssl = No
>
>         winbind cache time = 5
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>
> Here is what I get when trying to join the domain:
>
> net rpc join  -Uadministrateur
> No realm has been specified! Do you really want to join an Active 
> Directory server?
> Enter administrateur's password:
> No realm has been specified! Do you really want to join an Active 
> Directory server?
> User root with invalid SID 
> S-1-5-21-2287936477-1870703456-424640392-1001 in passdb
> Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
> cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error 
> NT_STATUS_RPC_PROTOCOL_ERROR
> libnet_join_ok: failed to open schannel session on netlogon pipe to 
> server PDC for domain MYDOMAIN. Error was NT_STATUS_RPC_PROTOCOL_ERROR
> Failed to join domain: failed to verify domain membership after 
> joining: An RPC protocol error occurred.
>
> The fact is that I succeed in getting domain info:
>
> net rpc info -Uadministrateur
> Enter administrateur's password:
> Domain Name: MYDOMAIN
> Domain SID: S-1-5-21-2143421583-854681893-XXXXXXXXXX
> Sequence number: 1558533247
> Num users: 2479
> Num domain groups: 276
> Num local groups: 0
>
> I don't know how to deal with this problem (first time I see that..)
>
> Thanks for your help

Louis is right, you should upgrade, but, in the meantime, try adding 
'ntlm auth = yes' to your smb.conf, see if that helps.

Also try running the following commands:

net getlocalsid

net getdomainsid

Rowland
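
One way to use the output of the two commands above, as an added example that is not part of the thread: it takes the SID from the `invalid SID` warning in the quoted join output and reports whether its domain part (the SID without the trailing RID) equals the machine's local SID or the domain SID. The function names and the two SID values are constructed for illustration; paste in the SIDs that `net getlocalsid` and `net getdomainsid` print on the real machine.

```shell
#!/bin/sh
# Added example (not from the thread): which SID does an account SID belong to?

# Domain part of an account SID: everything before the final "-<RID>".
sid_domain_part() {
    printf '%s\n' "${1%-*}"
}

# First S-1-5-21-... SID found in the text on stdin.
first_sid() {
    grep -oE 'S-1-5-21(-[0-9]+)+' | head -n 1
}

# classify_sid ACCOUNT_SID LOCAL_SID DOMAIN_SID
# Prints "local", "domain" or "foreign" according to which SID the
# account's domain part equals.
classify_sid() {
    part=$(sid_domain_part "$1")
    if [ "$part" = "$2" ]; then
        echo local
    elif [ "$part" = "$3" ]; then
        echo domain
    else
        echo foreign
    fi
}

# Warning line as it appears in the join output quoted above.
WARNING='User root with invalid SID S-1-5-21-2287936477-1870703456-424640392-1001 in passdb'

# Constructed placeholder values: replace with the SIDs printed by
# `net getlocalsid` and `net getdomainsid`.
LOCAL_SID='S-1-5-21-1111111111-2222222222-3333333333'
DOMAIN_SID='S-1-5-21-4444444444-5555555555-6666666666'

ACCOUNT_SID=$(printf '%s\n' "$WARNING" | first_sid)

echo "account SID : $ACCOUNT_SID"
echo "domain part : $(sid_domain_part "$ACCOUNT_SID")"
echo "belongs to  : $(classify_sid "$ACCOUNT_SID" "$LOCAL_SID" "$DOMAIN_SID")"
```

A result of `foreign` means the account in passdb carries a SID from neither the machine nor the domain being joined.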




