[Samba] Samba4 machine fails to join in samba3 domain
Rowland Penny
rpenny at samba.org
Wed May 22 14:47:45 UTC 2019
On 22/05/2019 15:02, Julien TEHERY via samba wrote:
> Hi
>
> I am actually having trouble joining a samba4 machine to an old samba3
> domain.
> I know, I know, most of you will yell reading this, but I have to deal
> with a customer's very old environment :)
> They're thinking about migrating fully to samba4, but it will take
> some time, so for now let's focus on the situation we have.
>
> Configuration:
> - Samba3 PDC :3.5.18-28
> - Samba4 client Debian 8.7 (samba 4.2.14)
>
> Here is the samba4 smb.conf:
>
> [global]
> # OPTIONS TO JOIN SAMBA3 NT DOMAIN
> max protocol = NT1
> client ipc signing = No
> client signing = No
> server signing = No
> ####
>
> panic action = /usr/share/samba/panic-action %d
> workgroup = MYDOMAIN
> netbios name = MYSERVER
> admin users= @"Domain Admins"
> name resolve order = wins lmhosts hosts bcast
> wide links = Yes
> follow symlinks = Yes
>
> remote announce = 192.168.255.255/MYDOMAIN
> remote browse sync = 192.168.255.255
> interfaces = 192.168.X.X/255.255.254.0
> bind interfaces only = no
> unix charset = CP850
> server string = FileserverMYSERVER
> security = DOMAIN
> encrypt passwords = true
>
> log level = 1
> syslog = 0
> log file = /var/log/samba/%m.log
> max log size = 100000
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> mangling method = hash2
>
> domain logons = No
> os level = 99
> preferred master = No
> domain master = No
> wins server = X.X.X.X
> idmap backend = nss
> passdb backend = ldapsam:ldap://ds.domain.com:389/
> ldap admin dn = cn=Directory Manager,dc=domain,dc=com
> ldap suffix = dc=domain,dc=com
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap ssl = No
>
> winbind cache time = 5
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> Here is what I get when trying to join the domain:
>
> net rpc join -Uadministrateur
> No realm has been specified! Do you really want to join an Active
> Directory server?
> Enter administrateur's password:
> No realm has been specified! Do you really want to join an Active
> Directory server?
> User root with invalid SID
> S-1-5-21-2287936477-1870703456-424640392-1001 in passdb
> Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
> cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error
> NT_STATUS_RPC_PROTOCOL_ERROR
> libnet_join_ok: failed to open schannel session on netlogon pipe to
> server PDC for domain MYDOMAIN. Error was NT_STATUS_RPC_PROTOCOL_ERROR
> Failed to join domain: failed to verify domain membership after
> joining: An RPC protocol error occurred.
>
> The fact is that I succeed in getting domain info:
>
>
> net rpc info -Uadministrateur
> Enter administrateur's password:
> Domain Name: MYDOMAIN
> Domain SID: S-1-5-21-2143421583-854681893-XXXXXXXXXX
> Sequence number: 1558533247
> Num users: 2479
> Num domain groups: 276
> Num local groups: 0
>
>
> I don't know how to deal with this problem (first time I've seen that..)
>
> Thanks for your help

Louis is right, you should upgrade, but, in the meantime, try adding
'ntlm auth = yes' to your smb.conf, see if that helps.

Also try running the following commands:

net getlocalsid
net getdomainsid

Rowland
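
Added example, not part of the original thread or of Samba itself: a small audit that lists the settings in the quoted smb.conf (plus the suggested 'ntlm auth = yes') that relax transport or authentication protection, so they can be tracked and reverted once the samba3 domain is migrated. The rule table and the function name `audit` are this example's own choices; the sample text is constructed from lines quoted above.

```python
# Constructed sample: legacy-compatibility lines from the smb.conf quoted above,
# plus the 'ntlm auth = yes' suggested in the reply.
SAMPLE = """\
[global]
max protocol = NT1
client ipc signing = No
client signing = No
server signing = No
security = DOMAIN
ldap ssl = No
ntlm auth = yes
"""

OFF = {"no", "false", "0", "off"}   # boolean spellings smb.conf accepts for "off"
ON = {"yes", "true", "1", "on"}     # and for "on"
# (parameter names without whitespace and lowercased, weakening values, reason)
RULES = [
    ({"maxprotocol", "servermaxprotocol", "clientmaxprotocol"},
     {"core", "coreplus", "lanman1", "lanman2", "nt1"},
     "caps the dialect at SMB1 or older"),
    ({"clientsigning", "serversigning", "clientipcsigning"},
     OFF | {"disabled"}, "SMB signing disabled"),
    ({"ldapssl"}, OFF, "no StartTLS on Samba's LDAP connection"),
    ({"ntlmauth"}, ON | {"ntlmv1-permitted"}, "NTLMv1 responses accepted"),
]

def audit(text):
    """Return (line_no, section, 'name = value', reason) for each weakened setting."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, _, value = line.partition("=")
        key = "".join(name.split()).lower()      # names ignore case and whitespace
        val = value.strip().lower()
        for names, bad, reason in RULES:
            if key in names and val in bad:
                findings.append((no, section, f"{name.strip()} = {value.strip()}", reason))
    return findings

if __name__ == "__main__":
    for no, section, setting, reason in audit(SAMPLE):
        print(f"line {no} [{section}] {setting}: {reason}")
```

Backslash line continuations and `include` directives are not followed; run it against the output of `testparm -s` to audit the effective configuration.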