[Samba] Computer in Samba 4.3.11 domain - logon server unavailable

Rowland penny rpenny at samba.org
Thu Mar 19 19:05:04 UTC 2020


On 19/03/2020 17:37, Lorenzo Milesi via samba wrote:
> We've a Samba 4 domain (no AD, just DC) with LDAP backend on Ubuntu 14.04. This server has been migrated from files backend to LDAP by the previous maintainer, I know the version is pretty old but we cannot update at the moment.
> The domain works fine with some W7 and W10 (updated from 7) computers, but we have purchased a new Lenovo laptop with Win10 which joined the domain seamlessly but denies any login with a domain user; it always returns:
>
> we can't sign you in with this credential because your domain isn't available.
>
> After digging into event manager I found the error:
>
> RPC Server unavailable (id 5719)
>
> Samba is listening on ports 445 and 139, RPC should be on 135 if I got it right, but I have other Samba4 DC setups without port 135 open, and they work fine. This one as well has other Win10 PCs logging in correctly (though they were W7 before, the failing one is brand new).

Try reading this:

https://wiki.samba.org/index.php/Samba_NT4_PDC_Port_Usage

>
> We tried enabling SMBv1, changing the computer name, removing and adding it back to the domain; none of these actions produced a change. We also tried the three common actions suggested for this kind of error (changing DNS, removing credential caching, removing protected users (though having none)) and none of these worked.
>
> I raised Samba log level but it won't report anything useful. We've just seen the IP successfully connecting to port 445, but nothing else.
> Could it be a SID problem?
>
>
> Another error I found in event log is:
> NETLOGON 5719: Unable to establish secure connection to a domain controller.
>
> I checked with
> nltest /DSGET:DOM
> nltest /DNSGET:DOM
> and the first returns all the domain information, the latter just reports "Command executed correctly".
>
>
> smb.conf:
>
> [global]
>      name resolve order = lmhosts hosts bcast
>      force group = adm
>      pam password change = yes
>      browsable = yes
>      server signing = auto
>      winbind uid = 10000-20000
>      remote announce = 10.0.0.255/OFFICE
>      interfaces = 10.0.0.3/24 127.0.0.1
>      bind interfaces only = yes
>      guest account = nobody
>      guest ok = yes
>      netbios name = server3
>      printing = bsd
>      delete readonly = yes
>      writeable = yes
>      logon script = netlogon.bat
>      local master = yes
>      workgroup = office
>      os level = 255
>      printcap name = /dev/null
>      security = user
>      username map = /etc/samba/username.map
>      max log size = 50
>      directory mode = 2770
>      log level = 10
>      log file = /var/log/samba/log.%m
>      load printers = no
>      root directory = /
>      force directory mode = 2777
>      logon drive = H:
>      domain master = yes
>      domain logons = yes
>      encrypt passwords = yes
>      winbind use default domain = Yes
>
>      server string = server3
>      winbind enum users = yes
>      unix password sync = yes
>      force create mode = 0777
>      winbind enum groups = yes
>      create mode = 0770
>      prefered master = yes
>      winbind cache time = 10
>      server signing = auto
>      ntlm auth = yes
>      lanman auth = yes
>      server signing = auto
>      map untrusted to domain = Yes
>      # wins support = yes
>      allow dcerpc auth level connect = yes
>      ldap suffix = dc=office,dc=lan
>      ldap user suffix = ou=Users
>      ldap machine suffix = ou=Computers
>      ldap group suffix = ou=Groups
>      ldap idmap suffix = ou=Idmap
>      ldap admin dn = cn=admin,dc=office,dc=lan
>      passdb backend = ldapsam:ldap://localhost:3890/
>      name resolve order = wins host dns bcast
>      add user script = /bin/netuseradd -a -m '%u'
>      delete user script = /bin/netuserdel '%u'
>      add group script = /bin/netgroupadd -a -p '%g'
>      delete group script = /bin/netgroupdel '%g'
>      add user to group script = /bin/netgroupmod -m '%u' '%g'
>      delete user from group script = /bin/netgroupmod -x '%u' '%g'
>      set primary group script = /bin/netusermod -g '%g' '%u'
>      add machine script = /bin/netuseradd -w '%u'
>      logon script = %U.bat
>      logon path =
>      logon home =
>      ldap ssl = no
>      wins support = yes

Can I suggest you read 'man smb.conf'

Try adding 'server max protocol = NT1' and ensure SMBv1 is running on 
all machines.

Also, is the ldap server really running on port 3890?

You also have some winbind lines; is winbind running?

Finally, I note that you say 'we cannot update at the moment', can I 
suggest that you find the time to not only upgrade your distro, but to 
upgrade to AD, one of these days Microsoft will turn off the 
NT4-style domain support (probably by accident) and then refuse to turn 
it back on again.

Rowland
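An added check, written for this page and not taken from the thread or from the Samba project, that makes the 'man smb.conf' remark concrete. smbd keeps the last definition of a parameter that appears more than once in a section, so in the posted config 'name resolve order' is really 'wins host dns bcast' and 'logon script' is really '%U.bat', while the three 'server signing = auto' lines are merely noise. The script below parses a smb.conf-style text, lists the repeated parameters with the value that actually wins, pulls the port out of the 'ldapsam:ldap://...' backend URL so you know which port to confirm slapd is listening on, and flags the points raised in the reply. The sample config is a trimmed copy of the one quoted above, embedded so the script runs offline.

```python
"""Lint a smb.conf for repeated [global] parameters and the ldapsam port.

Added example, not from the thread or from Samba.  smbd applies the LAST
definition of a repeated parameter, so earlier ones silently lose.
"""
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """
[global]
     name resolve order = lmhosts hosts bcast
     server signing = auto
     logon script = netlogon.bat
     domain logons = yes
     winbind use default domain = Yes
     server signing = auto
     server signing = auto
     # wins support = yes
     passdb backend = ldapsam:ldap://localhost:3890/
     name resolve order = wins host dns bcast
     logon script = %U.bat
     wins support = yes

[homes]
     browseable = no
"""


def parse_section(text, section="global"):
    """Return (effective, occurrences) for one section.

    effective:   OrderedDict name -> last value seen (what smbd will use)
    occurrences: dict name -> every value seen for that name, in file order
    Parameter names are lower-cased and whitespace-normalised, as Samba
    ignores case and spacing in them.
    """
    effective, occurrences, current = OrderedDict(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current != section.lower() or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = re.sub(r"\s+", " ", name.strip().lower())
        value = value.strip()
        effective[name] = value           # last definition wins
        occurrences.setdefault(name, []).append(value)
    return effective, occurrences


def duplicated_parameters(text):
    """Parameters defined more than once in [global], with all their values."""
    _, occ = parse_section(text)
    return {k: v for k, v in occ.items() if len(v) > 1}


def ldap_backend_port(text):
    """TCP port the ldapsam backend URL points at, or None if not ldapsam."""
    effective, _ = parse_section(text)
    backend = effective.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        return None
    parts = urlsplit(backend.split(":", 1)[1])
    if parts.port is not None:
        return parts.port
    return 636 if parts.scheme == "ldaps" else 389   # protocol defaults


def review(text):
    """Findings a reviewer of this config would raise, as short strings."""
    effective, _ = parse_section(text)
    findings = []
    for name, values in sorted(duplicated_parameters(text).items()):
        findings.append("%s defined %d times; effective value: %r"
                        % (name, len(values), values[-1]))
    if "server max protocol" not in effective:
        findings.append("server max protocol not set; the reply suggests "
                        "'server max protocol = NT1' for this NT4-style domain")
    port = ldap_backend_port(text)
    if port is not None and port != 389:
        findings.append("ldapsam backend uses non-default port %d; "
                        "confirm slapd really listens there" % port)
    if any(k.startswith("winbind ") for k in effective):
        findings.append("winbind parameters present; confirm winbindd is running")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_SMB_CONF):
        print(finding)
```

On the server itself, `testparm -s` prints the effective configuration the same way (last definition wins) and warns about unknown parameters, `ss -ltn` shows whether anything is listening on the port the ldapsam URL names, and `wbinfo -p` tells you whether winbindd answers.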
