[Samba] How do I join an Centos8 workstation to an NT4 domain?

Nick nick at howitts.co.uk
Tue Feb 23 20:11:20 UTC 2021



On 23/02/2021 19:51, Rowland penny via samba wrote:
> 
> On 23/02/2021 17:17, Nick via samba wrote:
>>
>>
>> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>>
>>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>>> Please don't ream me for using an NT4 domain, but that is the beast 
>>>> I am stuck with.
>>>
>>>
>>> You might think you are stuck with it, but unless you plan to upgrade 
>>> to Samba AD, you might find you are stuck without it. NT4-style 
>>> domains are going away, in fact they were deprecated at 4.13.0
>>>
>>> It is your decision, but I felt that I should warn you.
>>>
>>>>
>>>> I am trying to join a Centos 8 workstation to an NT4 domain and the 
>>>> only notes I have are not really applicable - 
>>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain. 
>>>> It references Ubuntu and its PAM configuration is irrelevant. In any 
>>>> case I believe the join is falling down before PAM even comes into 
>>>> play.
>>>
>>>
>>> Ensure that all the Samba daemons are stopped, then try this 
>>> '[global]' section of the smb.conf:
>>>
>>> [global]
>>>          domain master = No
>>>          security = DOMAIN
>>>          client min protocol = NT1
>>>          template shell = /bin/bash
>>>          winbind use default domain = Yes
>>>          workgroup = HOME
>>>          idmap config * : range = 3000-7999
>>>          idmap config * : backend = tdb
>>>          idmap config HOME : range = 10000000-19999999
>>>          idmap config HOME : backend = rid
>>>
>>> Try the join again and if it joins, then start winbind followed by 
>>> smbd and nmbd.
>>>
>>> Rowland
>>>
>>>
>>>
>> I'm afraid it is the same problem:
>>
>> [root@proxmox106 ~]# net rpc join -U winadmin
>> Enter winadmin's password:
>> Failed to join domain: failed to find DC for domain HOME - The object 
>> was not found.
>>
>> I don't know if it is of interest but changing "client min protocol = 
>> NT1" to "client max protocol = NT1" gave:
>>
>> [root@proxmox106 ~]# net rpc join -U winadmin
>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>> Enter winadmin's password:
>> Failed to join domain: failed to find DC for domain HOME - The object 
>> was not found.
>>
>> Has NT1/SMB1 been removed from this version of Samba and could that be 
>> a problem? The server was running with "server min protocol = SMB2" 
>> and I changed it to allow SMB1 when I changed the min protocol to max 
>> protocol.
>>
> 
> No, SMBv1 (Samba calls it NT1) hasn't been removed, it will still be in 
> 4.14.0 when it is shortly released, but who knows about 4.15.0 ?
> 
> It was turned off by default at 4.11.0  but is still available for use 
> by setting 'client min protocol = NT1' for connections to a server that 
> uses it and setting 'server min protocol = NT1' to make a server use it. 
> A Samba machine can be both a client and a server. There should be no 
> reason to set 'client max protocol' or 'server max protocol', they are 
> both set to SMBv3 and will negotiate the best protocol to use.
> 
> You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.
> 
> Rowland
> 
> 
> 
Success (sort of):
[root@proxmox106 ~]# net rpc join -U winadmin -v -S server
Enter winadmin's password:
Failed to join domain: failed to join domain 'HOME' over rpc: The 
specified account does not exist.
[root@proxmox106 ~]# net rpc join -U winadmin -v -I 172.17.2.1
Enter winadmin's password:
Failed to join domain: failed to find DC for domain HOME - The object 
was not found.
[root@proxmox106 ~]# net rpc join -U winadmin -v -S server.howitts.co.uk
Enter winadmin's password:
Using short domain name -- HOME
Joined 'PROXMOX106' to domain 'HOME'

Doesn't that indicate a DNS issue, but, if so what?

FWIW home.server.howitts.co.uk also resolves to the same IP and the join 
by IP failed.

Smb, nmb and winbind now start so that is good.

Also do I now need to do any PAM and nsswitch fixups? nsswitch.conf now 
reads:

[root@proxmox106 ~]# grep '^\w' /etc/nsswitch.conf
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
shadow:     files sss
hosts:      files dns myhostname
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

I assume it needs to reference winbind at least, instead of sss. The 
documentation I had said to do:

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
hosts:          files dns wins
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

But the documentation is very old.
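
An added example, not part of the original message and not Samba's own code: a small audit of the `[global]` protocol settings discussed in this thread, flagging where SMB1 (NT1) is allowed and where a max protocol falls below the min protocol, as in the `lp_load_ex` warning quoted above. The function names are hypothetical, and the protocol ordering and defaults are a subset assumed for Samba 4.11 and later.

```python
# Protocol names in ascending order (subset of what smb.conf accepts).
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# Assumption: defaults as of Samba 4.11 and later (SMB1 off by default).
DEFAULTS = {"client min protocol": "SMB2_02", "client max protocol": "SMB3_11",
            "server min protocol": "SMB2_02", "server max protocol": "SMB3_11"}

# Constructed sample: the [global] section suggested in the thread (idmap lines omitted).
THREAD_CONF = """
[global]
        domain master = No
        security = DOMAIN
        client min protocol = NT1
        winbind use default domain = Yes
        workgroup = HOME
"""
# The variant tried in the thread, which triggered the lp_load_ex warning.
VARIANT_CONF = THREAD_CONF.replace("client min protocol", "client max protocol")

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise internal spacing.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def rank(name):
    """Position of a protocol name in ORDER; raises ValueError if unknown."""
    name = name.upper()
    return ORDER.index(ALIASES.get(name, name))

def audit(text):
    """List protocol findings for the client and server sides of one smb.conf."""
    params = {**DEFAULTS, **parse_global(text)}
    findings = []
    for side in ("client", "server"):
        lo, hi = params[f"{side} min protocol"], params[f"{side} max protocol"]
        if rank(hi) < rank(lo):
            findings.append(f"{side}: max protocol {hi} is less than min protocol {lo}")
        elif rank(lo) <= rank("NT1"):
            findings.append(f"{side}: SMB1 allowed (min protocol {lo})")
    return findings
```

Running `audit()` over a workstation's smb.conf after the join shows whether SMB1 was enabled only on the client side, as the thread intends, or on the server side as well.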
