[Samba] How do I join an Centos8 workstation to an NT4 domain?

Rowland penny rpenny at samba.org
Tue Feb 23 20:49:36 UTC 2021 

On 23/02/2021 20:11, Nick via samba wrote:
>
>
> On 23/02/2021 19:51, Rowland penny via samba wrote:
>>
>> On 23/02/2021 17:17, Nick via samba wrote:
>>>
>>>
>>> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>>>
>>>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>>>> Please don't ream me for using an NT4 domain, but that is the 
>>>>> beast I am stuck with.
>>>>
>>>>
>>>> You might think you are stuck with it, but unless you plan to 
>>>> upgrade to Samba AD, you might find you are stuck without it. 
>>>> NT4-style domains are going away, in fact they were deprecated at 
>>>> 4.13.0
>>>>
>>>> It is your decision, but I felt that I should warn you.
>>>>
>>>>>
>>>>> I am trying to join a Centos 8 workstation to an NT4 domain and 
>>>>> the only notes I have are not really applicable - 
>>>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain. 
>>>>> It references Ubuntu and its PAM configuration is irrelevant. In 
>>>>> any case I believe the join is falling down before PAM even comes 
>>>>> into play.
>>>>
>>>>
>>>> Ensure that all the Samba daemons are stopped, then try this 
>>>> '[global]' section of the smb.conf:
>>>>
>>>> [global]
>>>>          domain master = No
>>>>          security = DOMAIN
>>>>          client min protocol = NT1
>>>>          template shell = /bin/bash
>>>>          winbind use default domain = Yes
>>>>          workgroup = HOME
>>>>          idmap config * : range = 3000-7999
>>>>          idmap config * : backend = tdb
>>>>          idmap config HOME : range = 10000000-19999999
>>>>          idmap config HOME : backend = rid
>>>>
>>>> Try the join again and if it joins, then start winbind followed by 
>>>> smbd and nmbd.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>> I'm afraid it is the same problem:
>>>
>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>> Enter winadmin's password:
>>> Failed to join domain: failed to find DC for domain HOME - The 
>>> object was not found.
>>>
>>> I don't know if it is of interest but changing "client min protocol 
>>> = NT1" to "client max protocol = NT1" gave:
>>>
>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>> Enter winadmin's password:
>>> Failed to join domain: failed to find DC for domain HOME - The 
>>> object was not found.
>>>
>>> Has NT1/SMB1 been removed from this version of Samba and could that 
>>> be a problem? The server was running with "server min protocol = 
>>> SMB2" and I changed it to allow SMB1 when I changed the min protocol 
>>> to max protocol.
>>>
>>
>> No, SMBv1 (Samba calls it NT1) hasn't been removed, it will still be 
>> in 4.14.0 when it is shortly released, but who knows about 4.15.0 ?
>>
>> It was turned off by default at 4.11.0  but is still available for 
>> use by setting 'client min protocol = NT1' for connections to a 
>> server that uses it and setting 'server min protocol = NT1' to make a 
>> server use it. A Samba machine can be both a client and a server. 
>> There should be no reason to set 'client max protocol' or 'server max 
>> protocol', they are both set to SMBv3 and will negotiate the best 
>> protocol to use.
>>
>> You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.
>>
>> Rowland
>>
>>
>>
> Success (sort of):
> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server
> Enter winadmin's password:
> Failed to join domain: failed to join domain 'HOME' over rpc: The 
> specified account does not exist.
> [root at proxmox106 ~]# net rpc join -U winadmin -v -I 172.17.2.1
> Enter winadmin's password:
> Failed to join domain: failed to find DC for domain HOME - The object 
> was not found.
> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server.howitts.co.uk
> Enter winadmin's password:
> Using short domain name -- HOME
> Joined 'PROXMOX106' to domain 'HOME'
>
> Doesn't that indicate a DNS issue, but, if so what?


well, it would suggest a dns problem, except a PDC uses netbios, so is a 
'wins server running on the PDC ? Do you have 'wins support = yes' in 
the PDC's smb.conf ?

Try adding 'wins server = PDC_IP' in the clients smb.conf

The line you had in the clients smb.conf:

add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s 
/bin/false -M %u

Should be in the PDC's smb.conf.

>
> FWIW home.server.howitts.co.uk also resolves to the same IP and the 
> join by IP failed.
>
> Smb, nmb and winbind now start so that is good.


Well, at least you are getting somewhere 😂


>
> Also do I now need to do any PAM and nsswitch fixups? nsswitch.conf 
> now reads:
>
> [root at proxmox106 ~]# grep '^\w' /etc/nsswitch.conf
> passwd:     sss files systemd
> group:      sss files systemd
> netgroup:   sss files
> automount:  sss files
> services:   sss files
> shadow:     files sss
> hosts:      files dns myhostname
> aliases:    files
> ethers:     files
> gshadow:    files
> networks:   files dns
> protocols:  files
> publickey:  files
> rpc:        files
>
> I assume it needs to reference winbind at least, instead of sss. The 
> documentation I had said to do:
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat winbind
> hosts:          files dns wins
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
>
> But the documentation is very old.
>

And still valid, don't forget NT4-style domains are very old.

Rowland

More information about the samba mailing list