[Samba] How do I join a CentOS 8 workstation to an NT4 domain?

Nick Howitt nick at howitts.co.uk
Wed Feb 24 10:25:35 UTC 2021



On 23/02/2021 21:27, Nick via samba wrote:
> 
> 
> 
> On 23/02/2021 20:49, Rowland penny via samba wrote:
>>
>> On 23/02/2021 20:11, Nick via samba wrote:
>>>
>>>
>>> On 23/02/2021 19:51, Rowland penny via samba wrote:
>>>>
>>>> On 23/02/2021 17:17, Nick via samba wrote:
>>>>>
>>>>>
>>>>> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>>>>>
>>>>>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>>>>>> Please don't ream me for using an NT4 domain, but that is the 
>>>>>>> beast I am stuck with.
>>>>>>
>>>>>>
>>>>>> You might think you are stuck with it, but unless you plan to 
>>>>>> upgrade to Samba AD, you might find you are stuck without it. 
>>>>>> NT4-style domains are going away, in fact they were deprecated at 
>>>>>> 4.13.0
>>>>>>
>>>>>> It is your decision, but I felt that I should warn you.
>>>>>>
>>>>>>>
>>>>>>> I am trying to join a CentOS 8 workstation to an NT4 domain and 
>>>>>>> the only notes I have are not really applicable - 
>>>>>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain. 
>>>>>>> It references Ubuntu and its PAM configuration is irrelevant. In 
>>>>>>> any case I believe the join is falling down before PAM even comes 
>>>>>>> into play.
>>>>>>
>>>>>>
>>>>>> Ensure that all the Samba daemons are stopped, then try this 
>>>>>> '[global]' section of the smb.conf:
>>>>>>
>>>>>> [global]
>>>>>>          domain master = No
>>>>>>          security = DOMAIN
>>>>>>          client min protocol = NT1
>>>>>>          template shell = /bin/bash
>>>>>>          winbind use default domain = Yes
>>>>>>          workgroup = HOME
>>>>>>          idmap config * : range = 3000-7999
>>>>>>          idmap config * : backend = tdb
>>>>>>          idmap config HOME : range = 10000000-19999999
>>>>>>          idmap config HOME : backend = rid
>>>>>>
>>>>>> Try the join again and if it joins, then start winbind followed by 
>>>>>> smbd and nmbd.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>>
>>>>> I'm afraid it is the same problem:
>>>>>
>>>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>>>> Enter winadmin's password:
>>>>> Failed to join domain: failed to find DC for domain HOME - The 
>>>>> object was not found.
>>>>>
>>>>> I don't know if it is of interest but changing "client min protocol 
>>>>> = NT1" to "client max protocol = NT1" gave:
>>>>>
>>>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>>>> Enter winadmin's password:
>>>>> Failed to join domain: failed to find DC for domain HOME - The 
>>>>> object was not found.
>>>>>
>>>>> Has NT1/SMB1 been removed from this version of Samba and could that 
>>>>> be a problem? The server was running with "server min protocol = 
>>>>> SMB2" and I changed it to allow SMB1 when I changed the min 
>>>>> protocol to max protocol.
>>>>>
>>>>
>>>> No, SMBv1 (Samba calls it NT1) hasn't been removed; it will still be 
>>>> in 4.14.0 when it is shortly released, but who knows about 4.15.0?
>>>>
>>>> It was turned off by default at 4.11.0 but is still available for 
>>>> use by setting 'client min protocol = NT1' for connections to a 
>>>> server that uses it and setting 'server min protocol = NT1' to make 
>>>> a server use it. A Samba machine can be both a client and a server. 
>>>> There should be no reason to set 'client max protocol' or 'server 
>>>> max protocol'; they are both set to SMBv3 and will negotiate the 
>>>> best protocol to use.
>>>>
>>>> You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>> Success (sort of):
>>> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server
>>> Enter winadmin's password:
>>> Failed to join domain: failed to join domain 'HOME' over rpc: The 
>>> specified account does not exist.
>>> [root at proxmox106 ~]# net rpc join -U winadmin -v -I 172.17.2.1
>>> Enter winadmin's password:
>>> Failed to join domain: failed to find DC for domain HOME - The object 
>>> was not found.
>>> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server.howitts.co.uk
>>> Enter winadmin's password:
>>> Using short domain name -- HOME
>>> Joined 'PROXMOX106' to domain 'HOME'
>>>
>>> Doesn't that indicate a DNS issue, but if so, what?
>>
>>
>> Well, it would suggest a DNS problem, except a PDC uses NetBIOS, so is 
>> a WINS server running on the PDC? Do you have 'wins support = yes' 
>> in the PDC's smb.conf?
> Yes, it is there
>>
>> Try adding 'wins server = PDC_IP' in the client's smb.conf
> I'll try that.
>>
>> The line you had in the client's smb.conf:
>>
>> add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s 
>> /bin/false -M %u
>>
>> Should be in the PDC's smb.conf.
> The PDC has:
> add machine script = /usr/sbin/samba-add-machine "%u"
> 
>>
>>>
>>> FWIW home.server.howitts.co.uk also resolves to the same IP and the 
>>> join by IP failed.
>>>
>>> Smb, nmb and winbind now start so that is good.
>>
>>
>> Well, at least you are getting somewhere 😂
> Yes. Chuffed at that, thanks.
>>
>>
>>>
>>> Also do I now need to do any PAM and nsswitch fixups? nsswitch.conf 
>>> now reads:
>>>
>>> [root at proxmox106 ~]# grep '^\w' /etc/nsswitch.conf
>>> passwd:     sss files systemd
>>> group:      sss files systemd
>>> netgroup:   sss files
>>> automount:  sss files
>>> services:   sss files
>>> shadow:     files sss
>>> hosts:      files dns myhostname
>>> aliases:    files
>>> ethers:     files
>>> gshadow:    files
>>> networks:   files dns
>>> protocols:  files
>>> publickey:  files
>>> rpc:        files
>>>
>>> I assume it needs to reference winbind at least, instead of sss. The 
>>> documentation I had said to do:
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>> shadow:         compat winbind
>>> hosts:          files dns wins
>>> networks:       files
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>> netgroup:       nis
>>>
>>> But the documentation is very old.
>>>
>>
>> And still valid, don't forget NT4-style domains are very old.
> Great
>>
>> Rowland
>>
>>
>>
> 
> 
Is there a way to leave a domain with "net ..." so I can test a rejoin? 
I added the 'wins server' line to smb.conf and the join went OK without 
specifying the -S, but it was already joined at that point.

I've made the nsswitch.conf changes but still cannot log in as a domain 
user as password validation fails:

Feb 24 10:10:48 proxmox106 gdm-password][3498]: 
pam_unix(gdm-password:auth): check pass; user unknown
Feb 24 10:10:48 proxmox106 gdm-password][3498]: 
pam_unix(gdm-password:auth): authentication failure; logname= uid=0 
euid=0 tty=/dev/tty1 ruser= rhost=
Feb 24 10:10:48 proxmox106 gdm-password][3498]: gkr-pam: error looking 
up user information
Feb 24 10:10:59 proxmox106 gdm-password][3503]: 
pam_unix(gdm-password:auth): check pass; user unknown
Feb 24 10:10:59 proxmox106 gdm-password][3503]: 
pam_unix(gdm-password:auth): authentication failure; logname= uid=0 
euid=0 tty=/dev/tty1 ruser= rhost=
Feb 24 10:10:59 proxmox106 gdm-password][3503]: gkr-pam: error looking 
up user information

Do I now need to adjust the PAM configuration? Again the notes I have 
suggest so, but the files mentioned don't exist in CentOS 8.
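A small configuration check for the member settings discussed in this thread, added here as an example and not code from the thread or from Samba: it parses the [global] section of a domain-member smb.conf (the constructed sample mirrors Rowland's suggested settings), confirms security = DOMAIN and client min protocol = NT1, and flags idmap ranges that overlap, which winbind will not accept.

```python
import re

# Constructed smb.conf [global] fragment mirroring the settings suggested in the thread.
SMB_CONF = """\
[global]
        security = DOMAIN
        client min protocol = NT1
        workgroup = HOME
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        idmap config HOME : range = 10000000-19999999
        idmap config HOME : backend = rid
"""

def parse_global(text):
    """Map each [global] parameter to its value, with whitespace in keys squeezed."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # skip blanks and comments
            continue
        if line.startswith('['):
            in_global = line.lower() == '[global]'
        elif in_global and '=' in line:
            key, val = line.split('=', 1)
            params[' '.join(key.split())] = val.strip()
    return params

def check_smb_conf(text):
    """Findings for an NT4-style member smb.conf; an empty list means it looks sane."""
    p, findings = parse_global(text), []
    if p.get('security', '').upper() != 'DOMAIN':
        findings.append("security should be DOMAIN")
    if p.get('client min protocol', '').upper() != 'NT1':
        findings.append("client min protocol should be NT1 to reach an NT4 PDC")
    ranges = {}
    for key, val in p.items():
        m = re.fullmatch(r'idmap config (\S+) : range', key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in val.split('-'))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # winbind rejects overlapping idmap ranges
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings

if __name__ == '__main__':
    print(check_smb_conf(SMB_CONF) or "smb.conf member settings look sane")
```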
