[Samba] Domain Join Error with samba 4.15.5
Rowland Penny
rpenny at samba.org
Wed Apr 6 14:57:47 UTC 2022
On Wed, 2022-04-06 at 11:38 +0200, Peter Varkoly via samba wrote:
> Hi List,
>
> after upgrading to 4.15.5 samba-ad I got an error when joining the
> domain:
> "interface unknown error"
> All other stuff works fine. After restarting the samba service the
> domain join works for a while. But after some time the same error
> occurs.
> With earlier versions of samba I did not have this problem.
>
> Furthermore in the samba log I can see this error periodically:
> Apr 06 11:30:41 admin smbd[21269]: [2022/04/06 11:30:41.480400, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> Apr 06 11:30:41 admin smbd[21269]: dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
>
> Do you have any hints for me?
Yes, stop using a Samba AD DC as a fileserver :-)
Samba does not recommend using a DC as a fileserver.
>
> smb.conf:
> [global]
> netbios name = admin
> realm = <REALM>
> workgroup = <WORKGROUP>
> dns forwarder = 192.168.1.10
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = Yes
> check password script = /usr/share/cranix/tools/check_password_complexity.sh
> winbind enum users = Yes
> winbind enum groups = Yes
> wide links = Yes
> unix extensions = No
> bind interfaces only = yes
> interfaces = 127.0.0.1, 172.16.0.2
> ntlm auth = yes
> ldap server require strong auth = no
> template shell = /bin/bash
> printing = CUPS
> load printers = no
> min protocol = SMB2
> hosts deny = 172.16.1.0/24 172.16.13.128/26
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> [netlogon]
> comment = Network logon
> path = /var/lib/samba/sysvol/XXXX/scripts
> root preexec = /usr/share/cranix/plugins/share_plugin_handler.sh netlogon open %U %I %a %m
> browseable = No
> writable = No
> guest ok = Yes
>
> [profiles]
> comment = Network profiles
> path = /home/profiles/
> root preexec = /usr/share/cranix/plugins/share_plugin_handler.sh profiles open %U %I %a %m
> browseable = No
> read only = No
> force create mode = 0600
> force directory mode = 0700
> csc policy = disable
> store dos attributes = yes
> vfs objects = acl_xattr
>
> [homes]
> comment = Home Directories
> root preexec = /usr/share/cranix/plugins/share_plugin_handler.sh homes open %U %I %a %m
> root postexec = /usr/share/cranix/plugins/share_plugin_handler.sh homes close %U %I %a %m
> inherit permissions = Yes
> browseable = No
> printable = No
> read only = No
> guest ok = No
> valid users = %S
If you are going to use a Samba AD DC as a fileserver, you are going to
have to follow the rules, part of which is that you must set the
permissions from Windows. Another rule is that if you set 'vfs objects',
you must set 'vfs objects = dfs_samba4 acl_xattr' with the VFS object
you want to use, or in your case, just remove the line.
You might find it helps reading these:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland
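The rule in the reply above (on a Samba AD DC, any share that sets 'vfs objects' must list dfs_samba4 alongside acl_xattr, or the line should be dropped) as an added example: a small shell linter that reads an smb.conf and reports DC shares whose 'vfs objects' lacks dfs_samba4, printing the corrected line. This is not code from the thread or from the Samba project. It assumes a plain INI-style smb.conf (no 'include =' lines or '%' macros are followed), and the sample configuration it runs on is constructed here to mirror the shares in the thread; it is not the poster's file.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): lint an smb.conf
# for the DC rule quoted in the reply. On an AD DC, a share that sets
# 'vfs objects' must include dfs_samba4 (normally 'dfs_samba4 acl_xattr');
# otherwise the line should be removed so the DC default applies.
# Assumption: plain INI-style smb.conf; 'include =' and '%' macros are
# not expanded (run it on 'testparm -s' output to get an expanded view).

# Usage: check_dc_vfs_objects /etc/samba/smb.conf
# Prints one line per offending share with the suggested corrected value.
# Returns 1 if any offending share was found, 0 otherwise (0 also when the
# server role is not an AD DC, since the rule does not apply there).
check_dc_vfs_objects() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # [section] header
        s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
        section = tolower(trim(s)); next
    }
    index($0, "=") {                            # key = value
        i = index($0, "=")
        key = tolower(trim(substr($0, 1, i - 1)))
        val = trim(substr($0, i + 1))
        if (section == "global" && key == "server role") role = tolower(val)
        if (key == "vfs objects") vfs[section] = val
    }
    END {
        # "domain controller" and "dc" are the synonyms Samba accepts for the AD DC role
        if (role != "active directory domain controller" && role != "domain controller" && role != "dc") exit 0
        bad = 0
        for (s in vfs) {
            if (tolower(vfs[s]) !~ /(^|[ \t])dfs_samba4([ \t]|$)/) {
                printf "[%s] vfs objects = %s  -> vfs objects = dfs_samba4 %s\n", s, vfs[s], vfs[s]
                bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Constructed sample (not the poster's file): [profiles] breaks the rule,
# [homes] follows it, [netlogon] leaves 'vfs objects' at the DC default.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
    server role = active directory domain controller
    workgroup = EXAMPLE

[profiles]
    path = /home/profiles/
    vfs objects = acl_xattr

[homes]
    path = /home/%U
    vfs objects = dfs_samba4 acl_xattr

[netlogon]
    path = /var/lib/samba/sysvol/example.com/scripts
EOF

check_dc_vfs_objects "$SAMPLE"      # reports only [profiles]
echo "exit status: $?"
rm -f "$SAMPLE"
```

On a live DC, `testparm -s /etc/samba/smb.conf > /tmp/expanded.conf` first and lint the expanded file: testparm resolves includes and prints only the non-default values, so a share that inherits the DC default shows no 'vfs objects' line and is correctly passed over.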