[Samba] samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain (SOLVED)
ilopez at enress.gov.ar
Wed Jun 7 11:36:18 UTC 2023
Thanks, Rowland. You steered us on the right path. Reading
We could see:
Parameter Name                                Description               Default
--------------                                -----------               -------
allow nt4 crypto                              Deprecated                no
allow nt4 crypto:COMPUTERACCOUNT              New
kdc default domain supported enctypes         New (see manpage)
kdc supported enctypes                        New (see manpage)
kdc force enable rc4 weak session keys        New                       No
reject md5 clients                            New Default, Deprecated   Yes
reject md5 servers                            New Default, Deprecated   Yes
server schannel                               Deprecated                Yes
server schannel require seal                  New, Deprecated           Yes
server schannel require seal:COMPUTERACCOUNT  New
winbind sealed pipes                          Deprecated                Yes
A diff between smb.conf showed us, among other things, possible
*reject md5 clients*
*reject md5 servers*
*server schannel require seal*
Then we tried:
*reject md5 clients = No*
*reject md5 servers = No*
*server schannel require seal = No*
And it works.
*reject md5 servers = No*
With that line, the PC was allowed to join.
Ing Iván López
Systems - ENRESS
On 31/5/23 at 13:16, Rowland Penny via samba wrote:
> On 31/05/2023 16:44, Ivan Lopez via samba wrote:
>> Hi, Rowland. Thanks for your answer. There is the result of testparm
>> -s in Ubuntu 20. I've sent the result of testparm -v because I
>> thought that some default could have changed between versions.
> There may have been changes between versions, but it is what you are
> running now that counts; your very long smb.conf was off-putting to
> say the least.
>> #sudo testparm -s
>> Load smb config files from /etc/samba/smb.conf
>> lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
>> Loaded services file OK.
>> Weak crypto is allowed
>> Server role: ROLE_DOMAIN_MEMBER
>> # Global parameters
>> client ipc min protocol = NT1
>> client min protocol = NT1
>> client max protocol = NT1
>> dns proxy = No
>> log file = /var/log/samba/log.%m
>> map to guest = Bad User
>> max log size = 1000
>> obey pam restrictions = Yes
>> pam password change = Yes
>> panic action = /usr/share/samba/panic-action %d
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> passwd program = /usr/bin/passwd %u
>> realm = OUR.REALM
>> security = ADS
>> server role = standalone server
> I would remove that, it isn't a standalone server.
>> server string = %h server (Samba, Ubuntu)
>> syslog = 0
>> template shell = /bin/bash
>> unix password sync = Yes
> You do need to remove that, you do not sync local users to domain
> users, you map domain users to be Unix users.
>> usershare allow guests = Yes
>> winbind use default domain = Yes
>> workgroup = OUR
>> idmap config our : range = 16777220-33554431
>> idmap config our : backend = rid
>> idmap config * : range = 5000-16777200
>> idmap config * : backend = tdb
> Why do you use such a large range for the default '*' domain, over 16
> million for something that is meant for the Well Known SIDs (there
> are less than 200 of them) and anything outside the 'OUR' domain
> (there will be very few, if any of those).
> Between 4.7.0 and 4.15.0 a few parameters changed defaults; these may
> be relevant. These are the defaults on 4.15.x:
> lanman auth = no
> client plaintext auth = no
> client NTLMv2 auth = yes
> client lanman auth = no
> You may need to add these, with the value set to the opposite i.e.
> 'lanman auth = yes'
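The fix in this thread works by switching off settings that Samba hardened by default (reject md5 servers, server schannel require seal, the NT1/lanman family). An added example, not from the thread or from Samba itself: a small shell audit that reads "testparm -s" output and flags those weak values, so the exceptions made for an old domain can be found and reverted later. The sample dump and the WEAK_SETTINGS list are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit a "testparm -s" dump for the
# weak-crypto settings discussed above. Run against a real host with:
#   testparm -s 2>/dev/null | audit_smb_conf

# parameter|value pairs that weaken authentication or transport security.
WEAK_SETTINGS='reject md5 clients|No
reject md5 servers|No
server schannel require seal|No
allow nt4 crypto|Yes
lanman auth|Yes
client lanman auth|Yes
client plaintext auth|Yes
client min protocol|NT1
client ipc min protocol|NT1'

# Reads testparm output on stdin, prints one "WEAK: ..." line per hit.
# Exit status 0 means nothing weak was found, 1 means at least one hit.
audit_smb_conf() {
    local found=0 line param value
    while IFS= read -r line; do
        line="${line#"${line%%[![:space:]]*}"}"          # drop leading whitespace
        case "$line" in ''|'#'*|'['*) continue ;; esac  # comments, sections
        case "$line" in *=*) ;; *) continue ;; esac     # continuation lines
        param=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        # whole-line, case-insensitive match against the weak list
        if printf '%s\n' "$WEAK_SETTINGS" | grep -qixF -- "$param|$value"; then
            printf 'WEAK: %s = %s\n' "$param" "$value"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample in testparm format (not a real host's configuration).
SAMPLE_TESTPARM='# Global parameters
    client min protocol = NT1
    reject md5 servers = No
    server schannel require seal = Yes
    security = ADS'

if ! printf '%s\n' "$SAMPLE_TESTPARM" | audit_smb_conf; then
    echo "weak settings present"
fi
```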