[Samba] samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain
Ivan Lopez
ilopez at enress.gov.ar
Wed May 31 13:40:29 UTC 2023
Hi, people. How are you? I hope you are very well.
Could you help us, please? We have a problem with Ubuntu+samba+winbindd
joining an old Windows 2000 Active Directory domain (we are testing
migrating our domain to SAMBA4 but, for now, we must continue using the
current domain).
We have no problems joining Ubuntu 18 and, in the past, we have joined
Ubuntu 20 PCs. It seems some update in the libraries or packages
involved in the winbindd/samba-Windows 2000 AD interaction has broken
something in our environment and now, joining an updated Ubuntu 20 can't be
done. We can install Ubuntu 18, join the PC to the domain and then update
to Ubuntu 20, but it is a pain because we are planning to go to Ubuntu 22.
*In the PC (ubuntu 20) we are trying to join:*
a) Result of net ads:
sudo net ads join -U Administrador
[sudo] contraseña para sistemas:
Password for [OUR\Administrador]:
ads_print_error: AD LDAP ERROR: 53 (Server is unwilling to perform):
00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0
connect_to_domain_password_server: unable to open the domain client
session to machine mailsrv.OUR.REALM. Flags[0x00000000] Error was :
NT_STATUS_ACCESS_DENIED.
Failed to join domain: failed to verify domain membership after joining:
{Access Denied} A process has requested access to an object but has not
been granted those access rights.
c) After that, winbindd can't be started. In winbind logs:
[2023/05/31 08:51:46.501656, 0]
../../source3/winbindd/winbindd.c:1722(main)
winbindd version 4.15.13-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2023/05/31 08:51:46.505271, 0]
../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with
version number 2
[2023/05/31 08:51:46.507658, 0]
../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
Could not fetch our SID - did we join?
[2023/05/31 08:51:46.507681, 0]
../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
unable to initialize domain list
b) Result of testparm -v:
# Global parameters
[global]
abort shutdown script =
add group script =
additional dns hostnames =
add machine script =
addport command =
addprinter command =
add share command =
add user script =
add user to group script =
afs token lifetime = 604800
afs username map =
aio max threads = 100
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow dns updates = secure only
allow insecure wide links = No
allow nt4 crypto = No
allow trusted domains = Yes
allow unsafe cluster upgrade = No
apply group policies = No
async dns timeout = 10
async smb echo handler = No
auth event notification = No
auto services =
binddns dir = /var/lib/samba/bind-dns
bind interfaces only = No
browse list = Yes
cache directory = /var/cache/samba
change notify = Yes
change share command =
check password script =
cldap port = 389
client ipc max protocol = default
client ipc min protocol = NT1
client ipc signing = default
client lanman auth = No
client ldap sasl wrapping = sign
client max protocol = NT1
client min protocol = NT1
client NTLMv2 auth = Yes
client plaintext auth = No
client protection = default
client schannel = Yes
client signing = default
client smb encrypt = default
client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM,
AES-256-GCM, AES-256-CCM
client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC,
HMAC-SHA256
client use kerberos = desired
client use spnego principal = No
client use spnego = Yes
cluster addresses =
clustering = No
config backend = file
config file =
create krb5 conf = Yes
ctdbd socket =
ctdb locktime warn threshold = 0
ctdb timeout = 0
cups connection timeout = 30
cups encrypt = No
cups server =
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver
deadtime = 10080
debug class = No
debug encryption = No
debug hires timestamp = Yes
debug pid = No
debug prefix timestamp = No
debug uid = No
dedicated keytab file =
default service =
defer sharing violations = Yes
delete group script =
deleteprinter command =
delete share command =
delete user from group script =
delete user script =
dgram port = 138
disable netbios = No
disable spoolss = No
dns forwarder =
dns proxy = Yes
dns update command = /usr/sbin/samba_dnsupdate
dns zone scavenging = No
dns zone transfer clients allow =
dns zone transfer clients deny =
domain logons = No
domain master = Auto
dos charset = CP850
dsdb event notification = No
dsdb group change notification = No
dsdb password event notification = No
enable asu support = No
enable core files = Yes
enable privileges = Yes
encrypt passwords = Yes
enhanced browsing = Yes
enumports command =
eventlog list =
get quota command =
getwd cache = Yes
gpo update command = /usr/sbin/samba-gpupdate
guest account = nobody
host msdfs = Yes
hostname lookups = No
idmap backend = tdb
idmap cache time = 604800
idmap gid =
idmap negative cache time = 120
idmap uid =
include system krb5 conf = Yes
init logon delay = 100
init logon delayed hosts =
interfaces =
iprint server =
kdc default domain supported enctypes = 0
kdc force enable rc4 weak session keys = No
kdc supported enctypes = 0
keepalive = 300
kerberos encryption types = all
kerberos method = default
kernel change notify = Yes
kpasswd port = 464
krb5 port = 88
lanman auth = No
large readwrite = Yes
ldap admin dn =
ldap connection timeout = 2
ldap debug level = 0
ldap debug threshold = 10
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap max anonymous request size = 256000
ldap max authenticated request size = 16777216
ldap max search request size = 256000
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = Yes
ldap ssl = start tls
ldap suffix =
ldap timeout = 15
ldap user suffix =
lm announce = Auto
lm interval = 60
load printers = Yes
local master = Yes
lock directory = /run/samba
lock spin time = 200
log file = /var/log/samba/log.%m
logging = file
log level = 1
log nt token command =
logon drive =
logon home = \\%N\%U
logon path = \\%N\%U\profile
logon script =
log writeable files on exit = No
lpq cache time = 30
lsa over netlogon = No
machine password timeout = 604800
mangle prefix = 1
mangling method = hash2
map to guest = Bad User
max disk size = 0
max log size = 1000
max mux = 50
max open files = 16384
max smbd processes = 0
max stat cache size = 512
max ttl = 259200
max wins ttl = 518400
max xmit = 16644
mdns name = netbios
message command =
min domain uid = 1000
min receivefile size = 0
min wins ttl = 21600
mit kdc command =
multicast dns register = Yes
name cache timeout = 660
name resolve order = lmhosts wins host bcast
nbt client socket address = 0.0.0.0
nbt port = 137
ncalrpc dir = /var/run/samba/ncalrpc
netbios aliases =
netbios name = UB-PC00092
netbios scope =
neutralize nt4 emulation = No
nmbd bind explicit broadcast = Yes
nsupdate command = /usr/bin/nsupdate -g
ntlm auth = ntlmv2-only
nt pipe support = Yes
ntp signd socket directory = /var/lib/samba/ntp_signd
nt status support = Yes
null passwords = No
obey pam restrictions = Yes
old password allowed period = 60
oplock break wait time = 0
os2 driver map =
os level = 20
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
passdb expand explicit = No
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd chat debug = No
passwd chat timeout = 2
passwd program = /usr/bin/passwd %u
password hash gpg key ids =
password hash userPassword schemes =
password server = *
perfcount module =
pid directory = /run/samba
preferred master = Auto
prefork backoff increment = 10
prefork children = 4
prefork maximum backoff = 120
preload modules =
printcap cache time = 750
printcap name =
private dir = /var/lib/samba/private
raw NTLMv2 auth = No
read raw = Yes
realm = OUR.REALM
registry shares = No
reject md5 clients = Yes
reject md5 servers = Yes
remote announce =
remote browse sync =
rename user script =
require strong key = Yes
reset on zero vc = No
restrict anonymous = 0
root directory =
rpc big endian = No
rpc server dynamic port range = 49152-65535
rpc server port = 0
samba kcc command = /usr/sbin/samba_kcc
security = ADS
server max protocol = SMB3
server min protocol = SMB2_02
server multi channel support = Yes
server role = standalone server
server schannel = Yes
server schannel require seal = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, dns
server signing = default
server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM,
AES-256-GCM, AES-256-CCM
server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC,
HMAC-SHA256
server string = %h server (Samba, Ubuntu)
set primary group script =
set quota command =
show add printer wizard = Yes
shutdown script =
smb2 disable lock sequence checking = No
smb2 disable oplock break retry = No
smb2 leases = Yes
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smbd profiling level = off
smb passwd file = /etc/samba/smbpasswd
smb ports = 445 139
socket options = TCP_NODELAY
spn update command = /usr/sbin/samba_spnupdate
stat cache = Yes
state directory = /var/lib/samba
svcctl list =
syslog = 1
syslog only = No
template homedir = /home/%D/%U
template shell = /bin/bash
time server = No
timestamp logs = Yes
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
unicode = Yes
unix charset = UTF-8
unix extensions = Yes
unix password sync = Yes
use mmap = Yes
username level = 0
username map =
username map cache time = 0
username map script =
usershare allow guests = Yes
usershare max shares = 100
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
utmp = No
utmp directory =
winbind cache time = 300
winbindd socket directory = /var/run/samba/winbindd
winbind enum groups = No
winbind enum users = No
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = template
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind scan trusted domains = No
winbind sealed pipes = Yes
winbind separator = \
winbind use default domain = Yes
winbind use krb5 enterprise principals = Yes
wins hook =
wins proxy = No
wins server =
wins support = No
workgroup = OUR
write raw = Yes
wtmp directory =
idmap config our : range = 16777220-33554431
idmap config our : backend = rid
idmap config * : range = 5000-16777200
idmap config * : backend = tdb
access based share enum = No
acl allow execute always = No
acl check permissions = Yes
acl flag inherited canonicalization = Yes
acl group control = No
acl map full control = Yes
administrative share = No
admin users =
afs share = No
aio read size = 1
aio write behind =
aio write size = 1
allocation roundup size = 0
available = Yes
blocking locks = Yes
block size = 1024
browseable = Yes
case sensitive = Auto
check parent directory delete on close = No
comment =
copy =
create mask = 0744
csc policy = manual
cups options =
default case = lower
default devmode = Yes
delete readonly = No
delete veto files = No
dfree cache time = 0
dfree command =
directory mask = 0755
directory name cache size = 100
dmapi support = No
dont descend =
dos filemode = No
dos filetime resolution = No
dos filetimes = Yes
durable handles = Yes
ea support = Yes
fake directory create times = No
fake oplocks = No
follow symlinks = Yes
smbd force process locks = No
force create mode = 0000
force directory mode = 0000
force group =
force printername = No
force unknown acl user = No
force user =
fstype = NTFS
guest ok = No
guest only = No
hide dot files = Yes
hide files =
hide new files timeout = 0
hide special files = No
hide unreadable = No
hide unwriteable files = No
honor change notify privilege = No
hosts allow =
hosts deny =
include =
inherit acls = No
inherit owner = no
inherit permissions = No
invalid users =
kernel oplocks = No
kernel share modes = Yes
level2 oplocks = Yes
locking = Yes
lppause command =
lpq command = %p
lpresume command =
lprm command =
magic output =
magic script =
mangled names = illegal
mangling char = ~
map acl inherit = No
map archive = Yes
map hidden = No
map readonly = no
map system = No
max connections = 0
max print jobs = 1000
max reported print jobs = 0
min print space = 0
msdfs proxy =
msdfs root = No
msdfs shuffle referrals = No
nt acl support = Yes
ntvfs handler = unixuid, default
oplocks = Yes
path =
posix locking = Yes
postexec =
preexec =
preexec close = No
preserve case = Yes
printable = No
print command =
printer name =
printing = cups
printjob username = %U
print notify backchannel = No
queuepause command =
queueresume command =
read list =
read only = Yes
root postexec =
root preexec =
root preexec close = No
server smb encrypt = default
short preserve case = Yes
smbd async dosmode = No
smbd getinfo ask sharemode = Yes
smbd max async dosmode = 0
smbd max xattr size = 65536
smbd search ask sharemode = Yes
spotlight = No
spotlight backend = noindex
store dos attributes = Yes
strict allocate = No
strict locking = Auto
strict rename = No
strict sync = Yes
sync always = No
use client driver = No
use sendfile = No
valid users =
veto files =
veto oplock files =
vfs objects =
volume =
wide links = No
write list =
[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
c) result of dpkg -l |grep -E
"winbind|libpam-winbind|libnss-winbind|krb5-config|smb"
dpkg -l |grep -E "winbind|libpam-winbind|libnss-winbind|krb5-config|smb"
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos
Version 5
ii libnss-winbind:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64
Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64
Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64
shared library for communication with SMB/CIFS servers
ii libsmbios-c2 2.4.3-1 amd64 Provide access to (SM)BIOS
information -- dynamic library
ii libwbclient0:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64
Samba winbind client library
ii winbind 2:4.15.13+dfsg-0ubuntu0.20.04.1 amd64 service to
resolve user and group information from Windows NT servers
5d4
< additional dns hostnames =
22,23d20
< apply group policies = No
< async dns timeout = 10
25a23
> auth methods =
27d24
< binddns dir = /var/lib/samba/bind-dns
41c38
< client min protocol = NT1
---
> client min protocol = CORE
44d40
< client protection = default
47,50d42
< client smb encrypt = default
< client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM,
AES-256-GCM, AES-256-CCM
< client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC,
HMAC-SHA256
< client use kerberos = desired
65c57
< deadtime = 10080
---
> deadtime = 0
67d58
< debug encryption = No
84c75
< dns proxy = Yes
---
> dns proxy = No
86,88d76
< dns zone scavenging = No
< dns zone transfer clients allow =
< dns zone transfer clients deny =
92,94d79
< dsdb event notification = No
< dsdb group change notification = No
< dsdb password event notification = No
104d88
< gpo update command = /usr/sbin/samba-gpupdate
105a90
> homedir map = auto.home
118,120d102
< kdc default domain supported enctypes = 0
< kdc force enable rc4 weak session keys = No
< kdc supported enctypes = 0
146a129
> ldap ssl ads = No
154c137
< lock directory = /run/samba
---
> lock directory = /var/run/samba
157,158c140,141
< logging = file
< log level = 1
---
> logging =
> log level = 2
170a154
> map untrusted to domain = Auto
176c160
< max stat cache size = 512
---
> max stat cache size = 256
180d163
< mdns name = netbios
193c176
< netbios name = UB-PC00092
---
> netbios name = UB-PC00162
195a179
> NIS homedir = No
220c204
< pid directory = /run/samba
---
> pid directory = /var/run/samba
222,224d205
< prefork backoff increment = 10
< prefork children = 4
< prefork maximum backoff = 120
231c212
< realm = OUR.REALM
---
> realm = SANTAFE.ENRESS.GOV.AR
233,234c214,215
< reject md5 clients = Yes
< reject md5 servers = Yes
---
> reject md5 clients = No
> reject md5 servers = No
240a222
> rndc command = /usr/sbin/rndc
248,249c230,231
< server min protocol = SMB2_02
< server multi channel support = Yes
---
> server min protocol = LANMAN1
> server multi channel support = No
252d233
< server schannel require seal = Yes
255,256d235
< server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM,
AES-256-GCM, AES-256-CCM
< server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC,
HMAC-SHA256
259a239
> share backend = classic
262,263d241
< smb2 disable lock sequence checking = No
< smb2 disable oplock break retry = No
277c255
< syslog = 1
---
> syslog = 0
306a285
> use spnego = Yes
308a288
> web port = 901
324d303
< winbind scan trusted domains = No
326a306
> winbind trusted domains only = No
328d307
< winbind use krb5 enterprise principals = Yes
333c312
< workgroup = OUR
---
> workgroup = SANTAFE
336,337c315,316
< idmap config our : range = 16777220-33554431
< idmap config our : backend = rid
---
> idmap config santafe : range = 16777220-33554431
> idmap config santafe : backend = rid
343d321
< acl flag inherited canonicalization = Yes
349c327
< aio read size = 1
---
> aio read size = 0
351,352c329,330
< aio write size = 1
< allocation roundup size = 0
---
> aio write size = 0
> allocation roundup size = 1048576
358d335
< check parent directory delete on close = No
378c355
< ea support = Yes
---
> ea support = No
382d358
< smbd force process locks = No
394d369
< hide new files timeout = 0
398d372
< honor change notify privilege = No
416c390
< mangled names = illegal
---
> mangled names = yes
421c395
< map readonly = no
---
> map readonly = yes
431a406
> oplock contention limit = 2
444a420
> profile acls = No
452d427
< server smb encrypt = default
454,458c429
< smbd async dosmode = No
< smbd getinfo ask sharemode = Yes
< smbd max async dosmode = 0
< smbd max xattr size = 65536
< smbd search ask sharemode = Yes
---
> smb encrypt = default
460,461c431
< spotlight backend = noindex
< store dos attributes = Yes
---
> store dos attributes = No
474a445
> write cache size = 0
*In Windows 2000 Domain Controller:*
* The Computer Object is created in Active Directory but is marked
with a red cross (blocked?)
* The Event 5772 from NETLOGON is logged
* Tipo de suceso: Error
Origen del suceso: NETLOGON
Categoría del suceso: Ninguno
Id. del suceso: 5722
Fecha: 31/05/2023
Hora: 6:54:01
Usuario: No disponible
Equipo: MAILSRV
Descripción:
No se puede autenticar la configuración de sesión desde el
equipo UB-PC00092. El nombre de la cuenta a la que se hace
referencia en la base de datos de seguridad es UB-PC00092$. Error:
Acceso denegado.
Datos:
0000: 22 00 00 c0 "..À
*Additional Info; may be important:*
* We noted the event 5772 is also logged intermittently for other
PCs already joined to the domain, all of them with Ubuntu 20. We
think this log happens when the PC tries to change its password.
Those PCs are running OK in the domain, but maybe this event is the
tip of an iceberg.
* Maybe event 5722 is also logged when joining Ubuntu 20 to the
domain because the PC is trying to establish its password at that
moment?
Thanks in advance.
Iván
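The post compares two `testparm -v` dumps by hand with `diff`. As an added example (editor's code, not the poster's or Samba's), the Python below parses such dumps, joins values that the mailer wrapped onto a second line, and reports the [global] differences, calling out separately the secure-channel and protocol parameters that appear in the post's diff (`reject md5 servers`, `allow nt4 crypto`, `server schannel require seal`, `client min protocol`) so an admin can see exactly which defaults differ between the 4.15.13 host and the older one before deciding anything. The two dumps are constructed excerpts and the one-line parameter summaries are the editor's, not Samba's documentation.

```python
import re
# Constructed excerpts of two `testparm -v` dumps (one wrapped long value included);
# sample data in the layout the post shows, not the post's full dumps.
HOST_415 = """\
[global]
allow nt4 crypto = No
client min protocol = NT1
client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC,
HMAC-SHA256
reject md5 servers = Yes
server schannel require seal = Yes
[printers]
path = /var/spool/samba
"""
HOST_OLD = """\
[global]
allow nt4 crypto = No
client min protocol = CORE
reject md5 servers = No
"""
# [global] parameters that decide whether Samba will talk to a legacy DC; one-line
# summaries are the editor's, not Samba's documentation text.
HARDENING_PARAMS = {
    "reject md5 servers": "refuses an RC4/MD5-only NETLOGON secure channel to the DC",
    "allow nt4 crypto": "No rejects NT4-era weak secure-channel crypto",
    "server schannel require seal": "requires sealed (encrypted) schannel RPC",
    "client min protocol": "lowest SMB dialect offered; CORE/NT1 permit SMB1",
}

def parse_testparm(text):
    """testparm output -> {section: {param: value}}; a line without '=' continues the previous value."""
    sections, section, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:  # new [section]; resets the continuation state
            section, last_key = m.group(1), None
            sections[section] = {}
        elif section is None:
            continue
        elif "=" in line:
            key, _, value = line.partition("=")
            last_key = key.strip().lower()
            sections[section][last_key] = value.strip()
        elif last_key is not None:  # wrapped long value, e.g. an algorithm list
            sections[section][last_key] += " " + line
    return sections

def diff_global(text_a, text_b, only=None):
    """[global] params that differ (case-insensitive) or exist on one side only (None there); `only` filters."""
    ga, gb = (parse_testparm(t).get("global", {}) for t in (text_a, text_b))
    keys = set(ga) | set(gb) if only is None else (set(ga) | set(gb)) & set(only)
    pairs = {k: (ga.get(k), gb.get(k)) for k in sorted(keys)}
    return {k: v for k, v in pairs.items() if (v[0] or "").lower() != (v[1] or "").lower()}

def hardening_findings(text_a, text_b):
    diffs = diff_global(text_a, text_b, only=HARDENING_PARAMS)
    return {k: (a, b, HARDENING_PARAMS[k]) for k, (a, b) in diffs.items()}
```

Feed `hardening_findings()` the full dumps from the two hosts to get only the secure-channel parameters that differ, each with a note on what it protects; `diff_global()` without `only` gives the complete comparison.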