I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.
I would like to add another server, and have it authenticate users against openLDAP.
I thought I had to add the new server to the domain with "net rpc join", but that seems to think I want to join an AD domain, and fails:

# net rpc join -U root%mypassword
No realm has been specified! Do you really want to join an Active Directory server?
Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN' over rpc: This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.

Before that, I tried to configure it just as a standalone server with LDAP, but that didn't work either (it didn't find the user accounts).
Would someone know how to add a plain file server to a Samba 4 domain, and have the file server authenticate the LDAP users?
Below is my current config, which gives the "net rpc join" error above:
# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[backups]"
Processing section "[diskimages]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
workgroup = MYDOMAIN
server role = standalone server
security = DOMAIN
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:"ldap://localhost ldap://ldap.mydomain.lan ldap://ldap2.mydomaini.lan"
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 4000
dns proxy = No
wins server = 192.168.44.10
ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=mydomain,dc=lan
ldap ssl = no
ldap user suffix = ou=People
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[backups]
...
In case it matters, this is the PDC config:
# testparm -s
Load smb config files from /etc/samba/smb.conf
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_url_parse_ext(ldapi://)
ldap_url_parse_ext(ldap://)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Processing section "[netlogon]"
...
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
[global]
workgroup = MYDOMAIN
netbios name = JANUS
server string = %h server
interfaces = 127.0.0.0/8, 192.168.44.10/24, 10.44.0.0/24
server role = classic primary domain controller
map to guest = Bad User
passdb backend = ldapsam
syslog = 0
log file = /var/log/samba/log.%m
server max protocol = NT1
time server = Yes
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
show add printer wizard = No
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = logon-%a.bat
logon path = \\%N\%U\profile-%a
logon drive = H:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=frenetic,dc=lan
ldap ssl = no
ldap user suffix = ou=People
ldap debug level = 1
panic action = /usr/share/samba/panic-action %d
ldapsam:trusted = yes
idmap config * : backend = tdb
acl allow execute always = Yes
create mask = 0775
directory mask = 02775
force unknown acl user = Yes
print notify backchannel = No
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
veto oplock files = /*.doc*/*.DOC*/*.xls*/*.XLS*/*.mdb/*.MDB/~$*/
csc policy = disable
[netlogon]
...
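As an added example (not code from the thread or from Samba; testparm remains the authoritative parser), the following Python check reads a constructed excerpt of the first configuration above and flags the two things a reviewer would point at: "security = DOMAIN" already makes smbd a domain member, which is why testparm reports ROLE_DOMAIN_MEMBER even though the file says "server role = standalone server", and an ldapsam backend on plain ldap:// to remote hosts with "ldap ssl = no" sends the "ldap admin dn" bind password in cleartext. The host names, suffixes and the corrected variant are assumptions for the example.

```python
# Added example: a consistency check over the [global] section of a classic
# (NT4-style) smb.conf. It is not from the thread or the Samba project;
# testparm remains the authoritative parser. Two rules are implemented:
#  1. 'security = domain' (or 'ads') makes smbd a domain member, which is why
#     testparm printed ROLE_DOMAIN_MEMBER for a config that also says
#     'server role = standalone server'.
#  2. ldapsam over plain ldap:// to a remote host with 'ldap ssl = no' sends the
#     'ldap admin dn' bind password (kept in secrets.tdb) in cleartext.
import configparser
import shlex

# Constructed excerpt modelled on the first configuration in the thread.
WEAK_SMB_CONF = """
[global]
workgroup = MYDOMAIN
server role = standalone server
security = DOMAIN
passdb backend = ldapsam:"ldap://localhost ldap://ldap.mydomain.lan ldap://ldap2.mydomain.lan"
ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
ldap suffix = dc=mydomain,dc=lan
ldap ssl = no
idmap config * : backend = tdb
"""

# Constructed corrected version: a single role statement, TLS on the LDAP bind.
FIXED_SMB_CONF = """
[global]
workgroup = MYDOMAIN
security = domain
passdb backend = ldapsam:"ldap://localhost ldap://ldap.mydomain.lan"
ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
ldap suffix = dc=mydomain,dc=lan
ldap ssl = start tls
idmap config * : backend = tdb
"""


def parse_global(text):
    """Return the [global] section as a dict with lower-cased keys.

    smb.conf is INI-like; only '=' separates keys from values, so the
    parameter 'idmap config * : backend' must not be split at ':'.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {key.strip().lower(): value.strip() for key, value in cp["global"].items()}


def ldap_urls(passdb_backend):
    """Extract the LDAP URL list from 'passdb backend = ldapsam:"url url ..."'."""
    if not passdb_backend.lower().startswith("ldapsam"):
        return []
    _, _, rest = passdb_backend.partition(":")
    # shlex strips the surrounding quotes; the URLs inside are space separated.
    return " ".join(shlex.split(rest)).split()


def find_conflicts(text):
    """Return a list of short issue codes for the [global] section."""
    g = parse_global(text)
    issues = []
    role = g.get("server role", "").lower()
    security = g.get("security", "").lower()
    if security in ("domain", "ads") and role and role != "member server":
        issues.append("role-vs-security")
    # Samba's default for 'ldap ssl' is 'start tls'; only an explicit no/off is cleartext.
    ssl = g.get("ldap ssl", "start tls").lower()
    remote_plain = [u for u in ldap_urls(g.get("passdb backend", ""))
                    if u.startswith("ldap://") and not u.startswith("ldap://localhost")]
    if remote_plain and ssl in ("no", "off"):
        issues.append("ldap-cleartext")
    return issues


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, find_conflicts(conf) or "no issues")
```

Running the script reports both issues for the weak configuration and none for the corrected one; extending it is a matter of adding rules to find_conflicts, since the parser already yields every [global] parameter.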
On 28/04/16 15:16, MI wrote:
> I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.
> [...]
> # net rpc join -U root%mypassword
> No realm has been specified! Do you really want to join an Active
> Directory server?
> Failed to join domain: failed to lookup DC info for domain
> 'MYDOMAIN' over rpc: This error indicates that the requested
> operation cannot be completed due to a catastrophic media failure
> or an on-disk data structure corruption.

I did something similar last week in a test domain and had a similar problem; I got it to work by using 'administrator' instead of 'root'. It still complained about Active Directory; I think somebody changed 'net' without considering NT4-style domains.

Rowland
Isn't this problem also connected to the Badlock patches? I encountered this after upgrading a file server from 4.1.17 to 4.2.10 (Debian). Although it could have happened anytime between these two versions...

On 28.04.2016 at 17:14, Rowland penny wrote:
> On 28/04/16 15:16, MI wrote:
>> [...]
>
> I did something similar last week in a test domain and had a similar
> problem, I got it to work by using 'administrator' instead of 'root'.
> It still complained about active directory, I think somebody changed
> 'net' without considering NT-4 style domains.
>
> Rowland
Marcio Vogel Merlone dos Santos
2016-May-04 19:16 UTC
[Samba] Cannot join server to Samba4 NT4 domain
On 28-04-2016 12:14, Rowland penny wrote:
> On 28/04/16 15:16, MI wrote:
>> [...]
>
> I did something similar last week in a test domain and had a similar
> problem, I got it to work by using 'administrator' instead of 'root'.
> It still complained about active directory, I think somebody changed
> 'net' without considering NT-4 style domains.

Sorry to say just "me too". Trying to join my Mint 17.3 desktop (samba 2:4.3.9+dfsg-0ubuntu0.14.04.1) as an NT4-style domain member of an old Samba 3.4 PDC (2:3.4.7~dfsg-1ubuntu3.15), I get this:

mic-158 samba # net rpc join -S pdc -U administrador
No realm has been specified! Do you really want to join an Active Directory server?
Enter administrador's password:
smb_signing_good: BAD SIG: seq 1
Failed to join domain: failed to lookup DC info for domain 'DOM' over rpc: Access denied
mic-158 samba #

Log from server:

[2016/05/04 14:51:15, 2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/05/04 14:51:15, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 5144
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation MIC-158$: no account in domain
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation MIC-158$: no account in domain
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED

Frozen hell: no problem adding Windows XP, 7, 8.x and 10 machines to the domain. Just another Samba. Found any workaround?

Thanks, best regards.

--
Marcio Merlone
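The PDC log in the post above says what actually failed: get_md4pw found no account for MIC-158$, so the NETLOGON ServerAuthenticate3 step could not even look up a machine password. As an added example (not from the thread or from Samba), the following Python detection logic pattern-matches those two messages over a constructed copy of the log, counts them per machine account and labels each account, so an admin reviewing log.%m after a failed join can see whether the problem is a missing machine entry under "ldap machine suffix" (which points at "add machine script" on the PDC) or an entry that exists but was rejected. The OTHERHOST$ lines are invented to exercise the second branch; the "rejected for another reason" label is an assumption about the cause, not something the log states.

```python
# Added example: detection logic for the NETLOGON failure shown in the posted
# server log. Not from the thread or Samba; it only pattern-matches the two
# messages smbd writes when a workstation account cannot be used for a join.
import re
from collections import Counter

# Constructed sample modelled on the log posted above. The OTHERHOST$ entry is
# invented to show the second branch of the classifier.
SAMPLE_LOG = """\
[2016/05/04 14:51:15, 2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation MIC-158$: no account in domain
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation MIC-158$: no account in domain
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED
[2016/05/04 14:52:01, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account OTHERHOST$: NT_STATUS_ACCESS_DENIED
"""

NO_ACCOUNT = re.compile(r"get_md4pw: Workstation (\S+): no account in domain")
AUTH_FAIL = re.compile(
    r"_netr_ServerAuthenticate3: failed to get machine password for account (\S+): (NT_STATUS_\w+)")


def summarize(log_text):
    """Count 'no account' and ServerAuthenticate3 failures per machine account."""
    missing, failures = Counter(), Counter()
    for line in log_text.splitlines():
        m = NO_ACCOUNT.search(line)
        if m:
            missing[m.group(1)] += 1
            continue
        m = AUTH_FAIL.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
    return {"missing_accounts": dict(missing), "auth_failures": dict(failures)}


def classify(log_text):
    """Label each failing machine account.

    'not-in-passdb': the DC logged get_md4pw 'no account' for it, so the join
      never produced a machine entry the DC can see (check 'ldap machine
      suffix' and 'add machine script' on the PDC).
    'account-found-rejected': only ServerAuthenticate3 failed; the entry
      exists but get_md4pw rejected it for another reason (assumption: for
      example a wrong account type or a disabled account).
    """
    s = summarize(log_text)
    labels = {}
    for account, _status in s["auth_failures"]:
        if account in s["missing_accounts"]:
            labels[account] = "not-in-passdb"
        else:
            labels[account] = "account-found-rejected"
    return labels


if __name__ == "__main__":
    for account, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{account}: {label}")
```

Run against a real log.%m file, the same functions take the file contents as log_text; the regexes match the message line only, so the "[date, level] file:line(function)" header line that precedes each message does not need to be parsed.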
In case it helps someone, the only way I found to add this server and have it use LDAP for authentication was with a weird hack which I found here:
http://lapsz.eu/blog/2013/09/04/standalone-samba-server-with-ldap-authentication/

Basically, I changed the sambaSID of that other server in the LDAP entry it had created under "dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan" to be the domain SID.

That now works, and users can authenticate, but I have a duplicate SID, which doesn't seem right. That server's config is now (excerpts):
# testparm -s
...
Server role: ROLE_STANDALONE
[global]
workgroup = MYDOMAIN
map to guest = Bad User
password server = myPDC.mydomain.lan
passdb backend = ldapsam:"ldap://ldap.mydomain.lan ldap://ldap2.mydomain.lan"
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 192.168.44.10
ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
ldap group suffix = ou=Groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=mydomain,dc=lan
ldap ssl = no
ldap user suffix = ou=People
idmap config * : backend = tdb
....
My previous tests with "server role = member server", or "netbios backup domain controller" or "classic backup domain controller" and "security = domain" and "net rpc JOIN" all failed.
"net rpc info" would tell me "Connection failed: NT_STATUS_INTERNAL_DB_CORRUPTION" (when using the right user/password. With a wrong user/password, the error was different.)

Anyway, while it sort-of-works now, I have a strong feeling that this is not quite right, and I really should upgrade to AD. I avoided it until now because I saw only unneeded added complexity, and no benefit (for a single small network). But maybe it's unavoidable...
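The workaround above leaves two sambaDomain entries carrying the same SID, which is the state the poster is uneasy about: every sambaSamAccount SID is "<domain SID>-<RID>", so two domain objects sharing one SID means two servers each believe they issued every account in the directory. As an added example (not from the thread or from Samba), the following Python code reads a constructed LDIF export of the relevant objects, reports any SID shared by more than one sambaDomain entry, and lists accounts whose SID does not fall under the real domain SID. The DNs, uids and the SID value S-1-5-21-111111111-222222222-333333333 are placeholders; the LDIF reader is deliberately minimal (no base64 "::" values) and is not a substitute for python-ldap or ldapsearch.

```python
# Added example: check an LDIF export of the Samba domain objects for the
# duplicate-SID condition the workaround above produces. Not from the thread
# or Samba; the minimal LDIF reader handles only what the check needs
# (attr: value lines, blank-line separated entries, folded continuation lines).
# S-1-5-21-111111111-222222222-333333333 is a constructed placeholder SID.

# Constructed LDIF: the real domain, the FILESERVER entry after the hack,
# one user under the domain SID and one whose SID belongs to no known domain.
SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: FILESERVER
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: uid=alice,ou=People,dc=mydomain,dc=lan
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-111111111-222222222-333333333-3002

dn: uid=bob,ou=People,dc=mydomain,dc=lan
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-444444444-555555555-666666666-3003
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per entry; attribute names are lower-cased."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr:     # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def has_class(entry, name):
    return name.lower() in [c.lower() for c in entry.get("objectclass", [])]


def duplicate_domain_sids(entries):
    """Map each sambaSID shared by more than one sambaDomain entry to those entries' names."""
    by_sid = {}
    for e in entries:
        if has_class(e, "sambaDomain"):
            for sid in e.get("sambasid", []):
                by_sid.setdefault(sid, []).append(e["sambadomainname"][0])
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


def accounts_outside_domain(entries, domain_sid):
    """Return uids of sambaSamAccount entries whose SID is not a RID under domain_sid."""
    prefix = domain_sid + "-"
    return sorted(e["uid"][0] for e in entries
                  if has_class(e, "sambaSamAccount")
                  and not any(s.startswith(prefix) for s in e.get("sambasid", [])))


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("duplicate domain SIDs:", duplicate_domain_sids(entries))
    print("accounts outside MYDOMAIN:",
          accounts_outside_domain(entries, "S-1-5-21-111111111-222222222-333333333"))
```

On a live directory the same checks can be fed the output of an ldapsearch for "(|(objectClass=sambaDomain)(objectClass=sambaSamAccount))" under "ldap suffix"; a non-empty result from duplicate_domain_sids is the signal that a member server's local SID has been made equal to the domain SID, as in the hack above.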