Rowland penny
2021-Feb-23 20:49 UTC
[Samba] How do I join an Centos8 workstation to an NT4 domain?
On 23/02/2021 20:11, Nick via samba wrote:
>
> On 23/02/2021 19:51, Rowland penny via samba wrote:
>>
>> On 23/02/2021 17:17, Nick via samba wrote:
>>>
>>> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>>>
>>>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>>>> Please don't ream me for using an NT4 domain, but that is the
>>>>> beast I am stuck with.
>>>>
>>>> You might think you are stuck with it, but unless you plan to
>>>> upgrade to Samba AD, you might find you are stuck without it.
>>>> NT4-style domains are going away, in fact they were deprecated at
>>>> 4.13.0
>>>>
>>>> It is your decision, but I felt that I should warn you.
>>>>
>>>>> I am trying to join a Centos 8 workstation to an NT4 domain and
>>>>> the only notes I have are not really applicable -
>>>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain.
>>>>> It references Ubuntu and its PAM configuration is irrelevant. In
>>>>> any case I believe the join is falling down before PAM even comes
>>>>> into play.
>>>>
>>>> Ensure that all the Samba daemons are stopped, then try this
>>>> '[global]' section of the smb.conf:
>>>>
>>>> [global]
>>>>         domain master = No
>>>>         security = DOMAIN
>>>>         client min protocol = NT1
>>>>         template shell = /bin/bash
>>>>         winbind use default domain = Yes
>>>>         workgroup = HOME
>>>>         idmap config * : range = 3000-7999
>>>>         idmap config * : backend = tdb
>>>>         idmap config HOME : range = 10000000-19999999
>>>>         idmap config HOME : backend = rid
>>>>
>>>> Try the join again and if it joins, then start winbind followed by
>>>> smbd and nmbd.
>>>>
>>>> Rowland
>>>>
>>> I'm afraid it is the same problem:
>>>
>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>> Enter winadmin's password:
>>> Failed to join domain: failed to find DC for domain HOME - The
>>> object was not found.
>>>
>>> I don't know if it is of interest but changing "client min protocol
>>> = NT1" to "client max protocol = NT1" gave:
>>>
>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>> Enter winadmin's password:
>>> Failed to join domain: failed to find DC for domain HOME - The
>>> object was not found.
>>>
>>> Has NT1/SMB1 been removed from this version of Samba and could that
>>> be a problem? The server was running with "server min protocol =
>>> SMB2" and I changed it to allow SMB1 when I changed the min protocol
>>> to max protocol.
>>>
>>
>> No, SMBv1 (Samba calls it NT1) hasn't been removed, it will still be
>> in 4.14.0 when it is shortly released, but who knows about 4.15.0 ?
>>
>> It was turned off by default at 4.11.0? but is still available for
>> use by setting 'client min protocol = NT1' for connections to a
>> server that uses it and setting 'server min protocol = NT1' to make a
>> server use it. A Samba machine can be both a client and a server.
>> There should be no reason to set 'client max protocol' or 'server max
>> protocol', they are both set to SMBv3 and will negotiate the best
>> protocol to use.
>>
>> You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.
>>
>> Rowland
>>
> Success (sort of):
> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server
> Enter winadmin's password:
> Failed to join domain: failed to join domain 'HOME' over rpc: The
> specified account does not exist.
> [root at proxmox106 ~]# net rpc join -U winadmin -v -I 172.17.2.1
> Enter winadmin's password:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server.howitts.co.uk
> Enter winadmin's password:
> Using short domain name -- HOME
> Joined 'PROXMOX106' to domain 'HOME'
>
> Doesn't that indicate a DNS issue, but, if so what?

well, it would suggest a dns problem, except a PDC uses netbios, so is a 'wins server running on the PDC ? Do you have 'wins support = yes' in the PDC's smb.conf ?

Try adding 'wins server = PDC_IP' in the clients smb.conf

The line you had in the clients smb.conf:

add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u

Should be in the PDC's smb.conf.

> FWIW home.server.howitts.co.uk also resolves to the same IP and the
> join by IP failed.
>
> Smb, nmb and winbind now start so that is good.

Well, at least you are getting somewhere ?

> Also do I now need to do any PAM and nsswitch fixups? nsswitch.conf
> now reads:
>
> [root at proxmox106 ~]# grep '^\w' /etc/nsswitch.conf
> passwd:     sss files systemd
> group:      sss files systemd
> netgroup:   sss files
> automount:  sss files
> services:   sss files
> shadow:     files sss
> hosts:      files dns myhostname
> aliases:    files
> ethers:     files
> gshadow:    files
> networks:   files dns
> protocols:  files
> publickey:  files
> rpc:        files
>
> I assume it needs to reference winbind at least, instead of sss. The
> documentation I had said to do:
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat winbind
> hosts:          files dns wins
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
>
> But the documentation is very old.

And still valid, don't forget NT4-style domains are very old.

Rowland

On 23/02/2021 20:49, Rowland penny via samba wrote:
>
> On 23/02/2021 20:11, Nick via samba wrote:
>>
>> On 23/02/2021 19:51, Rowland penny via samba wrote:
>>>
>>> On 23/02/2021 17:17, Nick via samba wrote:
>>>>
>>>> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>>>>
>>>>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>>>>> Please don't ream me for using an NT4 domain, but that is the
>>>>>> beast I am stuck with.
>>>>>
>>>>> You might think you are stuck with it, but unless you plan to
>>>>> upgrade to Samba AD, you might find you are stuck without it.
>>>>> NT4-style domains are going away, in fact they were deprecated at
>>>>> 4.13.0
>>>>>
>>>>> It is your decision, but I felt that I should warn you.
>>>>>
>>>>>> I am trying to join a Centos 8 workstation to an NT4 domain and
>>>>>> the only notes I have are not really applicable -
>>>>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain.
>>>>>> It references Ubuntu and its PAM configuration is irrelevant. In
>>>>>> any case I believe the join is falling down before PAM even comes
>>>>>> into play.
>>>>>
>>>>> Ensure that all the Samba daemons are stopped, then try this
>>>>> '[global]' section of the smb.conf:
>>>>>
>>>>> [global]
>>>>>         domain master = No
>>>>>         security = DOMAIN
>>>>>         client min protocol = NT1
>>>>>         template shell = /bin/bash
>>>>>         winbind use default domain = Yes
>>>>>         workgroup = HOME
>>>>>         idmap config * : range = 3000-7999
>>>>>         idmap config * : backend = tdb
>>>>>         idmap config HOME : range = 10000000-19999999
>>>>>         idmap config HOME : backend = rid
>>>>>
>>>>> Try the join again and if it joins, then start winbind followed by
>>>>> smbd and nmbd.
>>>>>
>>>>> Rowland
>>>>>
>>>> I'm afraid it is the same problem:
>>>>
>>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>>> Enter winadmin's password:
>>>> Failed to join domain: failed to find DC for domain HOME - The
>>>> object was not found.
>>>>
>>>> I don't know if it is of interest but changing "client min protocol
>>>> = NT1" to "client max protocol = NT1" gave:
>>>>
>>>> [root at proxmox106 ~]# net rpc join -U winadmin
>>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>>> Enter winadmin's password:
>>>> Failed to join domain: failed to find DC for domain HOME - The
>>>> object was not found.
>>>>
>>>> Has NT1/SMB1 been removed from this version of Samba and could that
>>>> be a problem? The server was running with "server min protocol =
>>>> SMB2" and I changed it to allow SMB1 when I changed the min
>>>> protocol to max protocol.
>>>>
>>>
>>> No, SMBv1 (Samba calls it NT1) hasn't been removed, it will still be
>>> in 4.14.0 when it is shortly released, but who knows about 4.15.0 ?
>>>
>>> It was turned off by default at 4.11.0? but is still available for
>>> use by setting 'client min protocol = NT1' for connections to a
>>> server that uses it and setting 'server min protocol = NT1' to make
>>> a server use it. A Samba machine can be both a client and a server.
>>> There should be no reason to set 'client max protocol' or 'server
>>> max protocol', they are both set to SMBv3 and will negotiate the
>>> best protocol to use.
>>>
>>> You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.
>>>
>>> Rowland
>>>
>> Success (sort of):
>> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server
>> Enter winadmin's password:
>> Failed to join domain: failed to join domain 'HOME' over rpc: The
>> specified account does not exist.
>> [root at proxmox106 ~]# net rpc join -U winadmin -v -I 172.17.2.1
>> Enter winadmin's password:
>> Failed to join domain: failed to find DC for domain HOME - The object
>> was not found.
>> [root at proxmox106 ~]# net rpc join -U winadmin -v -S server.howitts.co.uk
>> Enter winadmin's password:
>> Using short domain name -- HOME
>> Joined 'PROXMOX106' to domain 'HOME'
>>
>> Doesn't that indicate a DNS issue, but, if so what?
>
> well, it would suggest a dns problem, except a PDC uses netbios, so is
> a 'wins server running on the PDC ? Do you have 'wins support = yes'
> in the PDC's smb.conf ?

Yes, it is there

> Try adding 'wins server = PDC_IP' in the clients smb.conf

I'll try that.

> The line you had in the clients smb.conf:
>
> add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s
> /bin/false -M %u
>
> Should be in the PDC's smb.conf.

The PDC has:
add machine script = /usr/sbin/samba-add-machine "%u"

>> FWIW home.server.howitts.co.uk also resolves to the same IP and the
>> join by IP failed.
>>
>> Smb, nmb and winbind now start so that is good.
>
> Well, at least you are getting somewhere ?

Yes. Chuffed at that, thanks.

>> Also do I now need to do any PAM and nsswitch fixups? nsswitch.conf
>> now reads:
>>
>> [root at proxmox106 ~]# grep '^\w' /etc/nsswitch.conf
>> passwd:     sss files systemd
>> group:      sss files systemd
>> netgroup:   sss files
>> automount:  sss files
>> services:   sss files
>> shadow:     files sss
>> hosts:      files dns myhostname
>> aliases:    files
>> ethers:     files
>> gshadow:    files
>> networks:   files dns
>> protocols:  files
>> publickey:  files
>> rpc:        files
>>
>> I assume it needs to reference winbind at least, instead of sss. The
>> documentation I had said to do:
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat winbind
>> hosts:          files dns wins
>> networks:       files
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>> netgroup:       nis
>>
>> But the documentation is very old.
>
> And still valid, don't forget NT4-style domains are very old.

Great

> Rowland
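
The protocol settings discussed in this thread, as an added example that is not part of the original messages and is not Samba's own code: a small auditor that reads the '[global]' section of an smb.conf and reports where SMB1 (NT1) is allowed and where a max protocol falls below the min protocol, the condition behind the lp_load_ex message quoted above. The dialect order, the aliases and the 4.11-and-later defaults are assumptions taken from smb.conf(5); the function names and sample inputs are constructed for illustration.

```python
import re
# Dialect order, oldest first, as named in smb.conf(5) (subset; assumed here).
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11", "DEFAULT": "SMB3_11"}
# Assumed defaults for Samba 4.11 and later: SMB1 off unless enabled.
DEFAULTS = {"client min protocol": "SMB2_02", "client max protocol": "SMB3_11",
            "server min protocol": "SMB2_02", "server max protocol": "SMB3_11"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise spacing too.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def rank(name):
    name = name.upper()  # raises ValueError below for an unknown dialect
    return ORDER.index(ALIASES.get(name, name))

def audit(text):
    """List findings about the effective client/server dialect range."""
    effective = {**DEFAULTS, **{k: v for k, v in parse_global(text).items() if k in DEFAULTS}}
    findings = []
    for side in ("client", "server"):
        low, high = effective[side + " min protocol"], effective[side + " max protocol"]
        if rank(high) < rank(low):
            findings.append(f"{side}: max protocol {high} is less than min protocol {low}")
        elif rank(low) <= rank("NT1"):
            findings.append(f"{side}: SMB1 allowed (min protocol {low})")
    return findings

# Constructed inputs: the client settings from the thread, and the variant tried.
SUGGESTED = "[global]\n\tsecurity = DOMAIN\n\tclient min protocol = NT1\n\tworkgroup = HOME\n"
VARIANT = SUGGESTED.replace("client min protocol", "client max protocol")

if __name__ == "__main__":
    for name, conf in (("suggested", SUGGESTED), ("variant", VARIANT)):
        print(name, audit(conf))
```

Running the same audit against the PDC's smb.conf shows whether 'server min protocol' has been lowered to NT1 there as well.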