I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP. I would like to add another server, and have it authenticate users against openLDAP. I thought I had to add the new server to the domain with "net rpc join", but that seems to think I want to join an AD domain, and fails:

    # net rpc join -U root%mypassword
    No realm has been specified! Do you really want to join an Active Directory server?
    Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN' over rpc: This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.

Before that, I tried to configure it just as a standalone server with LDAP, but that didn't work either (it didn't find the user accounts).

Would someone know how to add a plain file server to a Samba 4 domain, and have the file server authenticate the LDAP users?

Below is my current config which gives the "net rpc join" error above:

    # testparm -s
    Load smb config files from /etc/samba/smb.conf
    Processing section "[backups]"
    Processing section "[diskimages]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER

    # Global parameters
    [global]
        workgroup = MYDOMAIN
        server role = standalone server
        security = DOMAIN
        map to guest = Bad User
        obey pam restrictions = Yes
        passdb backend = ldapsam:"ldap://localhost ldap://ldap.mydomain.lan ldap://ldap2.mydomaini.lan"
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 4000
        dns proxy = No
        wins server = 192.168.44.10
        ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap suffix = dc=mydomain,dc=lan
        ldap ssl = no
        ldap user suffix = ou=People
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb

    [backups]
    ...

In case it matters, this is the PDC config:

    # testparm -s
    Load smb config files from /etc/samba/smb.conf
    ldap_url_parse_ext(ldap://localhost/)
    ldap_init: trying /etc/ldap/ldap.conf
    ldap_init: using /etc/ldap/ldap.conf
    ldap_url_parse_ext(ldapi://)
    ldap_url_parse_ext(ldap://)
    ldap_init: HOME env is /root
    ldap_init: trying /root/ldaprc
    ldap_init: trying /root/.ldaprc
    ldap_init: trying ldaprc
    ldap_init: LDAPCONF env is NULL
    ldap_init: LDAPRC env is NULL
    Processing section "[netlogon]"
    ...
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC

    [global]
        workgroup = MYDOMAIN
        netbios name = JANUS
        server string = %h server
        interfaces = 127.0.0.0/8, 192.168.44.10/24, 10.44.0.0/24
        server role = classic primary domain controller
        map to guest = Bad User
        passdb backend = ldapsam
        syslog = 0
        log file = /var/log/samba/log.%m
        server max protocol = NT1
        time server = Yes
        unix extensions = No
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        show add printer wizard = No
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon script = logon-%a.bat
        logon path = \\%N\%U\profile-%a
        logon drive = H:
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap passwd sync = yes
        ldap suffix = dc=frenetic,dc=lan
        ldap ssl = no
        ldap user suffix = ou=People
        ldap debug level = 1
        panic action = /usr/share/samba/panic-action %d
        ldapsam:trusted = yes
        idmap config * : backend = tdb
        acl allow execute always = Yes
        create mask = 0775
        directory mask = 02775
        force unknown acl user = Yes
        print notify backchannel = No
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        veto oplock files = /*.doc*/*.DOC*/*.xls*/*.XLS*/*.mdb/*.MDB/~$*/
        csc policy = disable

    [netlogon]
    ...
On 28/04/16 15:16, MI wrote:
> I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.
>
> I would like to add another server, and have it authenticate users
> against openLDAP. I thought I had to add the new server to the domain
> with "net rpc join", but that seems to think I want to join an AD
> domain, and fails:
>
> # net rpc join -U root%mypassword
> No realm has been specified! Do you really want to join an Active
> Directory server?
> Failed to join domain: failed to lookup DC info for domain
> 'MYDOMAIN' over rpc: This error indicates that the requested
> operation cannot be completed due to a catastrophic media failure
> or an on-disk data structure corruption.
>

I did something similar last week in a test domain and had a similar problem, I got it to work by using 'administrator' instead of 'root'. It still complained about active directory, I think somebody changed 'net' without considering NT-4 style domains.

Rowland
Isn't this problem connected too to badlock patches? I have encountered this after upgrade of fileserver from 4.1.17 to 4.2.10 (Debian). Although it could have happened anytime between these two versions...

On 28.04.2016 at 17:14 Rowland penny wrote:
> On 28/04/16 15:16, MI wrote:
>> I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.
>>
>> I would like to add another server, and have it authenticate users
>> against openLDAP. I thought I had to add the new server to the domain
>> with "net rpc join", but that seems to think I want to join an AD
>> domain, and fails:
>>
>> # net rpc join -U root%mypassword
>> No realm has been specified! Do you really want to join an Active
>> Directory server?
>> Failed to join domain: failed to lookup DC info for domain
>> 'MYDOMAIN' over rpc: This error indicates that the requested
>> operation cannot be completed due to a catastrophic media failure
>> or an on-disk data structure corruption.
>>
>
> I did something similar last week in a test domain and had a similar
> problem, I got it to work by using 'administrator' instead of 'root'.
> It still complained about active directory, I think somebody changed
> 'net' without considering NT-4 style domains.
>
> Rowland
>
>
Marcio Vogel Merlone dos Santos
2016-May-04 19:16 UTC
[Samba] Cannot join server to Samba4 NT4 domain
On 28-04-2016 12:14, Rowland penny wrote:
> On 28/04/16 15:16, MI wrote:
>> I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.
>>
>> I would like to add another server, and have it authenticate users
>> against openLDAP. I thought I had to add the new server to the domain
>> with "net rpc join", but that seems to think I want to join an AD
>> domain, and fails:
>>
>> # net rpc join -U root%mypassword
>> No realm has been specified! Do you really want to join an Active
>> Directory server?
>> Failed to join domain: failed to lookup DC info for domain
>> 'MYDOMAIN' over rpc: This error indicates that the requested
>> operation cannot be completed due to a catastrophic media failure
>> or an on-disk data structure corruption.
>>
>
> I did something similar last week in a test domain and had a similar
> problem, I got it to work by using 'administrator' instead of 'root'.
> It still complained about active directory, I think somebody changed
> 'net' without considering NT-4 style domains.

Sorry to say just "me too". Trying to join my Mint 17.3 Desktop (samba 2:4.3.9+dfsg-0ubuntu0.14.04.1) as a NT4-style domain member of an old 3.4 samba PDC (2:3.4.7~dfsg-1ubuntu3.15) I get this:

    mic-158 samba # net rpc join -S pdc -U administrador
    No realm has been specified! Do you really want to join an Active Directory server?
    Enter administrador's password:
    smb_signing_good: BAD SIG: seq 1
    Failed to join domain: failed to lookup DC info for domain 'DOM' over rpc: Access denied
    mic-158 samba #

Log from server:

    [2016/05/04 14:51:15, 2] lib/smbldap.c:890(smbldap_open_connection)
      smbldap_open_connection: connection opened
    [2016/05/04 14:51:15, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
      init_group_from_ldap: Entry found for group: 5144
    [2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
      get_md4pw: Workstation MIC-158$: no account in domain
    [2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED
    [2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
      get_md4pw: Workstation MIC-158$: no account in domain
    [2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED

Frozen hell: no problem to add Windows XP, 7, 8.x, 10 machines to domain. Just another samba. Found any workaround?

Thanks, best regards.

-- 
Marcio Merlone
In case it helps someone, the only way I found to add this server and have it use LDAP for authentication, was with a weird hack which I found here:

http://lapsz.eu/blog/2013/09/04/standalone-samba-server-with-ldap-authentication/

Basically, I changed the sambaSID of that other server in the LDAP entry it had created under "dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan" to be the domain SID. That now works, and users can authenticate, but I have a duplicate SID, which doesn't seem right.

That server's config is now (excerpts):

    # testparm -s
    ...
    Server role: ROLE_STANDALONE

    [global]
        workgroup = MYDOMAIN
        map to guest = Bad User
        password server = myPDC.mydomain.lan
        passdb backend = ldapsam:"ldap://ldap.mydomain.lan ldap://ldap2.mydomain.lan"
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = 192.168.44.10
        ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=Computers
        ldap suffix = dc=mydomain,dc=lan
        ldap ssl = no
        ldap user suffix = ou=People
        idmap config * : backend = tdb
    ....

My previous tests with "server role = member server", or "netbios backup domain controller" or "classic backup domain controller" and "security = domain" and "net rpc JOIN" all failed. "net rpc info" would tell me "Connection failed: NT_STATUS_INTERNAL_DB_CORRUPTION" (when using the right user/password. With a wrong user/password, the error was different.)

Anyway, while it sort-of-works now, I have a strong feeling that this is not quite right, and I really should upgrade to AD. I avoided it until now because I saw only unneeded added complexity, and no benefit (for a single small network). But maybe it's unavoidable...
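Two things in this thread are checkable before touching the PDC: the first member config above sets both "server role = standalone server" and "security = DOMAIN" (testparm resolved that to ROLE_DOMAIN_MEMBER; "security = domain" is the older spelling of "server role = member server", and a config should carry only one of them), and Marcio's PDC log shows the real reason its join was refused: "get_md4pw: Workstation MIC-158$: no account in domain", i.e. no machine account existed for the member. The script below is an added example, not code from the thread or from the Samba project. It runs offline against constructed samples shaped like the posted output; the live join at the end (domain admin account instead of root, as Rowland suggested, followed by "net rpc testjoin") only runs when invoked with --join. The hostnames, the "administrator" account name and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Offline checks for the
# two failure modes seen in the thread, plus an opt-in live join:
#   1. a member smb.conf whose [global] carries both "server role" and
#      "security" with values that imply different roles
#   2. PDC log lines "get_md4pw: Workstation NAME$: no account in domain",
#      meaning the DC has no machine account for the joining host
# Hostnames, the admin account name and the sample text are assumptions.

# Constructed sample: the role-related lines of the first poster's member config.
SAMPLE_CONF='[global]
	workgroup = MYDOMAIN
	server role = standalone server
	security = DOMAIN
	passdb backend = ldapsam:"ldap://localhost"
[backups]
	path = /srv/backups
'

# Constructed sample: PDC log lines in the shape Marcio posted.
SAMPLE_LOG='[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation MIC-158$: no account in domain
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED
'

# norm STRING: lower-case, trim, collapse blanks, so that "Security = DOMAIN"
# and "security=domain" compare equal.
norm() {
	printf '%s' "$1" | tr 'A-Z' 'a-z' \
		| sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]][[:space:]]*/ /g'
}

# role_conflict CONF_TEXT: prints "conflict" when [global] sets both
# parameters and they imply different roles, "ok" when both agree, and
# "none" when at most one of them is set. Other sections are ignored.
role_conflict() {
	globals=$(printf '%s\n' "$1" | awk '
		/^[[:space:]]*\[/ { in_global = (tolower($0) ~ /\[global\]/); next }
		in_global && /=/  { print }')
	role=""; sec=""
	while IFS= read -r line; do
		key=$(norm "${line%%=*}")
		val=$(norm "${line#*=}")
		case "$key" in
			"server role") role="$val" ;;
			security)      sec="$val" ;;
		esac
	done <<EOF
$globals
EOF
	case "$sec" in
		domain|ads) implied=member ;;
		user|share) implied=standalone ;;
		*)          implied="" ;;
	esac
	case "$role" in
		standalone*) have=standalone ;;
		member*)     have=member ;;
		auto|"")     have="" ;;
		*)           have=other ;;
	esac
	if [ -z "$sec" ] || [ -z "$have" ]; then
		echo none
	elif [ "$implied" = "$have" ]; then
		echo ok
	else
		echo conflict
	fi
}

# missing_machine_accounts LOG_TEXT: one machine account name per line
# (e.g. "MIC-158$") that the PDC reported as absent. Each must exist on the
# PDC before the member can authenticate: the PDC's "add machine script"
# (smbldap-useradd -w in the posted config) creates it when a user allowed
# to add machines performs the join, or it can be created by hand first.
missing_machine_accounts() {
	printf '%s\n' "$1" \
		| sed -n 's/.*get_md4pw: Workstation \([^:]*\): no account in domain.*/\1/p' \
		| sort -u
}

# do_join ADMIN: the live join, run on the member only when --join is given.
# Refuses to run unless testparm resolves the config to a member role.
do_join() {
	if ! testparm -s 2>&1 | grep -q 'Server role: ROLE_DOMAIN_MEMBER'; then
		echo "smb.conf does not resolve to a member-server role; fix it first" >&2
		return 1
	fi
	net rpc join -U "$1" && net rpc testjoin
}

case "${1:-}" in
	--join) do_join "${2:-administrator}" ;;
	*)
		echo "role check on sample config: $(role_conflict "$SAMPLE_CONF")"
		echo "machine accounts the PDC could not find:"
		missing_machine_accounts "$SAMPLE_LOG"
		;;
esac
```

Run it without arguments to exercise the checks against the samples; on a real member, pipe your own testparm output and PDC log into role_conflict and missing_machine_accounts, and only then run it with --join.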