I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.

I would like to add another server, and have it authenticate users against
openLDAP. I thought I had to add the new server to the domain with "net rpc
join", but that seems to think I want to join an AD domain, and fails:

     # net rpc join -U root%mypassword
     No realm has been specified! Do you really want to join an Active Directory server?
     Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN' over rpc:
     This error indicates that the requested operation cannot be completed due to a
     catastrophic media failure or an on-disk data structure corruption.

Before that, I tried to configure it just as a standalone server with LDAP, but
that didn't work either (it didn't find the user accounts).

Would someone know how to add a plain file server to a Samba 4 domain, and have
the file server authenticate the LDAP users?

Below is my current config which gives the "net rpc join" error above:
# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[backups]"
Processing section "[diskimages]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
     workgroup = MYDOMAIN
     server role = standalone server
     security = DOMAIN
     map to guest = Bad User
     obey pam restrictions = Yes
     passdb backend = ldapsam:"ldap://localhost ldap://ldap.mydomain.lan ldap://ldap2.mydomaini.lan"
     pam password change = Yes
     passwd program = /usr/bin/passwd %u
     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
     unix password sync = Yes
     syslog = 0
     log file = /var/log/samba/log.%m
     max log size = 4000
     dns proxy = No
     wins server = 192.168.44.10
     ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
     ldap group suffix = ou=Groups
     ldap machine suffix = ou=Computers
     ldap suffix = dc=mydomain,dc=lan
     ldap ssl = no
     ldap user suffix = ou=People
     usershare allow guests = Yes
     panic action = /usr/share/samba/panic-action %d
     idmap config * : backend = tdb
[backups]
...

In case it matters, this is the PDC config:
# testparm -s
Load smb config files from /etc/samba/smb.conf
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_url_parse_ext(ldapi://)
ldap_url_parse_ext(ldap://)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Processing section "[netlogon]"
...
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
[global]
     workgroup = MYDOMAIN
     netbios name = JANUS
     server string = %h server
     interfaces = 127.0.0.0/8, 192.168.44.10/24, 10.44.0.0/24
     server role = classic primary domain controller
     map to guest = Bad User
     passdb backend = ldapsam
     syslog = 0
     log file = /var/log/samba/log.%m
     server max protocol = NT1
     time server = Yes
     unix extensions = No
     load printers = No
     printcap name = /dev/null
     disable spoolss = Yes
     show add printer wizard = No
     add machine script = /usr/sbin/smbldap-useradd -w "%u"
     logon script = logon-%a.bat
     logon path = \\%N\%U\profile-%a
     logon drive = H:
     domain logons = Yes
     os level = 64
     preferred master = Yes
     domain master = Yes
     wins support = Yes
     ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
     ldap group suffix = ou=Groups
     ldap machine suffix = ou=Computers
     ldap passwd sync = yes
     ldap suffix = dc=frenetic,dc=lan
     ldap ssl = no
     ldap user suffix = ou=People
     ldap debug level = 1
     panic action = /usr/share/samba/panic-action %d
     ldapsam:trusted = yes
     idmap config * : backend = tdb
     acl allow execute always = Yes
     create mask = 0775
     directory mask = 02775
     force unknown acl user = Yes
     print notify backchannel = No
     printing = bsd
     print command = lpr -r -P'%p' %s
     lpq command = lpq -P'%p'
     lprm command = lprm -P'%p' %j
     veto oplock files = /*.doc*/*.DOC*/*.xls*/*.XLS*/*.mdb/*.MDB/~$*/
     csc policy = disable
[netlogon]
...
On 28/04/16 15:16, MI wrote:
> I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.
>
> I would like to add another server, and have it authenticate users
> against openLDAP. I thought I had to add the new server to the domain
> with "net rpc join", but that seems to think I want to join an AD
> domain, and fails:
>
> # net rpc join -U root%mypassword
> No realm has been specified! Do you really want to join an Active
> Directory server?
> Failed to join domain: failed to lookup DC info for domain
> 'MYDOMAIN' over rpc: This error indicates that the requested
> operation cannot be completed due to a catastrophic media failure
> or an on-disk data structure corruption.

I did something similar last week in a test domain and had a similar
problem; I got it to work by using 'administrator' instead of 'root'.
It still complained about active directory; I think somebody changed
'net' without considering NT-4 style domains.

Rowland
Isn't this problem also connected to the badlock patches? I have encountered
this after an upgrade of the fileserver from 4.1.17 to 4.2.10 (Debian).
Although it could have happened anytime between these two versions...

On 28.04.2016 at 17:14, Rowland penny wrote:
> On 28/04/16 15:16, MI wrote:
>> I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.
>>
>> I would like to add another server, and have it authenticate users
>> against openLDAP. I thought I had to add the new server to the domain
>> with "net rpc join", but that seems to think I want to join an AD
>> domain, and fails:
>>
>> # net rpc join -U root%mypassword
>> No realm has been specified! Do you really want to join an Active
>> Directory server?
>> Failed to join domain: failed to lookup DC info for domain
>> 'MYDOMAIN' over rpc: This error indicates that the requested
>> operation cannot be completed due to a catastrophic media failure
>> or an on-disk data structure corruption.
>>
>
> I did something similar last week in a test domain and had a similar
> problem, I got it to work by using 'administrator' instead of 'root'.
> It still complained about active directory, I think somebody changed
> 'net' without considering NT-4 style domains.
>
> Rowland
Marcio Vogel Merlone dos Santos
2016-May-04  19:16 UTC
[Samba] Cannot join server to Samba4 NT4 domain
On 28-04-2016 12:14, Rowland penny wrote:
> On 28/04/16 15:16, MI wrote:
>> I have a Samba 4 NT4 PDC (Version 4.1.17-Debian) with openLDAP.
>>
>> I would like to add another server, and have it authenticate users
>> against openLDAP. I thought I had to add the new server to the domain
>> with "net rpc join", but that seems to think I want to join an AD
>> domain, and fails:
>>
>> # net rpc join -U root%mypassword
>> No realm has been specified! Do you really want to join an Active
>> Directory server?
>> Failed to join domain: failed to lookup DC info for domain
>> 'MYDOMAIN' over rpc: This error indicates that the requested
>> operation cannot be completed due to a catastrophic media failure
>> or an on-disk data structure corruption.
>>
>
> I did something similar last week in a test domain and had a similar
> problem, I got it to work by using 'administrator' instead of 'root'.
> It still complained about active directory, I think somebody changed
> 'net' without considering NT-4 style domains.

Sorry to say just "me too". Trying to join my Mint 17.3 Desktop (samba
2:4.3.9+dfsg-0ubuntu0.14.04.1) as a NT4-style domain member of an old 3.4
samba PDC (2:3.4.7~dfsg-1ubuntu3.15) I get this:

mic-158 samba # net rpc join -S pdc -U administrador
No realm has been specified! Do you really want to join an Active Directory server?
Enter administrador's password:
smb_signing_good: BAD SIG: seq 1
Failed to join domain: failed to lookup DC info for domain 'DOM' over rpc: Access denied
mic-158 samba #

Log from server:

[2016/05/04 14:51:15, 2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/05/04 14:51:15, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 5144
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation MIC-158$: no account in domain
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation MIC-158$: no account in domain
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED

Frozen hell: no problem to add Windows XP, 7, 8.x, 10 machines to domain.
Just another samba. Found any workaround?

Tks, best regards.

-- 
*Marcio Merlone*
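An added example, not from the thread: a small parser for the classic two-line Samba log format quoted above that reports which machine accounts failed netlogon authentication on the PDC and whether the PDC said the account does not exist (the join then fails before any password check). The log lines in the block are constructed from the excerpt above; MIC-158$ is the hostname reported there.

```python
import re

# Classic Samba log header, e.g. "[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)";
# the message itself follows on the next (indented) line.
HEADER = re.compile(r"^\[(?P<ts>[^\]]+?),\s*(?P<level>\d+)\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$")
NO_ACCOUNT = re.compile(r"Workstation (?P<acct>\S+\$): no account in domain")
AUTH_FAIL = re.compile(r"failed to get machine password for account (?P<acct>\S+\$): (?P<status>NT_STATUS_\w+)")


def parse_samba_log(text):
    """Pair each header line with the message line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = HEADER.match(stripped)
        if m:
            pending = m
        elif pending is not None:
            records.append({"ts": pending["ts"], "level": int(pending["level"]),
                            "func": pending["func"], "msg": stripped})
            pending = None
    return records


def netlogon_failures(text):
    """Map each machine account (name ending in $) that failed netlogon auth to what the PDC logged."""
    out = {}
    for rec in parse_samba_log(text):
        for pattern, key in ((NO_ACCOUNT, "no_account"), (AUTH_FAIL, "status")):
            m = pattern.search(rec["msg"])
            if m:
                entry = out.setdefault(m["acct"], {"no_account": False, "status": None})
                entry[key] = True if key == "no_account" else m["status"]
    return out


# Constructed sample, taken from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
[2016/05/04 14:51:15, 2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation MIC-158$: no account in domain
[2016/05/04 14:51:15, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account MIC-158$: NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for acct, info in netlogon_failures(SAMPLE_LOG).items():
        why = "no machine account in the domain" if info["no_account"] else "unknown cause"
        print(f"{acct}: {info['status']} ({why})")
```

A "no account in domain" result means the machine account was never created in the passdb (here: LDAP under the machine suffix), which is the first thing to verify before suspecting signing or the net tool.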
In case it helps someone, the only way I found to add this server and have it
use LDAP for authentication was with a weird hack which I found here:

http://lapsz.eu/blog/2013/09/04/standalone-samba-server-with-ldap-authentication/

Basically, I changed the sambaSID of that other server in the LDAP entry it had
created under "dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan" to be the
domain SID.

That now works, and users can authenticate, but I have a duplicate SID, which
doesn't seem right. That server's config is now (excerpts):

# testparm -s
...
Server role: ROLE_STANDALONE
[global]
     workgroup = MYDOMAIN
     map to guest = Bad User
     password server = myPDC.mydomain.lan
     passdb backend = ldapsam:"ldap://ldap.mydomain.lan ldap://ldap2.mydomain.lan"
     preferred master = No
     local master = No
     domain master = No
     dns proxy = No
     wins server = 192.168.44.10
     ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
     ldap group suffix = ou=Groups
     ldap idmap suffix = ou=idmap
     ldap machine suffix = ou=Computers
     ldap suffix = dc=mydomain,dc=lan
     ldap ssl = no
     ldap user suffix = ou=People
     idmap config * : backend = tdb
....

My previous tests with "server role = member server", or "netbios backup domain
controller" or "classic backup domain controller" and "security = domain" and
"net rpc JOIN" all failed. "net rpc info" would tell me "Connection failed:
NT_STATUS_INTERNAL_DB_CORRUPTION" (when using the right user/password. With a
wrong user/password, the error was different.)

Anyway, while it sort-of-works now, I have a strong feeling that this is not
quite right, and I really should upgrade to AD. I avoided it until now because
I saw only unneeded added complexity, and no benefit (for a single small
network). But maybe it's unavoidable...
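An added example, not from the thread: a check for the duplicate-SID situation described above, run over an LDIF dump of the sambaDomain entries. It assumes the dump came from something like ldapsearch against the ldap suffix; the sample LDIF, its domain names and its SIDs are constructed placeholders.

```python
from collections import defaultdict


def parse_ldif(text):
    """Return a list of entries; each entry maps an attribute name to its list of values."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:   # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.lstrip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def duplicate_domain_sids(text):
    """Map each sambaSID shared by more than one sambaDomainName entry to those domain names."""
    by_sid = defaultdict(list)
    for e in parse_ldif(text):
        if "sambaDomainName" in e and "sambaSID" in e:
            by_sid[e["sambaSID"][0]].append(e["sambaDomainName"][0])
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


# Constructed sample: the PDC's domain entry, a file server whose entry was
# rewritten to the domain SID (the hack above), and a third box with its own SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: FILESERVER
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: sambaDomainName=OTHERBOX,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: OTHERBOX
sambaSID: S-1-5-21-444444444-555555555-666666666
"""

if __name__ == "__main__":
    for sid, names in duplicate_domain_sids(SAMPLE_LDIF).items():
        print(f"duplicate SID {sid} shared by: {', '.join(names)}")
```

Two sambaDomain entries with the same SID means two hosts will mint overlapping user and group SIDs, so this check is worth keeping in a periodic audit of the directory.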