Hernan Saltiel
2016-Jun-10  04:37 UTC
[Samba] Mixed Samba 3 & 4 Versions - Issue joining Samba 3 domain with a Samba 4 client
Hello, everybody.
     I'm trying to use a Debian 8.5.0 client machine (with hostname 
PCSCD850, 10.100.109.5 is its IP) joining an old Samba 3.6.23 tdbsam 
based PDC (hostname DSSC01, SCDOM is the NetBIOS domain name, 10.200.0.5 
its IP).
     The machine was added to the PDC using useradd (unix) and smbpasswd
-a -m (samba). Because there is a group used for the machines ("puestos",
in Spanish, for the unix group, and "Puestos" for the Samba group), the
commands used to add that machine were:
useradd -g puestos -d /home/PCSCD850$ -m -c "PCSCD850" -s /bin/false PCSCD850$
smbpasswd -a -m PCSCD850$
net rpc user setprimarygroup PCSCD850$ "Puestos"
     Debian 8.5.0 installs Samba 4, installed with:
apt-get install winbind samba libpam-winbind
     After installation, my /etc/samba/smb.conf was modified to have this:
[global]
    workgroup = SCDOM
    server string = %h server
    wins server = 10.200.0.5
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = domain
    netbios name = PCSC1999
    password server = 10.200.0.5
    winbind use default domain = yes
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
    domain master = no
    idmap uid = 10000000-19999999
    idmap gid = 10000000-19999999
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind enum groups = yes
    winbind enum users = yes
[homes]
    comment = Home Directories
    browseable = no
    read only = yes
    create mask = 0700
    directory mask = 0700
    valid users = %S
[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
     On that machine, I create the directory to host the homedirs:
mkdir /home/SCDOM
     Then I modified /etc/nsswitch.conf to have this:
passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
     Then I modified /etc/pam.d/common-account to have *ONLY* the next
two lines:
account sufficient pam_winbind.so
account required pam_unix.so
     /etc/pam.d/common-auth has *ONLY* this:
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
     In /etc/pam.d/common-password I modified the next line to have this:
password [success=2 default=ignore] pam_unix.so obscure sha512 min=4 max=50
     Finally, I modified /etc/pam.d/common-session to *ADD* the 
following line:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
     After rebooting PCSCD850, the client machine, I try to join the 
domain executing (as I did with previous Debian 6 distro):
net rpc join -U root
     And I receive a strange message, pointing to an access issue:
Unknown parameter encountered: "passwd backend"
Ignoring unknown parameter "passwd backend"
No realm has been specified! Do you really want to join an Active Directory server?
Enter root's password:
smb_signing_good: BAD SIG: seq 1
Failed to join domain: failed to lookup DC info for domain 'SCDOM' over rpc: Access denied
     This is what happens on the client side. On the server side, 
looking for the pcscd850.log file, I see this:
[2016/06/10 01:35:06.365031,  2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
   Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
[2016/06/10 01:35:06.366012,  2, effective(99, 99), real(0, 0)] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
   credentials check failed
[2016/06/10 01:35:06.366072,  0, effective(99, 99), real(0, 0)] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PCSCD850 machine account PCSCD850$
[2016/06/10 01:35:06.415496,  2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
   Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
[2016/06/10 01:35:09.179484,  2, effective(0, 0), real(0, 0)] auth/auth.c:320(check_ntlm_password)
   check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
[2016/06/10 01:35:09.180364,  1, effective(0, 0), real(0, 0)] smbd/session.c:86(session_claim)
   Re-using invalid record
[2016/06/10 01:35:09.185607,  2, effective(0, 0), real(0, 0)] smbd/utmp.c:439(sys_utmp_update)
   utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2016/06/10 01:35:09.211072,  2, effective(0, 0), real(0, 0)] smbd/utmp.c:439(sys_utmp_update)
   utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
     I googled a lot for this, but I'm only getting some information
about Windows clients, pointing to some registry changes.
     Does anybody have any clue or idea about what this issue is about,
and how I can join a Samba 3 domain when the client is a Samba 4
(4.2.10) one?
     Thanks a lot in advance for your attention.
     Best regards,
HeCSa.
Gaiseric Vandal
2016-Jun-10  13:29 UTC
[Samba] Mixed Samba 3 & 4 Versions - Issue joining Samba 3 domain with a Samba 4 client
Can you double check your samba version? If you are running Samba
4.4.2, 4.3.8 and 4.2.11 or later, your version has been patched for
BADLOCK, which means the client will not be compatible with an unpatched
3.x domain controller. You may need to roll back to a non-patched
version, i.e. previous to Samba 4.4.2, 4.3.8 and 4.2.11. (I had this on
several machines and despite various config changes could not make it
work.) The recommended solution is probably to patch or upgrade
the samba software on your domain controller.
You may also want to set
    client signing = No
    server signing = No
or
    signing = No
    server signing = No
and verify with "testparm -v | grep sign"
On 06/10/16 00:37, Hernan Saltiel wrote:
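As an added example (not code from the thread or from the Samba project), the two checks the reply asks for, in POSIX sh: classify a Samba version against the Badlock fix releases it names (4.4.2, 4.3.8, 4.2.11) and read the effective signing settings out of `testparm -v` output. The functions `badlock_patched` and `signing_value` and the sample testparm lines are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a Samba version by the
# Badlock fix releases the reply names (4.4.2, 4.3.8, 4.2.11) and read the
# effective signing settings out of `testparm -v` output.

# badlock_patched VERSION
#   exit 0: at or past the fixed release of its branch (or a newer branch)
#   exit 1: a 4.2/4.3/4.4 release older than the fix
#   exit 2: outside the branches the reply names (e.g. 3.6.23)
badlock_patched() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')    # drop "-Debian" suffixes
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    [ "$major" = 4 ] || return 2
    case "$minor" in
        4) fixed=2 ;;
        3) fixed=8 ;;
        2) fixed=11 ;;
        *) [ "$minor" -ge 5 ] && return 0; return 2 ;;
    esac
    [ "$patch" -ge "$fixed" ]
}

# signing_value PARAM   (reads `testparm -v` output on stdin)
#   prints the effective value of PARAM, e.g. "client signing" -> "default"
signing_value() {
    sed -n "s/^[[:space:]]*$1 = //p" | head -n 1
}

# Constructed sample of the relevant `testparm -v` lines (real output is
# tab-indented; only the signing parameters matter here).
SAMPLE_TESTPARM='    client signing = default
    server signing = default
    client use spnego = Yes'

# Stand-alone demo on the version quoted in the thread. On a real host use:
#   smbd --version                  (prints e.g. "Version 4.2.10-Debian")
#   testparm -v 2>/dev/null | signing_value 'client signing'
if badlock_patched "4.2.10-Debian"; then
    echo "4.2.10 carries the Badlock fixes"
else
    echo "4.2.10 predates the 4.2.11 Badlock fix"
fi
printf '%s\n' "$SAMPLE_TESTPARM" | signing_value 'client signing'
```

A client that reports "patched" against a 3.6.23 PDC is the mismatch the reply describes; the fix on the defender's side is bringing the domain controller up to a patched release rather than downgrading clients.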