Hernan Saltiel
2016-Jun-10 04:37 UTC
[Samba] Mixed Samba 3 & 4 Versions - Issue joining Samba 3 domain with a Samba 4 client
Hello, everybody.

I'm trying to use a Debian 8.5.0 client machine (with hostname PCSCD850, 10.100.109.5 is its IP) to join an old Samba 3.6.23 tdbsam-based PDC (hostname DSSC01, SCDOM is the NetBIOS domain name, 10.200.0.5 its IP).

The machine was added to the PDC using useradd (unix) and smbpasswd -a -m (samba). Because there is a group used for the machines ("puestos", in Spanish, for the unix group, and "Puestos" for the Samba group), the commands used to add that machine were:

    useradd -g puestos -d /home/PCSCD850$ -m -c "PCSCD850" -s /bin/false PCSCD850$
    smbpasswd -a -m PCSCD850$
    net rpc user setprimarygroup PCSCD850$ "Puestos"

Debian 8.5.0 installs Samba 4, installed with:

    apt-get install winbind samba libpam-winbind

After installation, my /etc/samba/smb.conf was modified to have this:

    [global]
        workgroup = SCDOM
        server string = %h server
        wins server = 10.200.0.5
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        security = domain
        netbios name = PCSC1999
        password server = 10.200.0.5
        winbind use default domain = yes
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
        domain master = no
        idmap uid = 10000000-19999999
        idmap gid = 10000000-19999999
        template shell = /bin/bash
        template homedir = /home/%D/%U
        winbind enum groups = yes
        winbind enum users = yes

    [homes]
        comment = Home Directories
        browseable = no
        read only = yes
        create mask = 0700
        directory mask = 0700
        valid users = %S

    [printers]
        comment = All Printers
        browseable = no
        path = /var/spool/samba
        printable = yes
        guest ok = no
        read only = yes
        create mask = 0700

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        browseable = yes
        read only = yes
        guest ok = no

On that machine, I created the directory to host the homedirs:

    mkdir /home/SCDOM

Then I modified /etc/nsswitch.conf to have this:

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat winbind
    hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
    networks:       files
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    netgroup:       nis

Then I modified /etc/pam.d/common-account to have *ONLY* the next two lines:

    account sufficient pam_winbind.so
    account required pam_unix.so

/etc/pam.d/common-auth has *ONLY* this:

    auth sufficient pam_winbind.so
    auth required pam_unix.so nullok_secure use_first_pass

In /etc/pam.d/common-password I modified the next line to have this:

    password [success=2 default=ignore] pam_unix.so obscure sha512 min=4 max=50

Finally, I modified /etc/pam.d/common-session to *ADD* the following line:

    session required pam_mkhomedir.so umask=0022 skel=/etc/skel

After rebooting PCSCD850, the client machine, I try to join the domain by executing (as I did with the previous Debian 6 distro):

    net rpc join -U root

And I receive a strange message, pointing to an access issue:

    Unknown parameter encountered: "passwd backend"
    Ignoring unknown parameter "passwd backend"
    No realm has been specified! Do you really want to join an Active Directory server?
    Enter root's password:
    smb_signing_good: BAD SIG: seq 1
    Failed to join domain: failed to lookup DC info for domain 'SCDOM' over rpc: Access denied

This is what happens on the client side. On the server side, looking at the pcscd850.log file, I see this:

    [2016/06/10 01:35:06.365031, 2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
      Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
    [2016/06/10 01:35:06.366012, 2, effective(99, 99), real(0, 0)] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
      credentials check failed
    [2016/06/10 01:35:06.366072, 0, effective(99, 99), real(0, 0)] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PCSCD850 machine account PCSCD850$
    [2016/06/10 01:35:06.415496, 2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
      Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
    [2016/06/10 01:35:09.179484, 2, effective(0, 0), real(0, 0)] auth/auth.c:320(check_ntlm_password)
      check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
    [2016/06/10 01:35:09.180364, 1, effective(0, 0), real(0, 0)] smbd/session.c:86(session_claim)
      Re-using invalid record
    [2016/06/10 01:35:09.185607, 2, effective(0, 0), real(0, 0)] smbd/utmp.c:439(sys_utmp_update)
      utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
    [2016/06/10 01:35:09.211072, 2, effective(0, 0), real(0, 0)] smbd/utmp.c:439(sys_utmp_update)
      utmp_update: uname:/var/run/utmp wname:/var/log/wtmp

I googled a lot for this, but I'm only getting some information about Windows clients, pointing to some registry changes.

Does anybody have any clue or idea about what this issue is about, and how I can join a Samba 3 domain when the client is a Samba 4 (4.2.10) one?

Thanks a lot in advance for your attention.

Best regards,

HeCSa.
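The two log excerpts in the message above can be triaged mechanically, which helps separate a refused NETLOGON secure-channel handshake from an account or password problem. The shell script below is an added example, not part of Hernan's message or of Samba itself: it embeds the server-side and client-side lines quoted in the post as sample input and classifies them. The category names (secure-channel-rejected, smb-signing-mismatch and so on) are labels chosen for this example, not Samba terminology.

```shell
#!/bin/sh
# Added example, not part of the original post: triage the log signatures
# from a failed 'net rpc join' so the failure is attributed to the right layer.
#
# In the DC log quoted in the post, SAMR LookupDomain answered (domain and
# machine account were found) and the later NTLM logon for root succeeded,
# yet the NETLOGON secure-channel setup (_netr_ServerAuthenticate3) was
# rejected with "netlogon_creds_server_check failed". On the client the
# matching symptom is "smb_signing_good: BAD SIG". Together they point at the
# credential/signing handshake between client and DC rather than at the
# account lookup, which succeeded.

# Server-side lines copied from the pcscd850.log excerpt quoted in the post.
SAMPLE_PDC_LOG='[2016/06/10 01:35:06.365031, 2, effective(0, 0), real(0, 0)] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
  Returning domain sid for domain SCDOM -> S-1-5-21-394484452-176286797-1126986195
[2016/06/10 01:35:06.366012, 2, effective(99, 99), real(0, 0)] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
  credentials check failed
[2016/06/10 01:35:06.366072, 0, effective(99, 99), real(0, 0)] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PCSCD850 machine account PCSCD850$
[2016/06/10 01:35:09.179484, 2, effective(0, 0), real(0, 0)] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded'

# Client-side lines copied from the 'net rpc join -U root' output in the post.
SAMPLE_CLIENT_OUTPUT="No realm has been specified! Do you really want to join an Active Directory server?
Enter root's password:
smb_signing_good: BAD SIG: seq 1
Failed to join domain: failed to lookup DC info for domain 'SCDOM' over rpc: Access denied"

# Count NETLOGON secure-channel rejections in DC log text read from stdin.
# grep -c exits 1 when the count is 0, so '|| true' keeps 'set -e' scripts alive.
count_netlogon_rejections() {
    grep -c 'netlogon_creds_server_check failed' || true
}

# List the machine accounts the DC rejected, one per line, de-duplicated.
rejected_machine_accounts() {
    sed -n 's/.*Rejecting auth request from client [^ ]* machine account \([^ ]*\$\).*/\1/p' | sort -u
}

# Classify DC log text from stdin:
#   secure-channel-rejected  NETLOGON handshake refused (the case in the post)
#   no-netlogon-failure      nothing matching that signature
classify_pdc_log() {
    if grep -q 'netlogon_creds_server_check failed'; then
        echo secure-channel-rejected
    else
        echo no-netlogon-failure
    fi
}

# Classify client-side 'net rpc join' output from stdin:
#   smb-signing-mismatch  SMB signature check failed before the RPC completed
#   join-failed-other     join failed without a visible signing error
#   no-error-seen         no failure line present
classify_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'smb_signing_good: BAD SIG'; then
        echo smb-signing-mismatch
    elif printf '%s\n' "$out" | grep -q 'Failed to join domain'; then
        echo join-failed-other
    else
        echo no-error-seen
    fi
}

# Run the triage against the embedded samples.
printf 'DC log     : %s\n' "$(printf '%s\n' "$SAMPLE_PDC_LOG" | classify_pdc_log)"
printf 'rejections : %s\n' "$(printf '%s\n' "$SAMPLE_PDC_LOG" | count_netlogon_rejections)"
printf 'accounts   : %s\n' "$(printf '%s\n' "$SAMPLE_PDC_LOG" | rejected_machine_accounts)"
printf 'client     : %s\n' "$(printf '%s\n' "$SAMPLE_CLIENT_OUTPUT" | classify_client_output)"
```

On a live system the same functions can read `log.<client>` from the DC and the captured `net rpc join` output with `classify_pdc_log < /var/log/samba/log.pcscd850`; a secure-channel-rejected result paired with a successful NTLM logon for the joining user is the pattern to look for before suspecting the machine account itself.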
Gaiseric Vandal
2016-Jun-10 13:29 UTC
[Samba] Mixed Samba 3 & 4 Versions - Issue joining Samba 3 domain with a Samba 4 client
Can you double check your samba version? If you are running Samba 4.4.2, 4.3.8 and 4.2.11 or later, your version has been patched for BADLOCK, which means the client will not be compatible with an unpatched 3.x domain controller. You may need to roll back to a non-patched version, i.e. previous to Samba 4.4.2, 4.3.8 and 4.2.11. (I had this on several machines and despite various config changes could not make it work.)

The recommended solution is probably to patch or upgrade the samba software on your domain controller.

You may also want to set

    client signing = No
    server signing = No

or

    signing = No
    server signing = No

and verify with "testparm -v | grep sign"

On 06/10/16 00:37, Hernan Saltiel wrote:
> Hello, everybody.
>
> I'm trying to use a Debian 8.5.0 client machine (with hostname
> PCSCD850, 10.100.109.5 is its IP) joining an old Samba 3.6.23 tdbsam
> based PDC (hostname DSSC01, SCDOM is the NetBIOS domain name,
> 10.200.0.5 its IP).
>
> The machine was added to the PDC using useradd (unix) and
> smbpasswd -a -m (samba).
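The reply above gives three concrete things to check: the client's exact version against the Badlock fix thresholds (4.4.2, 4.3.8, 4.2.11 or later), whether the DC is an unpatched 3.x release, and the effective signing settings from `testparm -v`. The shell script below is an added example, written for this thread and not taken from the reply or from the Samba project: it encodes those thresholds, compares a client/DC pair, and reads the signing values out of testparm output. The sample version and testparm lines are constructed to resemble what `smbd --version` and `testparm -v | grep sign` print; they were not captured from the poster's machines. Treating every branch newer than 4.4 as fixed is an assumption that follows from the thresholds, not a statement made in the thread.

```shell
#!/bin/sh
# Added example, not from the reply or from Samba: encode the Badlock fix
# thresholds the reply gives (4.4.2, 4.3.8, 4.2.11 or later), check a
# client/DC version pair, and read signing settings out of 'testparm -v'.

# Constructed sample output (not captured from the poster's machines).
SAMPLE_SMBD_VERSION='Version 4.2.10-Debian'
SAMPLE_TESTPARM_SIGN='    client signing = default
    server signing = default'

# Extract "major.minor.patch" from a version string; print nothing if absent.
samba_version_triplet() {
    printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# "yes" if the version carries the Badlock fixes per the reply's thresholds,
# "no" if it predates them (this covers every 3.x release), "unknown" if no
# x.y.z version could be parsed. Branches newer than 4.4 are assumed fixed.
has_badlock_fix() {
    ver=$(samba_version_triplet "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        4.2) threshold=11 ;;
        4.3) threshold=8 ;;
        4.4) threshold=2 ;;
        *)
            # Newer than 4.4: released after the fix. Older than 4.2: never fixed.
            if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 4 ]; }; then
                echo yes
            else
                echo no
            fi
            return 0
            ;;
    esac
    if [ "$patch" -ge "$threshold" ]; then
        echo yes
    else
        echo no
    fi
}

# The pairing the reply describes as failing: a client with the fixes against
# a DC without them. Arguments: client version string, DC version string.
join_compat() {
    client=$(has_badlock_fix "$1")
    dc=$(has_badlock_fix "$2")
    if [ "$client" = yes ] && [ "$dc" = no ]; then
        echo mismatch-expected
    elif [ "$client" = unknown ] || [ "$dc" = unknown ]; then
        echo unknown
    else
        echo no-known-mismatch
    fi
}

# Print the value of "<name> signing" (e.g. client, server) from testparm
# output read on stdin; nothing is printed if the parameter is absent.
signing_setting() {
    sed -n "s/^[[:space:]]*$1 signing[[:space:]]*=[[:space:]]*//p"
}

# Run the checks against the embedded samples and the 3.6.23 DC from the thread.
printf 'client version   : %s (badlock fix: %s)\n' "$SAMPLE_SMBD_VERSION" "$(has_badlock_fix "$SAMPLE_SMBD_VERSION")"
printf 'join with 3.6.23 : %s\n' "$(join_compat "$SAMPLE_SMBD_VERSION" 3.6.23)"
printf 'client signing   : %s\n' "$(printf '%s\n' "$SAMPLE_TESTPARM_SIGN" | signing_setting client)"
printf 'server signing   : %s\n' "$(printf '%s\n' "$SAMPLE_TESTPARM_SIGN" | signing_setting server)"
```

In practice the inputs come from `has_badlock_fix "$(smbd --version)"` on the client and on the DC, and from `testparm -v | signing_setting client`. Of the two remedies in the reply, upgrading the DC keeps the integrity protection that the Badlock fixes enforce; setting `client signing = No` and `server signing = No` makes the join possible by switching that protection off on the link between client and DC, so it is the fallback rather than the fix.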