Hi All,

I am having an issue with Samba joining an Active Directory domain.

When I run the 'net ads join -S mydomaincontrollerFQDN -U adminuser' command I get this error:

Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN.COM' over rpc: Logon failure

The credentials we entered are for sure correct, but if we look at our domain controller it counts it as a bad password. I see an event logged, 4625, with unknown username or bad password.

Samba version is 3.6.4 and Active Directory is running on both 2008 R2 and 2012 R2 OS (with DFL/FFL as 2008 R2). I have tried with both versions of domain controllers without any success.

I have also tried changing LmCompatibilityLevel on the domain controllers from 0 to 5, but the issue still persists. We initially thought this was because of the MS16-077 patch, but we uninstalled it from all our 2008 R2 domain controllers and the 2012 R2 domain didn't have this patch at all.

An example of our smb.conf file is here:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
netbios name = samba-server
server string = Samba Server
security = DOMAIN
password server = myDomainControllerName.mydomain.com
client ntlmv2 auth = yes
encrypt passwords = yes
max protocol = smb2
restrict anonymous = 1
log level = 2
username map = /etc/samba/smbusers
log file = /var/samba/log/log.%m
debug pid = Yes
debug uid = Yes
max xmit = 65535
name resolve order = host wins bcast lmhosts
max ttl = 5000
deadtime = 5
hostname lookups = Yes
os level = 20
local master = No
domain master = No
wins server = <ip address of WINS server>
host msdfs = No
idmap config * : range = 10000-200000
idmap config * : backend = tdb
map archive = No
map hidden = No
map system = No
case sensitive = Yes
read only = No
create mask = 0775
directory mask = 0775
hide dot files = No
oplocks = No
level2 oplocks = No
strict locking = Yes

Any help or pointers will be appreciated. Thanks in advance.

Thanks
On Mon, 31 Oct 2016 22:36:55 +0530
Pradeep Rawat via samba <samba at lists.samba.org> wrote:

> Hi All,
> 
> I am having an issue with Samba joining an Active Directory domain.
> 
> When I run the 'net ads join -S mydomaincontrollerFQDN -U adminuser'
> command I get this error:
> Failed to join domain: failed to lookup DC info for domain
> 'MYDOMAIN.COM' over rpc: Logon failure
> 
> The credentials we entered are for sure correct, but if we look at our
> domain controller it counts it as a bad password. I see an event
> logged, 4625, with unknown username or bad password.
> 
> Samba version is 3.6.4 and Active Directory is running on both 2008
> R2 and 2012 R2 OS (with DFL/FFL as 2008 R2). I have tried with both
> versions of domain controllers without any success.
> 
> I have also tried changing LmCompatibilityLevel on the domain controllers
> from 0 to 5, but the issue still persists. We initially thought this was
> because of the MS16-077 patch, but we uninstalled it from all our 2008 R2
> domain controllers and the 2012 R2 domain didn't have this patch at all.
> 
> An example of our smb.conf file is here:
> 
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
> netbios name = samba-server
> server string = Samba Server
> security = DOMAIN
> password server = myDomainControllerName.mydomain.com
> client ntlmv2 auth = yes
> encrypt passwords = yes
> max protocol = smb2
> restrict anonymous = 1
> log level = 2
> username map = /etc/samba/smbusers
> log file = /var/samba/log/log.%m
> debug pid = Yes
> debug uid = Yes
> max xmit = 65535
> name resolve order = host wins bcast lmhosts
> max ttl = 5000
> deadtime = 5
> hostname lookups = Yes
> os level = 20
> local master = No
> domain master = No
> wins server = <ip address of WINS server>
> host msdfs = No
> idmap config * : range = 10000-200000
> idmap config * : backend = tdb
> map archive = No
> map hidden = No
> map system = No
> case sensitive = Yes
> read only = No
> create mask = 0775
> directory mask = 0775
> hide dot files = No
> oplocks = No
> level2 oplocks = No
> strict locking = Yes
> 
> Any help or pointers will be appreciated. Thanks in advance.
> 
> 
> 
> Thanks

Try replacing 'security = DOMAIN' with 'security = ADS'

Rowland
On Mon, 31 Oct 2016 23:36:16 +0530
Pradeep Rawat <pradeeprawat85 at gmail.com> wrote:

> Tried that, same error.
> 
> Enter adminuser's password:
> Failed to join domain: failed to lookup DC info for domain
> 'MYDOMAIN.COM' over rpc: Logon failure
> 
> On Mon, Oct 31, 2016 at 11:25 PM, Rowland Penny <rpenny at samba.org>
> wrote:
> 
> > On Mon, 31 Oct 2016 22:36:55 +0530
> > Pradeep Rawat via samba <samba at lists.samba.org> wrote:
> > 
> > > Hi All,
> > > 
> > > I am having an issue with Samba joining an Active Directory
> > > domain.
> > > 
> > > When I run the 'net ads join -S mydomaincontrollerFQDN -U adminuser'
> > > command I get this error:
> > > Failed to join domain: failed to lookup DC info for domain
> > > 'MYDOMAIN.COM' over rpc: Logon failure
> > > 
> > > The credentials we entered are for sure correct, but if we look at our
> > > domain controller it counts it as a bad password. I see an event
> > > logged, 4625, with unknown username or bad password.
> > > 
> > > Samba version is 3.6.4 and Active Directory is running on both
> > > 2008 R2 and 2012 R2 OS (with DFL/FFL as 2008 R2). I have tried
> > > with both versions of domain controllers without any success.
> > > 
> > > I have also tried changing LmCompatibilityLevel on the domain
> > > controllers from 0 to 5, but the issue still persists. We initially
> > > thought this was because of the MS16-077 patch, but we uninstalled it
> > > from all our 2008 R2 domain controllers and the 2012 R2 domain didn't
> > > have this patch at all.
> > > 
> > > An example of our smb.conf file is here:
> > > 
> > > [global]
> > > workgroup = MYDOMAIN
> > > realm = MYDOMAIN.COM
> > > netbios name = samba-server
> > > server string = Samba Server
> > > security = DOMAIN
> > > password server = myDomainControllerName.mydomain.com
> > > client ntlmv2 auth = yes
> > > encrypt passwords = yes
> > > max protocol = smb2
> > > restrict anonymous = 1
> > > log level = 2
> > > username map = /etc/samba/smbusers
> > > log file = /var/samba/log/log.%m
> > > debug pid = Yes
> > > debug uid = Yes
> > > max xmit = 65535
> > > name resolve order = host wins bcast lmhosts
> > > max ttl = 5000
> > > deadtime = 5
> > > hostname lookups = Yes
> > > os level = 20
> > > local master = No
> > > domain master = No
> > > wins server = <ip address of WINS server>
> > > host msdfs = No
> > > idmap config * : range = 10000-200000
> > > idmap config * : backend = tdb
> > > map archive = No
> > > map hidden = No
> > > map system = No
> > > case sensitive = Yes
> > > read only = No
> > > create mask = 0775
> > > directory mask = 0775
> > > hide dot files = No
> > > oplocks = No
> > > level2 oplocks = No
> > > strict locking = Yes
> > > 
> > > Any help or pointers will be appreciated. Thanks in advance.
> > > 
> > > 
> > > 
> > > Thanks
> > 
> > Try replacing 'security = DOMAIN' with 'security = ADS'
> > 
> > Rowland
> > 
> 

OK, try this smb.conf:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
netbios name = samba-server
server string = Samba Server
security = ADS
restrict anonymous = 1
log level = 2
username map = /etc/samba/smbusers
log file = /var/samba/log/log.%m
max xmit = 65535
max ttl = 5000
deadtime = 5
os level = 20
local master = No
domain master = No
host msdfs = No
idmap config * : range = 2000-9999
idmap config * : backend = tdb
idmap config MYDOMAIN : range = 10000-200000
idmap config MYDOMAIN : backend = rid
map archive = No
map hidden = No
hide dot files = No
oplocks = No
level2 oplocks = No
strict locking = Yes

The 'username map' should only have a mapping from 'root' to 'Administrator'.

Your /etc/resolv.conf should use one of the DCs as its nameserver.

/etc/hosts should contain a line '127.0.0.1 localhost' and a line for the domain member, e.g.

127.0.0.1 localhost
192.168.0.4 samba-server.mydomain.com samba-server

If the domain member gets its IP address via DHCP, you don't need the last line. If there is a line that starts '127.0.1.1', remove it.

'hostname -s' should display 'samba-server'
'hostname -d' should display 'mydomain.com'

If everything is ok, try joining the machine to the domain:

net ads join -Uadministrator

Rowland
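The /etc/hosts, /etc/resolv.conf and hostname checks from the reply above, written as offline functions over file contents so they can be run against a copy of the member's files. This is an added example, not Samba code or anything posted in the thread; the file contents and addresses it uses are constructed.

```python
"""Offline versions of the pre-join checks: /etc/hosts, /etc/resolv.conf
and the FQDN behind 'hostname -s' / 'hostname -d'. Added example, not
Samba's code; sample file contents and addresses are constructed."""
import re

def parse_hosts(text):
    """Yield (ip, [names]) for each non-comment line of an /etc/hosts file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            yield ip, names

def check_hosts(hosts_text, fqdn, member_ip=None):
    """Apply the three /etc/hosts rules from the reply; return a list of problems."""
    entries = list(parse_hosts(hosts_text))
    short = fqdn.split(".", 1)[0]
    problems = []
    if not any(ip == "127.0.0.1" and "localhost" in names for ip, names in entries):
        problems.append("missing '127.0.0.1 localhost' line")
    if any(ip == "127.0.1.1" for ip, _ in entries):
        # a 127.0.1.1 line makes the member's own FQDN resolve to loopback
        problems.append("remove the 127.0.1.1 line")
    if member_ip is not None:  # static address: the member needs its own line
        own = [names for ip, names in entries if ip == member_ip]
        if not any(fqdn in names and short in names for names in own):
            problems.append(f"expected a line '{member_ip} {fqdn} {short}'")
    return problems

def check_resolv(resolv_text, ad_dns_servers):
    """The first nameserver must be a server holding the AD records (here, a DC)."""
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M)
    if not servers:
        return ["no nameserver configured"]
    if servers[0] not in ad_dns_servers:
        return [f"first nameserver {servers[0]} does not hold the AD records"]
    return []

def hostname_parts(fqdn):
    """What 'hostname -s' and 'hostname -d' print for a given FQDN; an
    unqualified name yields an empty domain, the symptom seen in the thread."""
    short, _, domain = fqdn.partition(".")
    return short, domain

# Constructed sample files for a statically addressed member.
GOOD_HOSTS = "127.0.0.1 localhost\n192.168.0.4 samba-server.mydomain.com samba-server\n"
BAD_HOSTS = "127.0.0.1 localhost\n127.0.1.1 samba-server.mydomain.com samba-server\n"
GOOD_RESOLV = "search mydomain.com\nnameserver 192.168.0.10\n"

if __name__ == "__main__":
    print(check_hosts(GOOD_HOSTS, "samba-server.mydomain.com", "192.168.0.4"))  # []
    print(check_hosts(BAD_HOSTS, "samba-server.mydomain.com", "192.168.0.4"))
    print(check_resolv(GOOD_RESOLV, {"192.168.0.10"}))  # []
    print(hostname_parts("samba-server.mydomain.com"))  # ('samba-server', 'mydomain.com')
```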
On Tue, 1 Nov 2016 01:45:24 +0530
Pradeep Rawat <pradeeprawat85 at gmail.com> wrote:

> I tried to use the smb.conf you mentioned but got the same error.
> We don't use Microsoft DNS (they just host underscore zones which
> then get transferred to *nix based DNS appliances), so is it required
> to have the DC IP entry in /etc/resolv.conf? However, I tried adding
> the DC IP as well but no luck.

Active Directory needs to use DNS to find the DCs etc., so whatever you use for DNS needs to hold all the Active Directory records, and your domain member needs to use whatever is holding the AD records as its nameserver.

> 
> Also, when I run hostname -s or hostname -d, nothing returns.

What OS are you running the domain member on?

Normally if you don't get anything from those commands you don't have a FQDN.

> 
> If I run *net ads info* I get this:
> LDAP server: <IP Address of domain controller>
> LDAP server name: myDC.mydomain.com
> Realm: MYDOMAIN.COM
> Bind Path: dc=MYDOMAIN,dc=COM
> LDAP port: 389
> Server time: Mon, 31 Oct 2016 16:04:43 EDT
> KDC server: <IP Address of domain controller>
> Server time offset: 0
> 
> I ran the net ads join command with -d 10 and see this at the end:
> 
> ----------------------------------------------------------------------------------------------------------------------
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> smb_signing_sign_pdu: sent SMB signature of
> [0000] 42 53 52 53 50 59 4C 20   BSRSPYL
> SPNEGO login failed: Logon failure
> failed session setup with NT_STATUS_LOGON_FAILURE
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : NULL
>             dns_domain_name          : NULL
>             forest_name              : NULL
>             dn                       : NULL
>             domain_sid               : NULL
>             domain_sid               : (NULL SID)
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to lookup DC info for
> domain 'MYDOMAIN.COM' over rpc: Logon failure'
>             domain_is_ad             : 0x00 (0)
>             result                   : WERR_LOGON_FAILURE
> Failed to join domain: failed to lookup DC info for domain
> 'MYDOMAIN.COM' over rpc: Logon failure
> return code = -1
> ----------------------------------------------------------------------------------------------------------------------
> 
> 

You appear to have DNS problems, I would double check everything, such as, can you ping the DC from the domain member with its hostname i.e.

ping -c1 myDC.mydomain.com

Rowland
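The -d 10 trace quoted above shows the session setup negotiating NTLMSSP inside SPNEGO and ending in NT_STATUS_LOGON_FAILURE, which is the failure the DC records as event 4625. The following added example (not Samba code, not from the thread) decodes the 'Got NTLMSSP neg_flags=0x...' value into the same flag names Samba prints and pulls the facts a defender wants out of such a trace; the flag bit values are those of MS-NLMP, and the sample log excerpt is constructed from the lines quoted in the thread.

```python
"""Decode NTLMSSP negotiate flags from a 'net ads join -d 10' trace and
summarise what the failed session setup attempted. Added example, not
Samba code; bit values follow MS-NLMP, named as Samba prints them."""
import re

# MS-NLMP NEGOTIATE flag bits (subset), named as Samba's debug output prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

def decode_neg_flags(value):
    """Return (names set in value, lowest bit first; bits not in the table)."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)
    return names, unknown

def triage_join_log(log_text):
    """Extract which mechanism the trace shows, what protections it asked
    for, and whether the DC rejected the logon (the 4625 counterpart)."""
    report = {"mechanism": None, "flags": [], "signing": False,
              "lm_key": False, "logon_failure": False}
    m = re.search(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)", log_text)
    if m:
        names, _ = decode_neg_flags(int(m.group(1), 16))
        report.update(mechanism="ntlmssp", flags=names,
                      signing="NTLMSSP_NEGOTIATE_SIGN" in names,
                      # LM_KEY set would mean the weak LM-derived session key was offered
                      lm_key="NTLMSSP_NEGOTIATE_LM_KEY" in names)
    report["logon_failure"] = "NT_STATUS_LOGON_FAILURE" in log_text
    return report

# Constructed excerpt, reduced to the lines that matter from the quoted trace.
SAMPLE_LOG = """NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    print(triage_join_log(SAMPLE_LOG))
```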
Still looking for some suggestions, recommendations or pointers on this issue. Kinda stuck with it. It was working well a couple of months back and suddenly stopped working. No known changes happened on either side except installing and then uninstalling the MS16-077 patch.

Thanks,
Pradeep

On Tuesday, November 1, 2016, Pradeep Rawat <pradeeprawat85 at gmail.com> wrote:

> We are running Solaris 10 on the domain member.
> ------------------------------------
> Oracle Solaris 10 8/11 s10x_u10wos_17b X86
> Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights
> reserved.
> Assembled 23 August 2011
> ------------------------------------
> 
> How do I ensure that I get a FQDN? The domain member has a static
> record in DNS and I can resolve it without any issues.
> 
> I am able to ping the domain controllers as well, and nslookup domainname on
> the Solaris domain member does return all IP addresses of our domain.
> I can telnet to the domain controller over ports 445 and 139 as well.
> 
> Are there any specific configurations related to the domain join process that
> I can look for, like krb5.conf? kinit works well too and I get a ticket
> issued to adminuser.
> 
> On Tue, Nov 1, 2016 at 1:59 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
>> On Tue, 1 Nov 2016 01:45:24 +0530
>> Pradeep Rawat <pradeeprawat85 at gmail.com> wrote:
>> 
>> > I tried to use the smb.conf you mentioned but got the same error.
>> > We don't use Microsoft DNS (they just host underscore zones which
>> > then get transferred to *nix based DNS appliances), so is it required
>> > to have the DC IP entry in /etc/resolv.conf? However, I tried adding
>> > the DC IP as well but no luck.
>> 
>> Active Directory needs to use DNS to find the DCs etc., so whatever you
>> use for DNS needs to hold all the Active Directory records, and your
>> domain member needs to use whatever is holding the AD records as its
>> nameserver.
>> 
>> > 
>> > Also, when I run hostname -s or hostname -d, nothing returns.
>> 
>> What OS are you running the domain member on?
>> 
>> Normally if you don't get anything from those commands you don't have a
>> FQDN.
>> 
>> > 
>> > If I run *net ads info* I get this:
>> > LDAP server: <IP Address of domain controller>
>> > LDAP server name: myDC.mydomain.com
>> > Realm: MYDOMAIN.COM
>> > Bind Path: dc=MYDOMAIN,dc=COM
>> > LDAP port: 389
>> > Server time: Mon, 31 Oct 2016 16:04:43 EDT
>> > KDC server: <IP Address of domain controller>
>> > Server time offset: 0
>> > 
>> > I ran the net ads join command with -d 10 and see this at the end:
>> > 
>> > ----------------------------------------------------------------------------------------------------------------------
>> > NTLMSSP Sign/Seal - Initialising with flags:
>> > Got NTLMSSP neg_flags=0x60088215
>> >   NTLMSSP_NEGOTIATE_UNICODE
>> >   NTLMSSP_REQUEST_TARGET
>> >   NTLMSSP_NEGOTIATE_SIGN
>> >   NTLMSSP_NEGOTIATE_NTLM
>> >   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>> >   NTLMSSP_NEGOTIATE_NTLM2
>> >   NTLMSSP_NEGOTIATE_128
>> >   NTLMSSP_NEGOTIATE_KEY_EXCH
>> > smb_signing_sign_pdu: sent SMB signature of
>> > [0000] 42 53 52 53 50 59 4C 20   BSRSPYL
>> > SPNEGO login failed: Logon failure
>> > failed session setup with NT_STATUS_LOGON_FAILURE
>> > libnet_Join:
>> >     libnet_JoinCtx: struct libnet_JoinCtx
>> >         out: struct libnet_JoinCtx
>> >             account_name             : NULL
>> >             netbios_domain_name      : NULL
>> >             dns_domain_name          : NULL
>> >             forest_name              : NULL
>> >             dn                       : NULL
>> >             domain_sid               : NULL
>> >             domain_sid               : (NULL SID)
>> >             modified_config          : 0x00 (0)
>> >             error_string             : 'failed to lookup DC info for
>> > domain 'MYDOMAIN.COM' over rpc: Logon failure'
>> >             domain_is_ad             : 0x00 (0)
>> >             result                   : WERR_LOGON_FAILURE
>> > Failed to join domain: failed to lookup DC info for domain
>> > 'MYDOMAIN.COM' over rpc: Logon failure
>> > return code = -1
>> > ----------------------------------------------------------------------------------------------------------------------
>> > 
>> > 
>> 
>> You appear to have DNS problems, I would double check everything, such
>> as, can you ping the DC from the domain member with its hostname i.e.
>> ping -c1 myDC.mydomain.com
>> 
>> Rowland
>> 
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> 
> 
> 
> 
> -- 
> Thanks,
> Pradeep Rawat
> 

-- 
Pradeep Rawat
Sent from Gmail Mobile
On 10/31/2016 1:06 PM, Pradeep Rawat via samba wrote:
> Hi All,
> 
> I am having an issue with Samba joining an Active Directory domain.
> 
> When I run the 'net ads join -S mydomaincontrollerFQDN -U adminuser' command I
> get this error:
> Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN.COM'
> over rpc: Logon failure
> 
> The credentials we entered are for sure correct, but if we look at our domain
> controller it counts it as a bad password. I see an event logged, 4625, with
> unknown username or bad password.
> 
> Samba version is 3.6.4 and Active Directory is running on both 2008 R2 and
> 2012 R2 OS (with DFL/FFL as 2008 R2). I have tried with both versions of
> domain controllers without any success.
> 
> I have also tried changing LmCompatibilityLevel on the domain controllers from
> 0 to 5, but the issue still persists. We initially thought this was because
> of the MS16-077 patch, but we uninstalled it from all our 2008 R2 domain
> controllers and the 2012 R2 domain didn't have this patch at all.
> 
> An example of our smb.conf file is here:
> 
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
> netbios name = samba-server
> server string = Samba Server
> security = DOMAIN
> password server = myDomainControllerName.mydomain.com
> client ntlmv2 auth = yes
> encrypt passwords = yes
> max protocol = smb2
> restrict anonymous = 1
> log level = 2
> username map = /etc/samba/smbusers
> log file = /var/samba/log/log.%m
> debug pid = Yes
> debug uid = Yes
> max xmit = 65535
> name resolve order = host wins bcast lmhosts
> max ttl = 5000
> deadtime = 5
> hostname lookups = Yes
> os level = 20
> local master = No
> domain master = No
> wins server = <ip address of WINS server>
> host msdfs = No
> idmap config * : range = 10000-200000
> idmap config * : backend = tdb
> map archive = No
> map hidden = No
> map system = No
> case sensitive = Yes
> read only = No
> create mask = 0775
> directory mask = 0775
> hide dot files = No
> oplocks = No
> level2 oplocks = No
> strict locking = Yes
> 
> Any help or pointers will be appreciated. Thanks in advance.
> 
> 
> 
> Thanks

Shouldn't the parameter 'security = DOMAIN' be 'security = ADS'? I thought DOMAIN was for authenticating against an NT domain and ADS was for Active Directory?

-- 
- James