samba - Sep 2018 - samba4.8.x machine account authentication using NetJoinDomain faled

Hi all,
I tried samba 4.8.3, 4.8.4 and 4.8.5 to build a domain. In the domain I firstly
create a machine acconut and set it's password. Then I get a computer that
own this machine account's name. I use the mechod NetJoinDomain to get this
computer authencated to the domain. It failed with returncode 1326.
Besides, all the process above is avaliable in samba 4.5.16. So does any default
setting change from 4.5.x to 4.8.x? What can I do to make it work again? Hope
for help~
 
Here’s the smb.conf. I’ve tried to add  winbind offline logon = yes in the
global section, but doesn’t work either.
[global]
        bind interfaces only = Yes
        interfaces = 8.22.127.121 127.0.0.1
        log file = /var/FusionAccess/LiteAD/log.samba
        log level = 2
        max log size = 15000
        netbios name = SUSE-2
        realm = 0904.HUAWEI.COM
        server role = active directory domain controller
        workgroup = 0904
        'idmap_ldb:use rfc2307  = yes'
 
        ldap server require strong auth = no
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
 
[netlogon]
        path = /var/lib/samba/sysvol/0904.huawei.com/scripts
        read only = No
        reject md5 clients = yes
 
[sysvol]
       path = /var/lib/samba/sysvol
        read only = No
 
 
In my program, I use the following command to get authenticated with the domain.
But the ret is 1326.
 
ret = NetJoinDomain(server, domain, OU, account, password,
(JoinOptions.NETSETUP_JOIN_DOMAIN | JoinOptions.NETSETUP_JOIN_UNSECURE
|JoinOptions.NETSETUP_DOMAIN_JOIN_IF_JOINED |
JoinOptions.NETSETUP_MACHINE_PWD_PASSED));
 
 
Here’s the log in log.samba:
[2018/09/13 11:20:18.975729,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [0904\LC001$] FAILED
with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/13 11:20:18.975922,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [0904]\[LC001$] at [Thu, 13 Sep 2018 11:20:18.975877
CST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [LC001] remote
host [ipv4:8.22.127.165:49158] mapped to [0904]\[LC001$]. local host
[ipv4:8.22.127.120:445]
[2018/09/13 11:20:21.903399,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [0904\N] FAILED with
error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/09/13 11:20:21.903624,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [LDAP,NTLMSSP] user [0904]\[N] at [Thu, 13 Sep 2018 11:20:21.903563 CST]
with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [SUSE-1] remote host
[ipv4:127.0.0.1:54318] mapped to [0904]\[N]. local host [ipv4:127.0.0.1:389]
[2018/09/13 11:20:23.243049,  2]
../source4/dsdb/repl/replicated_objects.c:1021(dsdb_replicated_objects_commit)
  Replicated 1 objects (0 linked attributes) for DC=0904,DC=huawei,DC=com
[2018/09/13 11:20:23.943577,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [0904\LC001$] FAILED
with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/13 11:20:23.943813,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [0904]\[LC001$] at [Thu, 13 Sep 2018 11:20:23.943754
CST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [LC001] remote
host [ipv4:8.22.127.165:49184] mapped to [0904]\[LC001$]. local host
[ipv4:8.22.127.120:445]
[2018/09/13 11:20:24.501393,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [0904\LC001$] FAILED
with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/13 11:20:24.501715,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [0904]\[LC001$] at [Thu, 13 Sep 2018 11:20:24.501653
CST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [LC001] remote
host [ipv4:8.22.127.165:49187] mapped to [0904]\[LC001$]. local host
[ipv4:8.22.127.120:445]
[2018/09/13 11:20:26.546651,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [0904\LC001$] FAILED
with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/13 11:20:26.546928,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [LDAP,NTLMSSP] user [0904]\[LC001$] at [Thu, 13 Sep 2018 11:20:26.546877
CST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [LC001] remote
host [ipv4:8.22.127.165:49217] mapped to [0904]\[LC001$]. local host
[ipv4:8.22.127.120:389]
[2018/09/13 11:20:27.568714,  2]
../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2018/09/13 11:20:27.569268,  2]
../source4/dns_server/dns_update.c:730(dns_update_allowed)
  Update not allowed for unsigned packet.
[2018/09/13 11:20:27.727230,  2]
../source4/dns_server/dns_update.c:773(dns_server_process_update)
  Got a dns update request.
[2018/09/13 11:20:27.727631,  2]
../source4/dns_server/dns_update.c:730(dns_update_allowed)
  Update not allowed for unsigned packet.
[2018/09/13 11:20:27.975980,  1]
../source4/dsdb/common/util.c:5357(dsdb_update_bad_pwd_count)
  Locked out user CN=LC001,CN=Computers,DC=0904,DC=huawei,DC=com after 5 wrong
passwords
[2018/09/13 11:20:28.023048,  2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [0904\LC001$] FAILED
with error NT_STATUS_WRONG_PASSWORD, authoritative=1

On Fri, 14 Sep 2018 15:07:07 +0800 (CST)
Ryan via samba <samba at lists.samba.org> wrote:
> Hi all,
> I tried samba 4.8.3, 4.8.4 and 4.8.5 to build a domain. In the domain
> I firstly create a machine acconut and set it's password. Then I get
> a computer that own this machine account's name. I use the mechod
> NetJoinDomain to get this computer authencated to the domain. It
> failed with returncode 1326. Besides, all the process above is
> avaliable in samba 4.5.16. So does any default setting change from
> 4.5.x to 4.8.x? What can I do to make it work again? Hope for help~
> Here’s the smb.conf. I’ve tried to add  winbind offline logon = yes
> in the global section, but doesn’t work either. [global] bind
> interfaces only = Yes interfaces = 8.22.127.121 127.0.0.1 log file
> = /var/FusionAccess/LiteAD/log.samba log level = 2 max log size > 15000
netbios name = SUSE-2 realm = 0904.HUAWEI.COM
>         server role = active directory domain controller
>         workgroup = 0904
>         'idmap_ldb:use rfc2307  = yes'
>  
Why are there single quotes around the line above ?

The big one though is, your workgroup name is illegal.

If you go here:

https://support.microsoft.com/en-gb/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

Under 'NetBIOS domain names'

You will find:

In Windows 2000 and in later versions of Windows, computers that are
members of an Active Directory domain cannot have names that are
composed completely of numbers. This restriction is because of DNS
restrictions. 

I think you may have been lucky that it worked previously, there has
recently been work to get this sort of thing to do what you need, try
again with 4.9.0, but lose the all numeric workgroup name ;-)

Rowland

Actually 0904.huawei.com is just one of my test domain. I also built domain
naned vds.huawei.com.  Same problem exsts. Besides, samba 4.5.16 doesn't
have this issue.
I still doubt that some setting changed, such as encrypt method permission...
After all, the log renainds password is wrong.Do you have any other clue?

>On Fri, 14 Sep 2018 15:07:07 +0800 (CST)
>Ryan via samba <samba at lists.samba.org> wrote:
>
>> Hi all,
>> I tried samba 4.8.3, 4.8.4 and 4.8.5 to build a domain. In the domain
>> I firstly create a machine acconut and set it's password. Then I
get
>> a computer that own this machine account's name. I use the mechod
>> NetJoinDomain to get this computer authencated to the domain. It
>> failed with returncode 1326. Besides, all the process above is
>> avaliable in samba 4.5.16. So does any default setting change from
>> 4.5.x to 4.8.x? What can I do to make it work again? Hope for help~
>> Here’s the smb.conf. I’ve tried to add  winbind offline logon = yes
>> in the global section, but doesn’t work either. [global] bind
>> interfaces only = Yes interfaces = 8.22.127.121 127.0.0.1 log file
>> = /var/FusionAccess/LiteAD/log.samba log level = 2 max log size
>> 15000 netbios name = SUSE-2 realm = 0904.HUAWEI.COM
>>         server role = active directory domain controller
>>         workgroup = 0904
>>         'idmap_ldb:use rfc2307  = yes'
>>  
>
>Why are there single quotes around the line above ?
>
>The big one though is, your workgroup name is illegal.
>
>If you go here:
>
>https://support.microsoft.com/en-gb/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>
>Under 'NetBIOS domain names'
>
>You will find:
>
>In Windows 2000 and in later versions of Windows, computers that are
>members of an Active Directory domain cannot have names that are
>composed completely of numbers. This restriction is because of DNS
>restrictions. 
>
>I think you may have been lucky that it worked previously, there has
>recently been work to get this sort of thing to do what you need, try
>again with 4.9.0, but lose the all numeric workgroup name ;-)
>
>Rowland
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba