L.P.H. van Belle
2019-May-09 08:18 UTC
[Samba] debian 10: I can not integrate a linux machine into a Samba Ad
Hai,

I'm reposting this in the normal samba list, these are config errors, not software errors. Please continue there.

You're seeing these problems because you're mixing domain member and AD-DC settings in smb.conf.

The DC config by example.

workgroup = LENZSPITZE
realm = LENZSPITZE.CALAIS.FE
netbios name = NORDEND
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
template shell = /bin/bash
idmap_ldb:use rfc2307 = yes

I suggest you read these to start with.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
And
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Your member settings are also wrong, these are using obsolete settings.

The member config by example.

[global]
security = ADS
realm = LENZSPITZE.CALAIS.FE
workgroup = LENZSPITZE
netbios name = TESTBURGERS
idmap config LENZSPITZE : backend = rid
idmap config LENZSPITZE : schema_mode = rfc2307
idmap config LENZSPITZE : range = 10000-3999999
idmap config LENZSPITZE : unix_nss_info = yes
template homedir = /etudiants/%U
template shell = /bin/bash
winbind nss info = rfc2307
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes
winbind use default domain = yes
# user Administrator workaround, without it you are unable to set privileges
# not needed if you only run winbind
# Set on member and DC.
username map = /etc/samba/samba_usermapping
# For ACL support on member servers with shares
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Read through these howtos, these are optimized for Debian.
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-2.0-samba-minimal-ad.txt
That shows how to set up a DC, it's getting old and needs an update but it's still correct.
This shows the setup of an AD backend, not RID, the difference can be found in the wiki link above.

And for a member
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-3.2-samba-member-fileserver.txt

Greetz,

Louis

> -----Original message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org] On behalf of nathalie ramat via samba-technical
> Sent: Thursday, 9 May 2019 9:29
> To: samba-technical at lists.samba.org
> Subject: debian 10: I can not integrate a linux machine into a Samba Ad
>
> Hello
>
> I have an old version of samba which communicates with Windows 7 users and Debian Linux users. I have to integrate new machines under Windows 10.
>
> I am testing the samba version 4.9.5.
> I am using the packages of debian testing (debian 10) for a server and the user.
>
> I want to use samba as AD. I have generated my AD with the following command: samba-tool domain provision --use-rfc2307 --interactive
> Everything was generated correctly, apparently.
>
> But when I execute the command samba -i I have the following errors:
>
> /usr/sbin/smbd: pid_to_procid: messaging_dgm_get_unique failed: Aucun fichier ou dossier de ce type
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 16162 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: pid_to_procid: messaging_dgm_get_unique failed: Aucun fichier ou dossier de ce type
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 24980 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: pid_to_procid: messaging_dgm_get_unique failed: Aucun fichier ou dossier de ce type
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 16173 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> /usr/sbin/smbd: pid_to_procid: messaging_dgm_get_unique failed: Aucun fichier ou dossier de ce type
> /usr/sbin/smbd: send_all_fn: messaging_send_buf to 31019 failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
>
> Nevertheless, I can integrate my Windows machines (7 and 10) into my domain.
>
> But for my Linux machines - impossible.
>
> If I use the command net rpc join -S nordend.LENZSPITZE.CALAIS.FR -U administrator, the client waits and doesn't ask for the password.
>
> Or if I use net ads join -S nordend.LENZSPITZE.CALAIS.FR -U administrator, the Linux client asks for the password and waits for the answer of the server.
>
> In the logs of the server, I realized that it was trying to identify the machine via the Kerberos database.
>
> However, the machine could not generate a Kerberos ticket because I cannot join it to the domain.
>
> Kerberos: AS-REQ TESTBUGSTER$@LENZSPITZE.CALAIS.FR from ipv4:192.168.22.xxx:59861 for krbtgt/LENZSPITZE.CALAIS.FR at LENZSPITZE.CALAIS.FR
> Kerberos: UNKNOWN -- TESTBUGSTER$@LENZSPITZE.CALAIS.FR: no such entry found in hdb
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[TESTBUGSTER$@LENZSPITZE.CALAIS.FR] at [Fri, 26 Apr 2019 12:39:14.537545 CEST] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.168.22.xxx:59861] mapped to [(null)]\[(null)]. local host [NULL]
> {"timestamp": "2019-04-26T12:39:14.537598+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:192.168.22.xx:59861", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "TESTBUGSTER$@LENZSPITZE.CALAIS.FR", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 2589}}
>
> /usr/sbin/smbd: ldb_wrap open of secrets.ldb
> /usr/sbin/smbd: Got NTLMSSP neg_flags=0x62088215
> /usr/sbin/smbd: Got user=[TESTBUGSTER$] domain=[LENZSPITZE] workstation=[TESTBUGSTER] len1=24 len2=356
> /usr/sbin/smbd: auth_check_password_send: Checking password for unmapped user [LENZSPITZE]\[TESTBUGSTER$]@[TESTBUGSTER]
> /usr/sbin/smbd: auth_check_password_send: user is: [LENZSPITZE]\[TESTBUGSTER$]@[TESTBUGSTER]
> /usr/sbin/smbd: sam_search_user: Couldn't find user [TESTBUGSTER$] in samdb, under DC=lenzspitze,DC=calais,DC=fr
> /usr/sbin/smbd: auth_check_password_recv: sam authentication for user [LENZSPITZE\TESTBUGSTER$] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
> /usr/sbin/smbd: Auth: [SMB2,NTLMSSP] user [LENZSPITZE]\[TESTBUGSTER$] at [ven., 26 avril 2019 12:39:14.561942 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [TESTBUGSTER] remote host [ipv4:192.168.22.xxx:58998] mapped to [LENZSPITZE]\[TESTBUGSTER$]. local host [ipv4:192.168.22.xxx:445]
> /usr/sbin/smbd: {"timestamp": "2019-04-26T12:39:14.562671+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.22.xxx:445", "remoteAddress": "ipv4:192.168.22.xxx:58998", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "LENZSPITZE", "clientAccount": "TESTBUGSTER$", "workstation": "TESTBUGSTER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "TESTBUGSTER$", "mappedDomain": "LENZSPITZE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 11627}}
> /usr/sbin/smbd: gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER
>
> When I execute on the server: smbclient -L localhost -U administrator
>
> I get the following answer
>
> Sharename       Type      Comment
> ---------       ----      -------
> homes           Disk
> profiles        Disk
> print$          Disk      Printer Drivers
> IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
> Administrator   Disk      Home directory of LENZSPITZE/Administrator
> Reconnecting with SMB1 for workgroup listing.
>
> Server               Comment
> ---------            -------
> NORDEND              Samba 4.9.5-Debian
>
> Workgroup            Master
> ---------            -------
> LENZSPITZE
>
> I think the client and the server do not use the same communication protocols (net rpc --> SMB1/CIFS ?).
> How can I add my Linux machine to my AD?
>
> I configured smb.conf at my server:
>
> # global parameters
> [global]
> workgroup = LENZSPITZE
> realm = lenzspitze.calais.fr
> netbios name = NORDEND
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbindd, ntp_signd, kcc
> log level = 3
> log file = /var/log/samba/log.%m
> max log size = 1000
> template shell=/bin/bash
> idmap_ldb:use rfc2307 = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind separator = /
> idmap config *:backend = tdb
> idmap config *:range = 1000-19000
> host msdfs = no
> security = user
> name resolve order = host
> # ntlm auth = yes
> # raw NTLMV2 auth = yes
> # lanman auth =yes
> # vfs objects = acl_xattr
> map acl inherit = Yes
> # store dos attributes = Yes
>
> [netlogon]
> path = /var/lib/samba/var/locks/sysvol/lenzspitze.calais.fr/scripts
> read only = no
> browsable = no
>
> [sysvol]
> path= /var/lib/samba/var/locks/sysvol
> read only = no
> browsable = no
>
> [homes]
> path=/home/%G/%U
> read only = no
> writable = yes
>
> [profiles]
> path=/resultats/profiles
> read only = no
> writable =yes
>
> [printers]
> comment = All Printers
> browseable = no
> path = /var/spool/samba
> printable = yes
> guest ok = no
> read only = yes
> create mask = 0700
>
> # Windows clients look for this share name as a source of downloadable
> # printer drivers
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> browseable = yes
> read only = yes
> guest ok = no
>
> and my Linux user:
>
> [global]
> security = ads
> realm = lenzspitze.calais.fr
> workgroup = LENZSPITZE
> netbios name = testbugster
> winbind separator = /
> ntlm auth = yes
> idmap uid = 0-50000
> idmap gid = 0-50000
> winbind enum users = yes
> winbind enum groups = yes
> idmap config LENZSPITZE : backend = rid
> idmap config LENZSPITZE : base_rid = 0
> template homedir =/etudiants/%U
> template shell =/bin/bash
> encrypt passwords = yes
> winbind nss info = rfc2307
> kerberos method = secrets and keytab
> winbind use default domain = yes
> log file =/var/log/samba/log.%m
> log level = 3
>
> Thank you for your help
>
> Sincerely yours
>
> --
> Nathalie RAMAT-LECLERCQ
>
> Service Informatique
>
> Universite du Littoral-Côte d'Opale
> SCoSI - Service Commun du Système d'Information
> Pôle Systèmes et réseaux
>
> Centre de Gestion Universitaire de Calais
> 50 rue ferdinand Buisson
> C.S 80699
> 62228 CALAIS CEDEX
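An added example, not Samba's tooling and not code from either mail: a small linter that reads an smb.conf [global] section and reports the two mix-ups Louis points out above, member-style security/idmap settings on an AD DC, and obsolete idmap uid/gid plus a missing idmap range on a domain member. The parameter names it checks are assumptions drawn from this thread, and the sample configs are constructed, abridged from the ones quoted.

```python
# Added example (not Samba's or the mail's own code): lint smb.conf [global] for
# the DC/member mix-up in this thread. Checks are assumptions; testparm is authoritative.
import re

DC_ROLE = "active directory domain controller"
OBSOLETE_MEMBER = ("idmap uid", "idmap gid")  # replaced by "idmap config DOMAIN : ..."
# Constructed samples, abridged from the two configs quoted in this thread.
SAMPLE_DC = """[global]
server role = active directory domain controller
security = user
idmap config *:backend = tdb
idmap config *:range = 1000-19000
"""
SAMPLE_MEMBER = """[global]
security = ads
workgroup = LENZSPITZE
idmap uid = 0-50000
idmap gid = 0-50000
idmap config LENZSPITZE : backend = rid
idmap config LENZSPITZE : base_rid = 0
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; keys lower-cased, spaces around ':' dropped."""
    conf, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = conf.get(section, {})
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = line.split("=", 1)
            # "idmap config LENZSPITZE : range" -> "idmap config lenzspitze:range"
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
            conf[section][key] = value.strip()
    return conf

def lint(conf):
    """Return findings: member-style settings on a DC, obsolete/missing idmap on a member."""
    g = conf.get("global", {})
    role, security = g.get("server role", "").lower(), g.get("security", "").lower()
    findings = []
    if role == DC_ROLE:
        if security and security != "auto":
            findings.append(f"DC: 'security = {security}' is a member/standalone setting")
        findings += [f"DC: member-style '{k}'; the DC uses idmap_ldb" for k in g if k.startswith("idmap config")]
    elif security == "ads":
        findings += [f"member: '{k}' is obsolete" for k in OBSOLETE_MEMBER if k in g]
        dom = g.get("workgroup", "").lower()
        if f"idmap config {dom}:backend" in g and f"idmap config {dom}:range" not in g:
            findings.append(f"member: 'idmap config {dom.upper()} : range' is missing")
    return findings
```

lint(parse_smb_conf(SAMPLE_DC)) reports the security = user line and both idmap config * lines, while the member sample yields the two obsolete idmap parameters and the missing range.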