Hi

I actually have trouble joining a samba4 machine into an old samba3 domain. I know, I know, most of you will yell reading this, but I have to deal with a customer's very old environment :) They're thinking about migrating fully to samba4, but it will take some time, so for now let's focus on the situation we have.

Configuration:
- Samba3 PDC: 3.5.18-28
- Samba4 client: Debian 8.7 (samba 4.2.14)

Here is the samba4 smb.conf:

[global]
# OPTIONS TO JOIN SAMBA3 NT DOMAIN
max protocol = NT1
client ipc signing = No
client signing = No
server signing = No
####

panic action = /usr/share/samba/panic-action %d
workgroup = MYDOMAIN
netbios name = MYSERVER
admin users= @"Domain Admins"
name resolve order = wins lmhosts hosts bcast
wide links = Yes
follow symlinks = Yes

remote announce = 192.168.255.255/MYDOMAIN
remote browse sync = 192.168.255.255
interfaces = 192.168.X.X/255.255.254.0
bind interfaces only = no
unix charset = CP850
server string = FileserverMYSERVER
security = DOMAIN
encrypt passwords = true

log level = 1
syslog = 0
log file = /var/log/samba/%m.log
max log size = 100000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2

domain logons = No
os level = 99
preferred master = No
domain master = No
wins server = X.X.X.X
idmap backend = nss
passdb backend = ldapsam:ldap://ds.domain.com:389/
ldap admin dn = cn=Directory Manager,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap ssl = No

winbind cache time = 5
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

Here is what I get when trying to join the domain:

net rpc join -Uadministrateur
No realm has been specified! Do you really want to join an Active Directory server?
Enter administrateur's password:
No realm has been specified! Do you really want to join an Active Directory server?
User root with invalid SID S-1-5-21-2287936477-1870703456-424640392-1001 in passdb
Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error NT_STATUS_RPC_PROTOCOL_ERROR
libnet_join_ok: failed to open schannel session on netlogon pipe to server PDC for domain MYDOMAIN. Error was NT_STATUS_RPC_PROTOCOL_ERROR
Failed to join domain: failed to verify domain membership after joining: An RPC protocol error occurred.

The fact is that I succeed in getting domain info:

net rpc info -Uadministrateur
Enter administrateur's password:
Domain Name: MYDOMAIN
Domain SID: S-1-5-21-2143421583-854681893-XXXXXXXXXX
Sequence number: 1558533247
Num users: 2479
Num domain groups: 276
Num local groups: 0

I don't know how to deal with this problem (first time I see that..)

Thanks for your help
L.P.H. van Belle
2019-May-22 14:19 UTC
[Samba] Samba4 machine fails to join in samba3 domain
Hi Julien,

My advice: set up a new AD-DC and configure it. Make sure you use the same users/passwords in the new AD. Then in GPO, make the mapping to the old server, using OLDOMAIN\%username%. That works if you keep the login names and passwords the same. Now you can log in on AD and use the old server.

Because joining that samba4 into samba3, well, this will give more problems than you want, really. And that is something I'm not spending (wasting) time on, and neither should you. There are really too many changes in Windows, Samba etc. to even try to support it.

I have 0 problem with helping set up a new AD-DOM. But this is all so outdated. It's asking for more problems.

If someone else wants to help and try it, fine, but not me.

Really sorry.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Julien TEHERY via samba
> Sent: Wednesday, 22 May 2019 16:03
> To: samba at lists.samba.org
> Subject: [Samba] Samba4 machine fails to join in samba3 domain
>
> Hi
>
> I actually have troubles to join a samba4 machine into an old
> samba3 domain.
On 22/05/2019 15:02, Julien TEHERY via samba wrote:
> Hi
>
> I actually have troubles to join a samba4 machine into an old samba3
> domain.

Louis is right, you should upgrade, but, in the meantime, try adding 'ntlm auth = yes' to your smb.conf, see if that helps.

Also try running the following commands:

net getlocalsid

net getdomainsid

Rowland
> Louis is right, you should upgrade, but, in the meantime, try adding
> 'ntlm auth = yes' to your smb.conf, see if that helps.
>
> Also try running the following commands:
>
> net getlocalsid
>
> net getdomainsid
>
> Rowland

Yes, they should upgrade, I totally agree. I've already migrated a samba3 domain to a samba4 domain, but in this case the samba4 one is only a fileserver that was joined to a Microsoft/AD domain. People from the samba3 domain used to access their homes on it through a bidirectional trust between the Microsoft domain and the samba3 domain. Now they have to break this trust to upgrade their forest functional level. That's why we try to integrate this samba4 fileserver into the old samba3 domain, so that users can still have access to their homes.

I tried with the ntlm_auth option without success.

I won't bother you with samba3 problems, but can somebody explain what root's SID has to do with the "net rpc join" command? To be precise, this SID does exist in the samba3 (target) domain and the SID is the same as shown in my first email.
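On the "invalid SID" question: Samba's passdb layer logs "User X with invalid SID Y in passdb" when the SID stored for an account does not sit directly under the SID the server treats as its own SAM SID, i.e. everything before the final RID must match. On a member server that reference SID is what `net getlocalsid` prints, which is why Rowland asks for it next to `net getdomainsid`. The two SIDs visible in this thread already disagree in their domain prefix: root's passdb entry is under S-1-5-21-2287936477-1870703456-424640392, while MYDOMAIN is S-1-5-21-2143421583-854681893-... The script below is an example added here, not code from the thread or from the Samba project: it extracts the passdb "invalid SID" lines from a log, splits each SID into domain prefix and RID, and reports which known SID (if any) the entry belongs to. The redacted last field of the MYDOMAIN SID, the local SAM SID of MYSERVER and the second log line are constructed for the example.

```python
"""Check the SIDs from "User X with invalid SID Y in passdb" log lines
against the SIDs a Samba member server knows about.

Added example; not code from the thread or from the Samba project.
"""
import re
from typing import Dict, List, Optional, Tuple

# Textual SID: S-1-<authority>(-<subauthority>)*
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")
# The passdb message quoted in the thread.
INVALID_SID_RE = re.compile(r"User (\S+) with invalid SID (S-1-[\d-]+) in passdb")


def normalize_sid(sid: str) -> str:
    """Return the SID stripped of whitespace, or raise if it is malformed."""
    sid = sid.strip()
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return sid


def split_rid(account_sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain SID, RID): the RID is the last field."""
    sid = normalize_sid(account_sid)
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def sid_in_domain(account_sid: str, domain_sid: str) -> bool:
    """True when account_sid is exactly <domain_sid>-<rid>."""
    prefix, _ = split_rid(account_sid)
    return prefix == normalize_sid(domain_sid)


def classify_sid(account_sid: str, known: Dict[str, str]) -> Optional[str]:
    """Name of the known SID that owns account_sid, or None if no prefix matches."""
    for name, domain_sid in known.items():
        if sid_in_domain(account_sid, domain_sid):
            return name
    return None


def find_invalid_sids(log_lines: List[str], known: Dict[str, str]
                      ) -> List[Tuple[str, str, int, Optional[str]]]:
    """Extract (user, sid, rid, owner) for every passdb 'invalid SID' line."""
    findings = []
    for line in log_lines:
        m = INVALID_SID_RE.search(line)
        if m:
            user, sid = m.group(1), m.group(2)
            _, rid = split_rid(sid)
            findings.append((user, sid, rid, classify_sid(sid, known)))
    return findings


# SIDs the member server would compare against.
KNOWN_SIDS = {
    # `net rpc info` in the thread prints S-1-5-21-2143421583-854681893-XXXXXXXXXX;
    # the redacted last field is replaced by a constructed value here.
    "MYDOMAIN (net getdomainsid)": "S-1-5-21-2143421583-854681893-1234567890",
    # Constructed stand-in for what `net getlocalsid` would print on MYSERVER.
    "MYSERVER (net getlocalsid)": "S-1-5-21-1111111111-2222222222-3333333333",
}

# Constructed sample log: the first line is the one from the thread, the
# second is a control entry whose SID does sit under the MYDOMAIN prefix.
LOG_LINES = [
    "User root with invalid SID S-1-5-21-2287936477-1870703456-424640392-1001 in passdb",
    "User jdoe with invalid SID S-1-5-21-2143421583-854681893-1234567890-1105 in passdb",
    "Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.",
]


def report(log_lines: List[str], known: Dict[str, str]) -> List[str]:
    """One human-readable verdict per flagged account."""
    lines = []
    for user, sid, rid, owner in find_invalid_sids(log_lines, known):
        prefix, _ = split_rid(sid)
        where = f"belongs to {owner}" if owner else "matches none of the known SIDs"
        lines.append(f"{user}: RID {rid} under {prefix} -> {where}")
    return lines


if __name__ == "__main__":
    for line in report(LOG_LINES, KNOWN_SIDS):
        print(line)
```

Run against the real server, replace the two constructed values in KNOWN_SIDS with the output of `net getlocalsid` and `net getdomainsid`, and feed it the smbd log from the failed join; an entry whose prefix matches neither is coming from a third SAM (here, most likely the directory the ldapsam backend points at), which is the condition the passdb warning describes.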