Rowland penny
2021-Feb-23 19:51 UTC
[Samba] How do I join an Centos8 workstation to an NT4 domain?
On 23/02/2021 17:17, Nick via samba wrote:
>
>
> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>
>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>> Please don't ream me for using an NT4 domain, but that is the beast
>>> I am stuck with.
>>
>>
>> You might think you are stuck with it, but unless you plan to upgrade
>> to Samba AD, you might find you are stuck without it. NT4-style
>> domains are going away, in fact they were deprecated at 4.13.0
>>
>> It is your decision, but I felt that I should warn you.
>>
>>>
>>> I am trying to join a Centos 8 workstation to an NT4 domain and the
>>> only notes I have are not really applicable -
>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain.
>>> It references Ubuntu and its PAM configuration is irrelevant. In any
>>> case I believe the join is falling down before PAM even comes into
>>> play.
>>
>>
>> Ensure that all the Samba daemons are stopped, then try this
>> '[global]' section of the smb.conf:
>>
>> [global]
>>         domain master = No
>>         security = DOMAIN
>>         client min protocol = NT1
>>         template shell = /bin/bash
>>         winbind use default domain = Yes
>>         workgroup = HOME
>>         idmap config * : range = 3000-7999
>>         idmap config * : backend = tdb
>>         idmap config HOME : range = 10000000-19999999
>>         idmap config HOME : backend = rid
>>
>> Try the join again and if it joins, then start winbind followed by
>> smbd and nmbd.
>>
>> Rowland
>>
>>
>>
> I'm afraid it is the same problem:
>
> [root at proxmox106 ~]# net rpc join -U winadmin
> Enter winadmin's password:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
>
> I don't know if it is of interest but changing "client min protocol =
> NT1" to "client max protocol = NT1" gave:
>
> [root at proxmox106 ~]# net rpc join -U winadmin
> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
> Enter winadmin's password:
> Failed to join domain: failed to find DC for domain HOME - The object
> was not found.
>
> Has NT1/SMB1 been removed from this version of Samba and could that be
> a problem? The server was running with "server min protocol = SMB2"
> and I changed it to allow SMB1 when I changed the min protocol to max
> protocol.
>

No, SMBv1 (Samba calls it NT1) hasn't been removed, it will still be in
4.14.0 when it is shortly released, but who knows about 4.15.0 ?

It was turned off by default at 4.11.0? but is still available for use
by setting 'client min protocol = NT1' for connections to a server that
uses it and setting 'server min protocol = NT1' to make a server use it.
A Samba machine can be both a client and a server. There should be no
reason to set 'client max protocol' or 'server max protocol', they are
both set to SMBv3 and will negotiate the best protocol to use.

You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.

Rowland
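
Added example (not part of the original messages and not Samba's own code): a small audit of the min/max protocol settings discussed above, showing why 'client max protocol = NT1' alone produced the lp_load_ex warning and flagging where SMB1 (NT1) has been re-enabled so it can be tracked and later removed. The dialect ordering and the defaults are assumptions based on smb.conf(5) for Samba 4.11 and later; the function names and the two sample configurations are constructed for illustration.

```python
# Added example, not Samba code. Dialect order and defaults are assumptions
# based on smb.conf(5) for Samba 4.11 and later.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
DEFAULTS = {"client min protocol": "SMB2_02", "client max protocol": "SMB3_11",
            "server min protocol": "SMB2_02", "server max protocol": "SMB3_11"}

# Constructed samples: the suggested setting and the variation tried in the thread.
MIN_NT1 = "[global]\n    security = DOMAIN\n    client min protocol = NT1\n"
MAX_NT1 = "[global]\n    security = DOMAIN\n    client max protocol = NT1\n"


def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise spacing too.
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit_protocols(text):
    """List findings about the SMB dialect range each side will accept."""
    params, findings = parse_global(text), []
    for side in ("client", "server"):
        level = {}
        for bound in ("min", "max"):
            key = f"{side} {bound} protocol"
            name = params.get(key, DEFAULTS[key]).upper()
            name = ALIASES.get(name, name)
            if name not in ORDER:
                findings.append(f"{key}: {name} is not in this example's table")
                name = DEFAULTS[key]
            level[bound] = name
        lo, hi = ORDER.index(level["min"]), ORDER.index(level["max"])
        if hi < lo:
            findings.append(f"{side}: max {level['max']} is less than min {level['min']}")
        elif lo <= ORDER.index("NT1"):
            findings.append(f"{side}: SMB1 (NT1) is enabled")
    return findings
```

On a real host, `testparm -s` prints the effective configuration and is the authoritative check; the sketch only models the ordering rule behind the warning.
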
On 23/02/2021 19:51, Rowland penny via samba wrote:
>
> On 23/02/2021 17:17, Nick via samba wrote:
>>
>>
>> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>>
>>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>>> Please don't ream me for using an NT4 domain, but that is the beast
>>>> I am stuck with.
>>>
>>>
>>> You might think you are stuck with it, but unless you plan to upgrade
>>> to Samba AD, you might find you are stuck without it. NT4-style
>>> domains are going away, in fact they were deprecated at 4.13.0
>>>
>>> It is your decision, but I felt that I should warn you.
>>>
>>>>
>>>> I am trying to join a Centos 8 workstation to an NT4 domain and the
>>>> only notes I have are not really applicable -
>>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain.
>>>> It references Ubuntu and its PAM configuration is irrelevant. In any
>>>> case I believe the join is falling down before PAM even comes into
>>>> play.
>>>
>>>
>>> Ensure that all the Samba daemons are stopped, then try this
>>> '[global]' section of the smb.conf:
>>>
>>> [global]
>>>         domain master = No
>>>         security = DOMAIN
>>>         client min protocol = NT1
>>>         template shell = /bin/bash
>>>         winbind use default domain = Yes
>>>         workgroup = HOME
>>>         idmap config * : range = 3000-7999
>>>         idmap config * : backend = tdb
>>>         idmap config HOME : range = 10000000-19999999
>>>         idmap config HOME : backend = rid
>>>
>>> Try the join again and if it joins, then start winbind followed by
>>> smbd and nmbd.
>>>
>>> Rowland
>>>
>>>
>>>
>> I'm afraid it is the same problem:
>>
>> [root at proxmox106 ~]# net rpc join -U winadmin
>> Enter winadmin's password:
>> Failed to join domain: failed to find DC for domain HOME - The object
>> was not found.
>>
>> I don't know if it is of interest but changing "client min protocol =
>> NT1" to "client max protocol = NT1" gave:
>>
>> [root at proxmox106 ~]# net rpc join -U winadmin
>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>> Enter winadmin's password:
>> Failed to join domain: failed to find DC for domain HOME - The object
>> was not found.
>>
>> Has NT1/SMB1 been removed from this version of Samba and could that be
>> a problem? The server was running with "server min protocol = SMB2"
>> and I changed it to allow SMB1 when I changed the min protocol to max
>> protocol.
>>
>
> No, SMBv1 (Samba calls it NT1) hasn't been removed, it will still be in
> 4.14.0 when it is shortly released, but who knows about 4.15.0 ?
>
> It was turned off by default at 4.11.0? but is still available for use
> by setting 'client min protocol = NT1' for connections to a server that
> uses it and setting 'server min protocol = NT1' to make a server use it.
> A Samba machine can be both a client and a server. There should be no
> reason to set 'client max protocol' or 'server max protocol', they are
> both set to SMBv3 and will negotiate the best protocol to use.
>
> You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.
>
> Rowland
>
>
>

Success (sort of):

[root at proxmox106 ~]# net rpc join -U winadmin -v -S server
Enter winadmin's password:
Failed to join domain: failed to join domain 'HOME' over rpc: The specified account does not exist.
[root at proxmox106 ~]# net rpc join -U winadmin -v -I 172.17.2.1
Enter winadmin's password:
Failed to join domain: failed to find DC for domain HOME - The object was not found.
[root at proxmox106 ~]# net rpc join -U winadmin -v -S server.howitts.co.uk
Enter winadmin's password:
Using short domain name -- HOME
Joined 'PROXMOX106' to domain 'HOME'

Doesn't that indicate a DNS issue, but, if so what? FWIW
home.server.howitts.co.uk also resolves to the same IP and the join by
IP failed.

Smb, nmb and winbind now start so that is good.

Also do I now need to do any PAM and nsswitch fixups? nsswitch.conf now
reads:

[root at proxmox106 ~]# grep '^\w' /etc/nsswitch.conf
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
shadow: files sss
hosts: files dns myhostname
aliases: files
ethers: files
gshadow: files
networks: files dns
protocols: files
publickey: files
rpc: files

I assume it needs to reference winbind at least, instead of sss. The
documentation I had said to do:

passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

But the documentation is very old.