On 23/02/2021 20:49, Rowland penny via samba wrote:
> On 23/02/2021 20:11, Nick via samba wrote:
>> On 23/02/2021 19:51, Rowland penny via samba wrote:
>>> On 23/02/2021 17:17, Nick via samba wrote:
>>>> On 23/02/2021 16:29, Rowland penny via samba wrote:
>>>>> On 23/02/2021 14:19, Nick Howitt via samba wrote:
>>>>>> Please don't ream me for using an NT4 domain, but that is the
>>>>>> beast I am stuck with.
>>>>>
>>>>> You might think you are stuck with it, but unless you plan to
>>>>> upgrade to Samba AD, you might find you are stuck without it.
>>>>> NT4-style domains are going away, in fact they were deprecated at
>>>>> 4.13.0
>>>>>
>>>>> It is your decision, but I felt that I should warn you.
>>>>>
>>>>>> I am trying to join a CentOS 8 workstation to an NT4 domain and
>>>>>> the only notes I have are not really applicable -
>>>>>> https://documentation.clearos.com/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain.
>>>>>> It references Ubuntu and its PAM configuration is irrelevant. In
>>>>>> any case I believe the join is falling down before PAM even comes
>>>>>> into play.
>>>>>
>>>>> Ensure that all the Samba daemons are stopped, then try this
>>>>> '[global]' section of the smb.conf:
>>>>>
>>>>> [global]
>>>>>         domain master = No
>>>>>         security = DOMAIN
>>>>>         client min protocol = NT1
>>>>>         template shell = /bin/bash
>>>>>         winbind use default domain = Yes
>>>>>         workgroup = HOME
>>>>>         idmap config * : range = 3000-7999
>>>>>         idmap config * : backend = tdb
>>>>>         idmap config HOME : range = 10000000-19999999
>>>>>         idmap config HOME : backend = rid
>>>>>
>>>>> Try the join again and if it joins, then start winbind followed by
>>>>> smbd and nmbd.
>>>>>
>>>>> Rowland
>>>>>
>>>> I'm afraid it is the same problem:
>>>>
>>>> [root@proxmox106 ~]# net rpc join -U winadmin
>>>> Enter winadmin's password:
>>>> Failed to join domain: failed to find DC for domain HOME - The
>>>> object was not found.
>>>>
>>>> I don't know if it is of interest but changing "client min protocol
>>>> = NT1" to "client max protocol = NT1" gave:
>>>>
>>>> [root@proxmox106 ~]# net rpc join -U winadmin
>>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>>> lp_load_ex: Max protocol NT1 is less than min protocol SMB2_02.
>>>> Enter winadmin's password:
>>>> Failed to join domain: failed to find DC for domain HOME - The
>>>> object was not found.
>>>>
>>>> Has NT1/SMB1 been removed from this version of Samba and could that
>>>> be a problem? The server was running with "server min protocol =
>>>> SMB2" and I changed it to allow SMB1 when I changed the min
>>>> protocol to max protocol.
>>>>
>>> No, SMBv1 (Samba calls it NT1) hasn't been removed, it will still be
>>> in 4.14.0 when it is shortly released, but who knows about 4.15.0?
>>>
>>> It was turned off by default at 4.11.0? but is still available for
>>> use by setting 'client min protocol = NT1' for connections to a
>>> server that uses it and setting 'server min protocol = NT1' to make
>>> a server use it. A Samba machine can be both a client and a server.
>>> There should be no reason to set 'client max protocol' or 'server
>>> max protocol', they are both set to SMBv3 and will negotiate the
>>> best protocol to use.
>>>
>>> You could try adding '-S PDC_NAME' or '-I PDC_IP' to your join command.
>>>
>>> Rowland
>>>
>> Success (sort of):
>> [root@proxmox106 ~]# net rpc join -U winadmin -v -S server
>> Enter winadmin's password:
>> Failed to join domain: failed to join domain 'HOME' over rpc: The
>> specified account does not exist.
>> [root@proxmox106 ~]# net rpc join -U winadmin -v -I 172.17.2.1
>> Enter winadmin's password:
>> Failed to join domain: failed to find DC for domain HOME - The object
>> was not found.
>> [root@proxmox106 ~]# net rpc join -U winadmin -v -S server.howitts.co.uk
>> Enter winadmin's password:
>> Using short domain name -- HOME
>> Joined 'PROXMOX106' to domain 'HOME'
>>
>> Doesn't that indicate a DNS issue, but, if so what?
>
> Well, it would suggest a DNS problem, except a PDC uses NetBIOS, so is
> a WINS server running on the PDC? Do you have 'wins support = yes'
> in the PDC's smb.conf?

Yes, it is there.

> Try adding 'wins server = PDC_IP' in the client's smb.conf

I'll try that.

> The line you had in the client's smb.conf:
>
> add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s
> /bin/false -M %u
>
> Should be in the PDC's smb.conf.

The PDC has:
add machine script = /usr/sbin/samba-add-machine "%u"

>> FWIW home.server.howitts.co.uk also resolves to the same IP and the
>> join by IP failed.
>>
>> Smb, nmb and winbind now start so that is good.
>
> Well, at least you are getting somewhere?

Yes. Chuffed at that, thanks.

>> Also do I now need to do any PAM and nsswitch fixups? nsswitch.conf
>> now reads:
>>
>> [root@proxmox106 ~]# grep '^\w' /etc/nsswitch.conf
>> passwd:     sss files systemd
>> group:      sss files systemd
>> netgroup:   sss files
>> automount:  sss files
>> services:   sss files
>> shadow:     files sss
>> hosts:      files dns myhostname
>> aliases:    files
>> ethers:     files
>> gshadow:    files
>> networks:   files dns
>> protocols:  files
>> publickey:  files
>> rpc:        files
>>
>> I assume it needs to reference winbind at least, instead of sss. The
>> documentation I had said to do:
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat winbind
>> hosts:          files dns wins
>> networks:       files
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>> netgroup:       nis
>>
>> But the documentation is very old.
>
> And still valid, don't forget NT4-style domains are very old.

Great.

> Rowland
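Rowland's [global] section and the nsswitch.conf question above lend themselves to an automated check. The script below is an added example, not code from this thread or from the Samba project: it audits a domain member's smb.conf and nsswitch.conf for the settings the NT4-style join and domain logins depend on. Its checklist is assumed to be Rowland's posted [global] plus the 'wins server' line he suggests; the sample files are constructed here, with 172.17.2.1 taken from the thread as the PDC address.

```shell
#!/bin/sh
# Added example (not from this thread or the Samba project): audit a domain
# member's smb.conf and nsswitch.conf for the settings an NT4-style
# (security = DOMAIN) join and domain logins depend on. The checklist is the
# [global] section Rowland posted plus his 'wins server' suggestion; the
# sample files written below are constructed for the demonstration.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_get KEY FILE: print the [global] value of KEY, or nothing if unset.
# Keys are compared case-insensitively with whitespace collapsed, so
# 'idmap config HOME : backend' matches however it was spaced in the file.
smb_get() {
    awk -v want="$(lc "$1" | tr -s ' ')" '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && /=/ {
            k = $0; sub(/=.*/, "", k)
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == want) val = v             # last occurrence wins
        }
        END { print val }' "$2"
}

# expect_setting FILE KEY WANT: return 1 (with a diagnostic on stdout) unless
# KEY is set in [global] to WANT (case-insensitive). WANT='*' accepts any
# value, for site-specific names and addresses.
expect_setting() {
    got=$(smb_get "$2" "$1")
    if [ -z "$got" ]; then
        if [ "$3" = '*' ]; then echo "missing: $2"; else echo "missing: $2 = $3"; fi
        return 1
    fi
    if [ "$3" != '*' ] && [ "$(lc "$got")" != "$(lc "$3")" ]; then
        echo "bad: $2 = $got (want $3)"
        return 1
    fi
    return 0
}

# audit_smbconf FILE: one line per problem; returns 0 only when all pass.
audit_smbconf() {
    f=$1; rc=0
    expect_setting "$f" "security" "DOMAIN" || rc=1
    expect_setting "$f" "workgroup" '*' || rc=1
    # The join speaks SMB1 to an NT4 PDC, and SMB1 is off by default since 4.11.
    expect_setting "$f" "client min protocol" "NT1" || rc=1
    # DC discovery for an NT4 domain is NetBIOS/WINS, not DNS; this is the
    # line Rowland suggests for "failed to find DC for domain HOME".
    expect_setting "$f" "wins server" '*' || rc=1
    expect_setting "$f" "idmap config * : backend" "tdb" || rc=1
    wg=$(smb_get "workgroup" "$f")
    if [ -n "$wg" ]; then
        expect_setting "$f" "idmap config $wg : backend" "rid" || rc=1
        expect_setting "$f" "idmap config $wg : range" '*' || rc=1
    fi
    return $rc
}

# nss_has FILE DATABASE SOURCE: 0 if SOURCE is listed for DATABASE.
nss_has() {
    awk -F: -v db="$2" -v src="$3" '
        $1 == db { n = split($2, a, /[ \t]+/); for (i = 1; i <= n; i++) if (a[i] == src) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# audit_nsswitch FILE: domain users and groups must resolve through winbind,
# or PAM never gets a user to authenticate.
audit_nsswitch() {
    f=$1; rc=0
    for db in passwd group; do
        nss_has "$f" "$db" winbind || { echo "missing: $db does not list winbind"; rc=1; }
    done
    return $rc
}

# Constructed sample files (written to a temporary directory).
SAMPLES=$(mktemp -d)
SMBCONF_POSTED="$SAMPLES/smb.conf.posted"      # the [global] Rowland posted
cat > "$SMBCONF_POSTED" <<'EOF'
[global]
        domain master = No
        security = DOMAIN
        client min protocol = NT1
        template shell = /bin/bash
        winbind use default domain = Yes
        workgroup = HOME
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        idmap config HOME : range = 10000000-19999999
        idmap config HOME : backend = rid
EOF
SMBCONF_FIXED="$SAMPLES/smb.conf.fixed"        # same plus the PDC address from the thread
{ cat "$SMBCONF_POSTED"; echo '        wins server = 172.17.2.1'; } > "$SMBCONF_FIXED"
NSS_SSS="$SAMPLES/nsswitch.sss"                # CentOS 8 default, as Nick's grep showed
printf 'passwd:     sss files systemd\ngroup:      sss files systemd\nshadow:     files sss\n' > "$NSS_SSS"
NSS_WINBIND="$SAMPLES/nsswitch.winbind"        # the old documentation's version
printf 'passwd:     compat winbind\ngroup:      compat winbind\nshadow:     compat winbind\n' > "$NSS_WINBIND"

for f in "$SMBCONF_POSTED" "$SMBCONF_FIXED"; do
    echo "== $f"; audit_smbconf "$f" && echo "smb.conf OK"
done
for f in "$NSS_SSS" "$NSS_WINBIND"; do
    echo "== $f"; audit_nsswitch "$f" && echo "nsswitch OK"
done
```

Run against the posted [global] the only finding is "missing: wins server"; the CentOS 8 nsswitch.conf fails on both passwd and group. Point the functions at /etc/samba/smb.conf and /etc/nsswitch.conf on a real member to get the same report.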
Nick Howitt
2021-Feb-24 10:25 UTC
[Samba] How do I join an Centos8 workstation to an NT4 domain?
On 23/02/2021 21:27, Nick via samba wrote:
>> And still valid, don't forget NT4-style domains are very old.
> Great.
>> Rowland

Is there a way to leave a domain with "net ..." so I can test a rejoin?

I added the 'wins server' line to smb.conf and the join went OK without specifying the -S, but it was already joined at that point.

I've made the nsswitch.conf changes but still cannot log in as a domain user as password validation fails:

Feb 24 10:10:48 proxmox106 gdm-password][3498]: pam_unix(gdm-password:auth): check pass; user unknown
Feb 24 10:10:48 proxmox106 gdm-password][3498]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost
Feb 24 10:10:48 proxmox106 gdm-password][3498]: gkr-pam: error looking up user information
Feb 24 10:10:59 proxmox106 gdm-password][3503]: pam_unix(gdm-password:auth): check pass; user unknown
Feb 24 10:10:59 proxmox106 gdm-password][3503]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost
Feb 24 10:10:59 proxmox106 gdm-password][3503]: gkr-pam: error looking up user information

Do I now need to adjust the PAM configuration? Again the notes I have suggest so but the files mentioned don't exist in CentOS 8.
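The journal lines above already say which layer is failing: pam_unix's "check pass; user unknown" and gkr-pam's "error looking up user information" mean the account never resolved through NSS at all, so the "authentication failure" that follows is a consequence, not a rejected password, and no change under /etc/pam.d can help until winbind is answering passwd lookups. The script below is an added example, not code from this thread or from the Samba project; it groups the posted lines by the gdm helper's pid and names the failing layer for each login attempt. The first six log lines are copied from the message; the seventh (a resolved user whose password is rejected, user=nick) is constructed to show the other outcome.

```shell
#!/bin/sh
# Added example (not from this thread or the Samba project): triage gdm /
# pam_unix journal lines so the failing layer is named before touching PAM.
# Verdict per login attempt (one pid each):
#   nss  - the account could not be resolved ("user unknown", gkr-pam
#          "error looking up user information"): fix nsswitch.conf / winbind.
#   auth - the user resolved but the password was rejected by the module
#          that ran: that is the PAM stack's problem (pam_winbind missing).

# triage_log FILE: print "PID nss" or "PID auth" per attempt, in first-seen
# order; return 1 if any attempt failed at the NSS layer.
triage_log() {
    awk '
        match($0, /\[[0-9]+\]:/) {
            pid = substr($0, RSTART + 1, RLENGTH - 3)
            if ($0 ~ /user unknown|error looking up user information/) nss[pid] = 1
            else if ($0 ~ /authentication failure/) auth[pid] = 1
            if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (p in nss) { print p, "nss"; bad = 1 }
                else if (p in auth) print p, "auth"
            }
            exit bad
        }' "$1"
}

# Sample log: lines 1-6 are from the message above; line 7 is constructed.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Feb 24 10:10:48 proxmox106 gdm-password][3498]: pam_unix(gdm-password:auth): check pass; user unknown
Feb 24 10:10:48 proxmox106 gdm-password][3498]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost
Feb 24 10:10:48 proxmox106 gdm-password][3498]: gkr-pam: error looking up user information
Feb 24 10:10:59 proxmox106 gdm-password][3503]: pam_unix(gdm-password:auth): check pass; user unknown
Feb 24 10:10:59 proxmox106 gdm-password][3503]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost
Feb 24 10:10:59 proxmox106 gdm-password][3503]: gkr-pam: error looking up user information
Feb 24 10:12:05 proxmox106 gdm-password][3511]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=nick
EOF

if triage_log "$LOG"; then
    echo "no NSS-layer failures: look at the PAM stack"
else
    echo "NSS-layer failures: check 'getent passwd <user>' and winbind before PAM"
fi
```

On a real machine feed it `journalctl -u gdm -o short` or /var/log/secure; an "nss" verdict should send you to `getent passwd DOMAINUSER` and `wbinfo -u` first, an "auth" verdict to the pam.d stack.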