Dylan J. Morrison
2021-Nov-08 14:10 UTC
[Samba] "Incorrectly formatted request" from NT4, "Network responded incorrectly" from SAMBA 'net', trying to join NT4 domain on 4.13, 4.15
Re "is winbind running" bit of a catch-22 there. winbind gives me this error:

Could not find our SID. Did we join?

And then quits. Which means I can't actually have it running while attempting to join.

That said, changing to NT1 and adding the idmap bits did at least change the error I'm receiving. Now it's this:

Failed to join domain: failed to lookup DC info for domain 'OLDSEP' over rpc: [Access Denied] A process has requested access to an object but has not been granted those access rights.

And in the event log on the PDC:

The session startup for the computer FILESRV failed because these is no trust account in the security database for this computer. The name of the account referenced in the security database is FILESRV$.

So it's still failing to do something right, because JOIN should be *creating* the trust account. Thanks for the help though, we're on the right track.

Worst comes to worst and I can't figure out how to get them to talk to each other I suppose I can compile 4.7 since that's before these changes you mentioned.

Apologies for the lack of proper quoting, I'm using digest mode and I don't know how to do quote blocks on Thunderbird. Can you tell I don't use mailing lists much?

Dylan M

Rowland Penny
2021-Nov-08 15:46 UTC
[Samba] "Incorrectly formatted request" from NT4, "Network responded incorrectly" from SAMBA 'net', trying to join NT4 domain on 4.13, 4.15
On Mon, 2021-11-08 at 14:10 +0000, Dylan J. Morrison via samba wrote:
> Re "is winbind running" bit of a catch-22 there. winbind gives me
> this error:
>
> Could not find our SID. Did we join?
>
> And then quits. Which means I can't actually have it running while
> attempting to join.

You shouldn't have any Samba daemons running before the join, you start them afterwards. Since Samba 4.8.0 you must have winbind running if security = domain or security = ads.

>
> That said, changing to NT1 and adding the idmap bits did at least
> change the error I'm receiving. Now it's this:
>
> Failed to join domain: failed to lookup DC info for domain 'OLDSEP'
> over rpc: [Access Denied] A process has requested access to an object
> but has not been granted those access rights.

Does 'net rpc testjoin' show that the join is okay?

>
> And in the event log on the PDC:
>
> The session startup for the computer FILESRV failed because these
> is no trust account in the security database for this computer. The
> name of the account referenced in the security database is FILESRV$.
>
> So it's still failing to do something right, because JOIN should be
> *creating* the trust account. Thanks for the help though, we're on
> the right track.

It looks like you haven't joined.

> Worst comes to worst and I can't figure out how to get them to talk
> to each other I suppose I can compile 4.7 since that's before these
> changes you mentioned.

That might be an idea.

Rowland

Gérard Guével
2021-Nov-08 17:48 UTC
[Samba] "Incorrectly formatted request" from NT4, "Network responded incorrectly" from SAMBA 'net', trying to join NT4 domain on 4.13, 4.15
Hi Dylan,

Here is a sorted smb.conf file which works with Samba version 4.7.6-Ubuntu. I had the same error:

"Failed to join domain: failed to lookup DC info for domain 'DOMAIN' over rpc: [Access Denied] A process has requested access to an object but has not been granted those access rights."

Now it works but I don't know which parameters are mandatory.

You can add '-d 5' to debug your command 'net -d 5 rpc join -S PDC -U myadmin%mypwd'.

[global]
    allow dns updates = disabled
    bind interfaces only = No
    cldap port = 0
    client ipc signing = auto
    client ldap sasl wrapping = plain
    client max protocol = NT1
    client min protocol = CORE
    client min protocol = NT1
    client schannel = Auto
    client use spnego = No
    ctdbd socket = /var/run/ctdb/ctdbd.socket
    dcerpc endpoint servers
    debug timestamp = Yes
    dgram port = 0
    dns proxy = no
    dns update command
    domain logons = yes
    domain master = no
    encrypt passwords = true
    force create mode = 00
    force directory mode = 00
    hosts allow = 192.168.1. 192.168.2. 192.168.3. 192.168.4. 127.
    hosts allow = 192.168.1., 192.168.2., 192.168.3., 192.168.4., 127.
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    inherit owner = No
    kpasswd port = 0
    krb5 port = 0
    ldap page size = 1024
    load printers = no
    local master = no
    log file = /var/log/samba/samba.log
    log level = 3
    logon path
    mangled names = Yes
    map to guest = bad user
    max open files = 16404
    name resolve order = wins bcast host
    name resolve order = wins, bcast, host
    nbt port = 0
    netbios name = MYNAME
    nsupdate command
    ntlm auth = Yes
    ntp signd socket directory
    ntvfs handler
    os level = 64
    passdb backend = tdbsam
    preferred master = no
    preload
    print notify backchannel = Yes
    print ok = No
    require strong key = No
    rndc command
    samba kcc command
    security = domain
    server string
    share backend
    show add printer wizard = no
    smb2 max read = 1048576
    smb2 max trans = 1048576
    smb2 max write = 1048576
    smb ports = 445, 139
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    spn update command
    strict sync = No
    tls cafile
    tls certfile
    tls enabled = No
    tls keyfile
    username map = /etc/samba/smbusers
    web port = 0
    winbind enum groups = yes
    winbind enum groups = Yes
    winbind enum users = yes
    winbind enum users = Yes
    winbind expand groups = 1
    winbind rpc only = No
    winbind rpc only = yes
    winbind sealed pipes = No
    winbind sealed pipes = No
    winbind separator = /
    winbind use default domain = yes
    winbind use default domain = Yes
    wins proxy = no
    wins server = 192.168.4.212
    wins support = no
    workgroup = DOMAIN

Hope it helps you

Gerard
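
Added example, not part of any post in this thread: a small Python audit for an smb.conf like the one posted above. It reports parameters that appear twice with different values (the later line is the one that takes effect), lines that carry no value, and settings that relax SMB1, NTLM or NETLOGON secure-channel protections. The `WEAK` table and the `audit` function are assumptions of this example, and `SAMPLE` is a constructed subset of the posted file.

```python
# Added example; the WEAK table is this example's own assumption, not Samba's.
import re

BOOL_NO = {"no", "false", "0"}
LEGACY = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
# parameter -> predicate that is True when the value relaxes a protection
WEAK = {
    "client min protocol": lambda v: v in LEGACY,
    "client max protocol": lambda v: v in LEGACY,
    "client schannel": lambda v: v in BOOL_NO | {"auto"},
    "require strong key": lambda v: v in BOOL_NO,
    "winbind sealed pipes": lambda v: v in BOOL_NO,
    "client use spnego": lambda v: v in BOOL_NO,
    "ntlm auth": lambda v: v in {"yes", "true", "1", "ntlmv1-permitted"},
}

def audit(text):
    """Return (effective, duplicates, valueless, weak) for an smb.conf text."""
    effective, duplicates, valueless = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("["):
            continue
        if "=" not in line:
            valueless.append(line)      # no value on the line as posted
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = re.sub(r"\s+", " ", key.lower())
        if key in effective and effective[key].lower() != value.lower():
            duplicates.setdefault(key, [effective[key]]).append(value)
        effective[key] = value          # a later line overrides an earlier one
    weak = {k: v for k, v in effective.items() if k in WEAK and WEAK[k](v.lower())}
    return effective, duplicates, valueless, weak

# Constructed sample: a subset of the lines from the smb.conf posted above.
SAMPLE = """[global]
client min protocol = CORE
client min protocol = NT1
client schannel = Auto
dns update command
ntlm auth = Yes
require strong key = No
security = domain
winbind rpc only = No
winbind rpc only = yes
winbind sealed pipes = No
"""
if __name__ == "__main__":
    print(audit(SAMPLE)[1:])
```

Running it over a working legacy configuration gives a short list of the relaxed settings to re-test one at a time when working out which are actually needed for the NT4 join.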