Ivan Lopez
2023-May-31 13:40 UTC
[Samba] samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain
Hi, people. How are you? I hope you are very well.

Could you help us, please? We have a problem with Ubuntu+samba+winbindd joining an old Windows 2000 Active Directory domain (we are testing migrating our domain to SAMBA4 but, for now, we must continue using the current domain).

We have no problems joining Ubuntu 18 and, in the past, we've joined Ubuntu 20 PCs. It seems that some update in the libraries or packages involved in the winbindd/samba-Windows 2000 AD interaction has broken something in our environment, and now joining an updated Ubuntu 20 can't be done. We can install Ubuntu 18, join the PC to the domain and then update to Ubuntu 20, but it is a pain because we are planning to go to Ubuntu 22.

*In the PC (Ubuntu 20) we are trying to join:*

a) Result of net ads:

sudo net ads join -U Administrador
[sudo] contraseña para sistemas:
Password for [OUR\Administrador]:
ads_print_error: AD LDAP ERROR: 53 (Server is unwilling to perform): 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0

connect_to_domain_password_server: unable to open the domain client session to machine mailsrv.OUR.REALM. Flags[0x00000000] Error was : NT_STATUS_ACCESS_DENIED.
Failed to join domain: failed to verify domain membership after joining: {Access Denied} A process has requested access to an object but has not been granted those access rights.

c) After that, winbindd can't be started. In winbind logs:

[2023/05/31 08:51:46.501656,  0] ../../source3/winbindd/winbindd.c:1722(main)
  winbindd version 4.15.13-Ubuntu started.
  Copyright Andrew Tridgell and the Samba Team 1992-2021
[2023/05/31 08:51:46.505271,  0] ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2023/05/31 08:51:46.507658,  0] ../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
  Could not fetch our SID - did we join?
[2023/05/31 08:51:46.507681,  0] ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
  unable to initialize domain list

b) Result of testparm -v:

# Global parameters
[global]
	abort shutdown script
	add group script
	additional dns hostnames
	add machine script
	addport command
	addprinter command
	add share command
	add user script
	add user to group script
	afs token lifetime = 604800
	afs username map
	aio max threads = 100
	algorithmic rid base = 1000
	allow dcerpc auth level connect = No
	allow dns updates = secure only
	allow insecure wide links = No
	allow nt4 crypto = No
	allow trusted domains = Yes
	allow unsafe cluster upgrade = No
	apply group policies = No
	async dns timeout = 10
	async smb echo handler = No
	auth event notification = No
	auto services
	binddns dir = /var/lib/samba/bind-dns
	bind interfaces only = No
	browse list = Yes
	cache directory = /var/cache/samba
	change notify = Yes
	change share command
	check password script
	cldap port = 389
	client ipc max protocol = default
	client ipc min protocol = NT1
	client ipc signing = default
	client lanman auth = No
	client ldap sasl wrapping = sign
	client max protocol = NT1
	client min protocol = NT1
	client NTLMv2 auth = Yes
	client plaintext auth = No
	client protection = default
	client schannel = Yes
	client signing = default
	client smb encrypt = default
	client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
	client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
	client use kerberos = desired
	client use spnego principal = No
	client use spnego = Yes
	cluster addresses
	clustering = No
	config backend = file
	config file
	create krb5 conf = Yes
	ctdbd socket
	ctdb locktime warn threshold = 0
	ctdb timeout = 0
	cups connection timeout = 30
	cups encrypt = No
	cups server
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
	deadtime = 10080
	debug class = No
	debug encryption = No
	debug hires timestamp = Yes
	debug pid = No
	debug prefix timestamp = No
	debug uid = No
	dedicated keytab file
	default service
	defer sharing violations = Yes
	delete group script
	deleteprinter command
	delete share command
	delete user from group script
	delete user script
	dgram port = 138
	disable netbios = No
	disable spoolss = No
	dns forwarder
	dns proxy = Yes
	dns update command = /usr/sbin/samba_dnsupdate
	dns zone scavenging = No
	dns zone transfer clients allow
	dns zone transfer clients deny
	domain logons = No
	domain master = Auto
	dos charset = CP850
	dsdb event notification = No
	dsdb group change notification = No
	dsdb password event notification = No
	enable asu support = No
	enable core files = Yes
	enable privileges = Yes
	encrypt passwords = Yes
	enhanced browsing = Yes
	enumports command
	eventlog list
	get quota command
	getwd cache = Yes
	gpo update command = /usr/sbin/samba-gpupdate
	guest account = nobody
	host msdfs = Yes
	hostname lookups = No
	idmap backend = tdb
	idmap cache time = 604800
	idmap gid
	idmap negative cache time = 120
	idmap uid
	include system krb5 conf = Yes
	init logon delay = 100
	init logon delayed hosts
	interfaces
	iprint server
	kdc default domain supported enctypes = 0
	kdc force enable rc4 weak session keys = No
	kdc supported enctypes = 0
	keepalive = 300
	kerberos encryption types = all
	kerberos method = default
	kernel change notify = Yes
	kpasswd port = 464
	krb5 port = 88
	lanman auth = No
	large readwrite = Yes
	ldap admin dn
	ldap connection timeout = 2
	ldap debug level = 0
	ldap debug threshold = 10
	ldap delete dn = No
	ldap deref = auto
	ldap follow referral = Auto
	ldap group suffix
	ldap idmap suffix
	ldap machine suffix
	ldap max anonymous request size = 256000
	ldap max authenticated request size = 16777216
	ldap max search request size = 256000
	ldap page size = 1000
	ldap passwd sync = no
	ldap replication sleep = 1000
	ldap server require strong auth = Yes
	ldap ssl = start tls
	ldap suffix
	ldap timeout = 15
	ldap user suffix
	lm announce = Auto
	lm interval = 60
	load printers = Yes
	local master = Yes
	lock directory = /run/samba
	lock spin time = 200
	log file = /var/log/samba/log.%m
	logging = file
	log level = 1
	log nt token command
	logon drive
	logon home = \\%N\%U
	logon path = \\%N\%U\profile
	logon script
	log writeable files on exit = No
	lpq cache time = 30
	lsa over netlogon = No
	machine password timeout = 604800
	mangle prefix = 1
	mangling method = hash2
	map to guest = Bad User
	max disk size = 0
	max log size = 1000
	max mux = 50
	max open files = 16384
	max smbd processes = 0
	max stat cache size = 512
	max ttl = 259200
	max wins ttl = 518400
	max xmit = 16644
	mdns name = netbios
	message command
	min domain uid = 1000
	min receivefile size = 0
	min wins ttl = 21600
	mit kdc command
	multicast dns register = Yes
	name cache timeout = 660
	name resolve order = lmhosts wins host bcast
	nbt client socket address = 0.0.0.0
	nbt port = 137
	ncalrpc dir = /var/run/samba/ncalrpc
	netbios aliases
	netbios name = UB-PC00092
	netbios scope
	neutralize nt4 emulation = No
	nmbd bind explicit broadcast = Yes
	nsupdate command = /usr/bin/nsupdate -g
	ntlm auth = ntlmv2-only
	nt pipe support = Yes
	ntp signd socket directory = /var/lib/samba/ntp_signd
	nt status support = Yes
	null passwords = No
	obey pam restrictions = Yes
	old password allowed period = 60
	oplock break wait time = 0
	os2 driver map
	os level = 20
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passdb backend = tdbsam
	passdb expand explicit = No
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd chat debug = No
	passwd chat timeout = 2
	passwd program = /usr/bin/passwd %u
	password hash gpg key ids
	password hash userPassword schemes
	password server = *
	perfcount module
	pid directory = /run/samba
	preferred master = Auto
	prefork backoff increment = 10
	prefork children = 4
	prefork maximum backoff = 120
	preload modules
	printcap cache time = 750
	printcap name
	private dir = /var/lib/samba/private
	raw NTLMv2 auth = No
	read raw = Yes
	realm = OUR.REALM
	registry shares = No
	reject md5 clients = Yes
	reject md5 servers = Yes
	remote announce
	remote browse sync
	rename user script
	require strong key = Yes
	reset on zero vc = No
	restrict anonymous = 0
	root directory
	rpc big endian = No
	rpc server dynamic port range = 49152-65535
	rpc server port = 0
	samba kcc command = /usr/sbin/samba_kcc
	security = ADS
	server max protocol = SMB3
	server min protocol = SMB2_02
	server multi channel support = Yes
	server role = standalone server
	server schannel = Yes
	server schannel require seal = Yes
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
	server signing = default
	server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
	server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
	server string = %h server (Samba, Ubuntu)
	set primary group script
	set quota command
	show add printer wizard = Yes
	shutdown script
	smb2 disable lock sequence checking = No
	smb2 disable oplock break retry = No
	smb2 leases = Yes
	smb2 max credits = 8192
	smb2 max read = 8388608
	smb2 max trans = 8388608
	smb2 max write = 8388608
	smbd profiling level = off
	smb passwd file = /etc/samba/smbpasswd
	smb ports = 445 139
	socket options = TCP_NODELAY
	spn update command = /usr/sbin/samba_spnupdate
	stat cache = Yes
	state directory = /var/lib/samba
	svcctl list
	syslog = 1
	syslog only = No
	template homedir = /home/%D/%U
	template shell = /bin/bash
	time server = No
	timestamp logs = Yes
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls crlfile
	tls dh params file
	tls enabled = Yes
	tls keyfile = tls/key.pem
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = as_strict_as_possible
	unicode = Yes
	unix charset = UTF-8
	unix extensions = Yes
	unix password sync = Yes
	use mmap = Yes
	username level = 0
	username map
	username map cache time = 0
	username map script
	usershare allow guests = Yes
	usershare max shares = 100
	usershare owner only = Yes
	usershare path = /var/lib/samba/usershares
	usershare prefix allow list
	usershare prefix deny list
	usershare template share
	utmp = No
	utmp directory
	winbind cache time = 300
	winbindd socket directory = /var/run/samba/winbindd
	winbind enum groups = No
	winbind enum users = No
	winbind expand groups = 0
	winbind max clients = 200
	winbind max domain connections = 1
	winbind nested groups = Yes
	winbind normalize names = No
	winbind nss info = template
	winbind offline logon = No
	winbind reconnect delay = 30
	winbind refresh tickets = No
	winbind request timeout = 60
	winbind rpc only = No
	winbind scan trusted domains = No
	winbind sealed pipes = Yes
	winbind separator = \
	winbind use default domain = Yes
	winbind use krb5 enterprise principals = Yes
	wins hook
	wins proxy = No
	wins server
	wins support = No
	workgroup = OUR
	write raw = Yes
	wtmp directory
	idmap config our : range = 16777220-33554431
	idmap config our : backend = rid
	idmap config * : range = 5000-16777200
	idmap config * : backend = tdb
	access based share enum = No
	acl allow execute always = No
	acl check permissions = Yes
	acl flag inherited canonicalization = Yes
	acl group control = No
	acl map full control = Yes
	administrative share = No
	admin users
	afs share = No
	aio read size = 1
	aio write behind
	aio write size = 1
	allocation roundup size = 0
	available = Yes
	blocking locks = Yes
	block size = 1024
	browseable = Yes
	case sensitive = Auto
	check parent directory delete on close = No
	comment
	copy
	create mask = 0744
	csc policy = manual
	cups options
	default case = lower
	default devmode = Yes
	delete readonly = No
	delete veto files = No
	dfree cache time = 0
	dfree command
	directory mask = 0755
	directory name cache size = 100
	dmapi support = No
	dont descend
	dos filemode = No
	dos filetime resolution = No
	dos filetimes = Yes
	durable handles = Yes
	ea support = Yes
	fake directory create times = No
	fake oplocks = No
	follow symlinks = Yes
	smbd force process locks = No
	force create mode = 0000
	force directory mode = 0000
	force group
	force printername = No
	force unknown acl user = No
	force user
	fstype = NTFS
	guest ok = No
	guest only = No
	hide dot files = Yes
	hide files
	hide new files timeout = 0
	hide special files = No
	hide unreadable = No
	hide unwriteable files = No
	honor change notify privilege = No
	hosts allow
	hosts deny
	include
	inherit acls = No
	inherit owner = no
	inherit permissions = No
	invalid users
	kernel oplocks = No
	kernel share modes = Yes
	level2 oplocks = Yes
	locking = Yes
	lppause command
	lpq command = %p
	lpresume command
	lprm command
	magic output
	magic script
	mangled names = illegal
	mangling char = ~
	map acl inherit = No
	map archive = Yes
	map hidden = No
	map readonly = no
	map system = No
	max connections = 0
	max print jobs = 1000
	max reported print jobs = 0
	min print space = 0
	msdfs proxy
	msdfs root = No
	msdfs shuffle referrals = No
	nt acl support = Yes
	ntvfs handler = unixuid, default
	oplocks = Yes
	path
	posix locking = Yes
	postexec
	preexec
	preexec close = No
	preserve case = Yes
	printable = No
	print command
	printer name
	printing = cups
	printjob username = %U
	print notify backchannel = No
	queuepause command
	queueresume command
	read list
	read only = Yes
	root postexec
	root preexec
	root preexec close = No
	server smb encrypt = default
	short preserve case = Yes
	smbd async dosmode = No
	smbd getinfo ask sharemode = Yes
	smbd max async dosmode = 0
	smbd max xattr size = 65536
	smbd search ask sharemode = Yes
	spotlight = No
	spotlight backend = noindex
	store dos attributes = Yes
	strict allocate = No
	strict locking = Auto
	strict rename = No
	strict sync = Yes
	sync always = No
	use client driver = No
	use sendfile = No
	valid users
	veto files
	veto oplock files
	vfs objects
	volume
	wide links = No
	write list

[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

c) Result of dpkg -l |grep -E "winbind|libpam-winbind|libnss-winbind|krb5-config|smb":

dpkg -l |grep -E "winbind|libpam-winbind|libnss-winbind|krb5-config|smb"
ii  krb5-config           2.6ubuntu1                         all    Configuration files for Kerberos Version 5
ii  libnss-winbind:amd64  2:4.15.13+dfsg-0ubuntu0.20.04.1    amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64  2:4.15.13+dfsg-0ubuntu0.20.04.1    amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64    2:4.15.13+dfsg-0ubuntu0.20.04.1    amd64  shared library for communication with SMB/CIFS servers
ii  libsmbios-c2          2.4.3-1                            amd64  Provide access to (SM)BIOS information -- dynamic library
ii  libwbclient0:amd64    2:4.15.13+dfsg-0ubuntu0.20.04.1    amd64  Samba winbind client library
ii  winbind               2:4.15.13+dfsg-0ubuntu0.20.04.1    amd64  service to resolve user and group information from Windows NT servers

5d4
< 	additional dns hostnames
22,23d20
< 	apply group policies = No
< 	async dns timeout = 10
25a23
> 	auth methods
27d24
< 	binddns dir = /var/lib/samba/bind-dns
41c38
< 	client min protocol = NT1
---
> 	client min protocol = CORE
44d40
< 	client protection = default
47,50d42
< 	client smb encrypt = default
< 	client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
< 	client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
< 	client use kerberos = desired
65c57
< 	deadtime = 10080
---
> 	deadtime = 0
67d58
< 	debug encryption = No
84c75
< 	dns proxy = Yes
---
> 	dns proxy = No
86,88d76
< 	dns zone scavenging = No
< 	dns zone transfer clients allow
< 	dns zone transfer clients deny
92,94d79
< 	dsdb event notification = No
< 	dsdb group change notification = No
< 	dsdb password event notification = No
104d88
< 	gpo update command = /usr/sbin/samba-gpupdate
105a90
> 	homedir map = auto.home
118,120d102
< 	kdc default domain supported enctypes = 0
< 	kdc force enable rc4 weak session keys = No
< 	kdc supported enctypes = 0
146a129
> 	ldap ssl ads = No
154c137
< 	lock directory = /run/samba
---
> 	lock directory = /var/run/samba
157,158c140,141
< 	logging = file
< 	log level = 1
---
> 	logging
> 	log level = 2
170a154
> 	map untrusted to domain = Auto
176c160
< 	max stat cache size = 512
---
> 	max stat cache size = 256
180d163
< 	mdns name = netbios
193c176
< 	netbios name = UB-PC00092
---
> 	netbios name = UB-PC00162
195a179
> 	NIS homedir = No
220c204
< 	pid directory = /run/samba
---
> 	pid directory = /var/run/samba
222,224d205
< 	prefork backoff increment = 10
< 	prefork children = 4
< 	prefork maximum backoff = 120
231c212
< 	realm = OUR.REALM
---
> 	realm = SANTAFE.ENRESS.GOV.AR
233,234c214,215
< 	reject md5 clients = Yes
< 	reject md5 servers = Yes
---
> 	reject md5 clients = No
> 	reject md5 servers = No
240a222
> 	rndc command = /usr/sbin/rndc
248,249c230,231
< 	server min protocol = SMB2_02
< 	server multi channel support = Yes
---
> 	server min protocol = LANMAN1
> 	server multi channel support = No
252d233
< 	server schannel require seal = Yes
255,256d235
< 	server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
< 	server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
259a239
> 	share backend = classic
262,263d241
< 	smb2 disable lock sequence checking = No
< 	smb2 disable oplock break retry = No
277c255
< 	syslog = 1
---
> 	syslog = 0
306a285
> 	use spnego = Yes
308a288
> 	web port = 901
324d303
< 	winbind scan trusted domains = No
326a306
> 	winbind trusted domains only = No
328d307
< 	winbind use krb5 enterprise principals = Yes
333c312
< 	workgroup = OUR
---
> 	workgroup = SANTAFE
336,337c315,316
< 	idmap config our : range = 16777220-33554431
< 	idmap config our : backend = rid
---
> 	idmap config santafe : range = 16777220-33554431
> 	idmap config santafe : backend = rid
343d321
< 	acl flag inherited canonicalization = Yes
349c327
< 	aio read size = 1
---
> 	aio read size = 0
351,352c329,330
< 	aio write size = 1
< 	allocation roundup size = 0
---
> 	aio write size = 0
> 	allocation roundup size = 1048576
358d335
< 	check parent directory delete on close = No
378c355
< 	ea support = Yes
---
> 	ea support = No
382d358
< 	smbd force process locks = No
394d369
< 	hide new files timeout = 0
398d372
< 	honor change notify privilege = No
416c390
< 	mangled names = illegal
---
> 	mangled names = yes
421c395
< 	map readonly = no
---
> 	map readonly = yes
431a406
> 	oplock contention limit = 2
444a420
> 	profile acls = No
452d427
< 	server smb encrypt = default
454,458c429
< 	smbd async dosmode = No
< 	smbd getinfo ask sharemode = Yes
< 	smbd max async dosmode = 0
< 	smbd max xattr size = 65536
< 	smbd search ask sharemode = Yes
---
> 	smb encrypt = default
460,461c431
< 	spotlight backend = noindex
< 	store dos attributes = Yes
---
> 	store dos attributes = No
474a445
> 	write cache size = 0

*In Windows 2000 Domain Controller:*

* The Computer Object is created in Active Directory but is marked with a red cross (blocked?)
* The Event 5772 from NETLOGON is logged:

Tipo de suceso:	Error
Origen del suceso:	NETLOGON
Categoría del suceso:	Ninguno
Id. del suceso:	5722
Fecha:		31/05/2023
Hora:		6:54:01
Usuario:		No disponible
Equipo:	MAILSRV
Descripción:
No se puede autenticar la configuración de sesión desde el equipo UB-PC00092. El nombre de la cuenta a la que se hace referencia en la base de datos de seguridad es UB-PC00092$. Error: Acceso denegado.
Datos:
0000: 22 00 00 c0               "..À

*Additional Info; may be important:*

* We noted the event 5772 is also logged intermittently for other PCs already joined to the domain, all of them with Ubuntu 20. We think this log happens when the PC tries to change its password. Those PCs are running OK in the domain, but maybe this event is the tip of an iceberg.
* Maybe event 5722 is also logged when joining Ubuntu 20 to the domain because the PC is trying to establish its password at that moment?

Thanks in advance.

Iván
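One practical way to work through a post like the one above is to parse the two `testparm` dumps mechanically and surface only the parameters that govern the client-to-DC negotiation (SMB dialect, Kerberos versus NTLM, NETLOGON secure-channel crypto), instead of reading a 450-line diff by eye. The script below is an added example written for this thread; it is not code from the Samba project or from either poster. The two sample dumps are constructed from values that appear in the diff quoted above, trimmed to a few parameters, and the watch list is an assumption of this example: it names the parameters whose presence or value differs between the two hosts in that diff plus their secure-channel neighbours, and it makes no claim about which of them (if any) is the cause of the failure.

```python
"""Compare two `testparm -s` / `testparm -v` dumps and flag the parameters
that govern how a member joins and talks to a domain controller.

Added example for this thread, not Samba project code. Sample dumps are
constructed from the thread's values and trimmed to a handful of keys."""
import re
from typing import Dict, List, Tuple

# Assumption of this example: parameters worth comparing first when a join
# against an old DC fails. Values are not judged, only differences surfaced.
WATCHLIST = (
    "client min protocol", "client max protocol", "client use kerberos",
    "allow nt4 crypto", "require strong key", "reject md5 clients",
    "reject md5 servers", "server schannel require seal",
    "client schannel", "winbind sealed pipes",
)

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Constructed sample: the host that fails to join (4.15.13 side of the diff).
FAILING_HOST = """# Global parameters
[global]
\tclient min protocol = NT1
\tclient use kerberos = desired
\tallow nt4 crypto = No
\treject md5 clients = Yes
\treject md5 servers = Yes
\trequire strong key = Yes
\tserver schannel require seal = Yes
\tinterfaces
\tnetbios name = UB-PC00092
\tworkgroup = OUR
\tsecurity = ADS

[printers]
\tbrowseable = No
\tpath = /var/spool/samba
"""

# Constructed sample: a host that is already joined (the other side).
WORKING_HOST = """# Global parameters
[global]
\tclient min protocol = CORE
\tallow nt4 crypto = No
\treject md5 clients = No
\treject md5 servers = No
\trequire strong key = Yes
\tinterfaces
\tnetbios name = UB-PC00162
\tworkgroup = SANTAFE
\tsecurity = ADS
"""


def parse_testparm(text: str) -> Dict[str, Dict[str, str]]:
    """Parse testparm output into {section: {parameter: value}}.

    Comment lines and anything before the first [section] are skipped.
    'key = value' splits on the first '='; a key printed without '='
    (an empty setting) is stored with an empty value."""
    config: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            config.setdefault(section, {})
            continue
        if section is None:
            continue
        key, _, value = line.partition("=")
        config[section][key.strip().lower()] = value.strip()
    return config


def diff_section(a: Dict[str, str], b: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, value_in_a, value_in_b) for every key that differs.

    A key present on one side only is reported with '<absent>' on the other,
    which is exactly the case for settings that a newer Samba introduced."""
    out = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, "<absent>"), b.get(key, "<absent>")
        if va != vb:
            out.append((key, va, vb))
    return out


def watched_differences(text_a: str, text_b: str) -> List[Tuple[str, str, str]]:
    """Diff the [global] sections of two dumps, keeping only WATCHLIST keys."""
    ga = parse_testparm(text_a).get("global", {})
    gb = parse_testparm(text_b).get("global", {})
    return [d for d in diff_section(ga, gb) if d[0] in WATCHLIST]


if __name__ == "__main__":
    # Typical use: python3 cmp_testparm.py after saving `testparm -s` output
    # from both machines; here the constructed samples stand in for the files.
    for key, failing, working in watched_differences(FAILING_HOST, WORKING_HOST):
        print(f"{key:32s} failing={failing:10s} working={working}")
```

Run against real dumps, replace the two string constants with the contents of `testparm -s > host.conf` from each machine; the `[global]` diff alone lists every changed or newly introduced setting, and the watch-list filter narrows that to the handful a practitioner would check first before touching a DC.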
Rowland Penny
2023-May-31 14:13 UTC
[Samba] samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain
On 31/05/2023 14:40, Ivan Lopez via samba wrote:
> Hi, people. How are you?. I hope you are very well
> 
> Could you help us, please?. We've a problem with Ubuntu+samba+winbindd
> joining an old Windows 2000 Active Directory domain (we are testing
> migrate our domain to SAMBA4 but, for now, we must continue using the
> current domain).
> 
> We have no problems joining Ubuntu 18 and, in the past, we've joined
> Ubuntu 20 PCs. It seems to be some update in libraries or packages
> involved in interactions winbindd/samba-Windows 2000 AD has broken
> something in our environment and now, join an updated Ubuntu 20 can't be
> done. We can install ubuntu 18, join the PC to domain and then, update
> to Ubuntu 20 but is a pain because we are planning go to ubuntu 22.
> 
> *In the PC (ubuntu 20) we are trying to join:*
> 
> a) Result of net ads:
> 
> sudo net ads join -U Administrador
> [sudo] contraseña para sistemas:
> Password for [OUR\Administrador]:
> ads_print_error: AD LDAP ERROR: 53 (Server is unwilling to perform):
> 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0
> 
> connect_to_domain_password_server: unable to open the domain client
> session to machine mailsrv.OUR.REALM. Flags[0x00000000] Error was :
> NT_STATUS_ACCESS_DENIED.
> Failed to join domain: failed to verify domain membership after joining:
> {Access Denied} A process has requested access to an object but has not
> been granted those access rights.
> 
> c) After that, winbindd can't be started. In winbind logs:
> 
> [2023/05/31 08:51:46.501656,  0]
> ../../source3/winbindd/winbindd.c:1722(main)
>   winbindd version 4.15.13-Ubuntu started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2021
> [2023/05/31 08:51:46.505271,  0]
> ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
>   initialize_winbindd_cache: clearing cache and re-creating with
> version number 2
> [2023/05/31 08:51:46.507658,  0]
> ../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
>   Could not fetch our SID - did we join?
> [2023/05/31 08:51:46.507681,  0]
> ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
>   unable to initialize domain list
> 
> b) Result of testparm -v:

Before we go any further, can you run that command again, but replace the '-v' with '-s'

Rowland