samba - May 2023 - samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain

On 31/05/2023 14:40, Ivan Lopez via samba wrote:
> Hi, people. How are you?. I hope you are very well
> 
> Could you help us, please?. We've a problem with Ubuntu+samba+winbindd 
> joining an old Windows 2000 Active Directory domain (we are testing 
> migrate our domain to SAMBA4 but, for now, we must continue using the 
> current domain).
> 
> We have no problems joining Ubuntu 18 and, in the past, we've joined 
> Ubuntu 20 PCs. It seems to be some update in libraries or packages 
> involved in interactions winbindd/samba-Windows 2000 AD has broken 
> something in our environment and now, join an updated Ubuntu 20 can't
be
> done. We can install ubuntu 18, join the PC to domain and then, update 
> to Ubuntu 20 but is a pain because we are planning go to ubuntu 22.
> 
> *In the PC (ubuntu 20) we are trying to join:*
> 
> a) Result of net ads:
> 
> sudo net ads join -U Administrador
> [sudo] contrase?a para sistemas:
> Password for [OUR\Administrador]:
> ads_print_error: AD LDAP ERROR: 53 (Server is unwilling to perform): 
> 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0
> 
> connect_to_domain_password_server: unable to open the domain client 
> session to machine mailsrv.OUR.REALM. Flags[0x00000000] Error was : 
> NT_STATUS_ACCESS_DENIED.
> Failed to join domain: failed to verify domain membership after joining: 
> {Access Denied} A process has requested access to an object but has not 
> been granted those access rights.
> 
> c) After that, winbindd can't be started. In winbind logs:
> 
> [2023/05/31 08:51:46.501656,? 0] 
> ../../source3/winbindd/winbindd.c:1722(main)
>  ? winbindd version 4.15.13-Ubuntu started.
>  ? Copyright Andrew Tridgell and the Samba Team 1992-2021
> [2023/05/31 08:51:46.505271,? 0] 
> ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
>  ? initialize_winbindd_cache: clearing cache and re-creating with 
> version number 2
> [2023/05/31 08:51:46.507658,? 0] 
> ../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
>  ? Could not fetch our SID - did we join?
> [2023/05/31 08:51:46.507681,? 0] 
> ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
>  ? unable to initialize domain list
> 
> b) Result of testparm -v:
Before we go any further, can you run that command again, but replace 
the '-v' with '-s'

Rowland

Hi, Rowland. Thanks for your answer. There is the result of testparm -s 
in Ubuntu 20. I've send the result of testparm -v because I thought that 
some default could have changed between versions.

#sudo testparm -s
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
 ?? ?client ipc min protocol = NT1

 ??? client min protocol = NT1

 ??? client max protocol = NT1
 ?? ?dns proxy = No
 ?? ?log file = /var/log/samba/log.%m
 ?? ?map to guest = Bad User
 ?? ?max log size = 1000
 ?? ?obey pam restrictions = Yes
 ?? ?pam password change = Yes
 ?? ?panic action = /usr/share/samba/panic-action %d
 ?? ?passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 ?? ?passwd program = /usr/bin/passwd %u
 ?? ?realm = OUR.REALM
 ?? ?security = ADS
 ?? ?server role = standalone server
 ?? ?server string = %h server (Samba, Ubuntu)
 ?? ?syslog = 0
 ?? ?template shell = /bin/bash
 ?? ?unix password sync = Yes
 ?? ?usershare allow guests = Yes
 ?? ?winbind use default domain = Yes
 ?? ?workgroup = OUR
 ?? ?idmap config our : range = 16777220-33554431
 ?? ?idmap config our : backend = rid
 ?? ?idmap config * : range = 5000-16777200
 ?? ?idmap config * : backend = tdb


[printers]
 ?? ?browseable = No
 ?? ?comment = All Printers
 ?? ?create mask = 0700
 ?? ?path = /var/spool/samba
 ?? ?printable = Yes


[print$]
 ?? ?comment = Printer Drivers
 ?? ?path = /var/lib/samba/printers

Thanks.
Iv?n

El 31/5/23 a las 11:13, Rowland Penny via samba
escribi?:
>
>
> On 31/05/2023 14:40, Ivan Lopez via samba wrote:
>> Hi, people. How are you?. I hope you are very well
>>
>> Could you help us, please?. We've a problem with 
>> Ubuntu+samba+winbindd joining an old Windows 2000 Active Directory 
>> domain (we are testing migrate our domain to SAMBA4 but, for now, we 
>> must continue using the current domain).
>>
>> We have no problems joining Ubuntu 18 and, in the past, we've
joined
>> Ubuntu 20 PCs. It seems to be some update in libraries or packages 
>> involved in interactions winbindd/samba-Windows 2000 AD has broken 
>> something in our environment and now, join an updated Ubuntu 20
can't
>> be done. We can install ubuntu 18, join the PC to domain and then, 
>> update to Ubuntu 20 but is a pain because we are planning go to 
>> ubuntu 22.
>>
>> *In the PC (ubuntu 20) we are trying to join:*
>>
>> a) Result of net ads:
>>
>> sudo net ads join -U Administrador
>> [sudo] contrase?a para sistemas:
>> Password for [OUR\Administrador]:
>> ads_print_error: AD LDAP ERROR: 53 (Server is unwilling to perform): 
>> 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data
0
>>
>> connect_to_domain_password_server: unable to open the domain client 
>> session to machine mailsrv.OUR.REALM. Flags[0x00000000] Error was : 
>> NT_STATUS_ACCESS_DENIED.
>> Failed to join domain: failed to verify domain membership after 
>> joining: {Access Denied} A process has requested access to an object 
>> but has not been granted those access rights.
>>
>> c) After that, winbindd can't be started. In winbind logs:
>>
>> [2023/05/31 08:51:46.501656,? 0] 
>> ../../source3/winbindd/winbindd.c:1722(main)
>> ?? winbindd version 4.15.13-Ubuntu started.
>> ?? Copyright Andrew Tridgell and the Samba Team 1992-2021
>> [2023/05/31 08:51:46.505271,? 0] 
>> ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
>> ?? initialize_winbindd_cache: clearing cache and re-creating with 
>> version number 2
>> [2023/05/31 08:51:46.507658,? 0] 
>> ../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
>> ?? Could not fetch our SID - did we join?
>> [2023/05/31 08:51:46.507681,? 0] 
>> ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
>> ?? unable to initialize domain list
>>
>> b) Result of testparm -v:
>
> Before we go any further, can you run that command again, but replace 
> the '-v' with '-s'
>
> Rowland
>