Ivan Lopez
2023-May-31 15:44 UTC
[Samba] samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain
Hi, Rowland. Thanks for your answer. There is the result of testparm -s in Ubuntu 20. I've sent the result of testparm -v because I thought that some default could have changed between versions.

#sudo testparm -s
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    client ipc min protocol = NT1
    client min protocol = NT1
    client max protocol = NT1
    dns proxy = No
    log file = /var/log/samba/log.%m
    map to guest = Bad User
    max log size = 1000
    obey pam restrictions = Yes
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    realm = OUR.REALM
    security = ADS
    server role = standalone server
    server string = %h server (Samba, Ubuntu)
    syslog = 0
    template shell = /bin/bash
    unix password sync = Yes
    usershare allow guests = Yes
    winbind use default domain = Yes
    workgroup = OUR
    idmap config our : range = 16777220-33554431
    idmap config our : backend = rid
    idmap config * : range = 5000-16777200
    idmap config * : backend = tdb

[printers]
    browseable = No
    comment = All Printers
    create mask = 0700
    path = /var/spool/samba
    printable = Yes

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

Thanks.
Iván

On 31/5/23 at 11:13, Rowland Penny via samba wrote:
>
>
> On 31/05/2023 14:40, Ivan Lopez via samba wrote:
>> Hi, people. How are you? I hope you are very well
>>
>> Could you help us, please? We've a problem with
>> Ubuntu+samba+winbindd joining an old Windows 2000 Active Directory
>> domain (we are testing migrate our domain to SAMBA4 but, for now, we
>> must continue using the current domain).
>>
>> We have no problems joining Ubuntu 18 and, in the past, we've joined
>> Ubuntu 20 PCs. It seems to be some update in libraries or packages
>> involved in interactions winbindd/samba-Windows 2000 AD has broken
>> something in our environment and now, join an updated Ubuntu 20 can't
>> be done. We can install ubuntu 18, join the PC to domain and then,
>> update to Ubuntu 20 but is a pain because we are planning go to
>> ubuntu 22.
>>
>> *In the PC (ubuntu 20) we are trying to join:*
>>
>> a) Result of net ads:
>>
>> sudo net ads join -U Administrador
>> [sudo] contraseña para sistemas:
>> Password for [OUR\Administrador]:
>> ads_print_error: AD LDAP ERROR: 53 (Server is unwilling to perform):
>> 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0
>>
>> connect_to_domain_password_server: unable to open the domain client
>> session to machine mailsrv.OUR.REALM. Flags[0x00000000] Error was :
>> NT_STATUS_ACCESS_DENIED.
>> Failed to join domain: failed to verify domain membership after
>> joining: {Access Denied} A process has requested access to an object
>> but has not been granted those access rights.
>>
>> c) After that, winbindd can't be started. In winbind logs:
>>
>> [2023/05/31 08:51:46.501656,  0]
>> ../../source3/winbindd/winbindd.c:1722(main)
>>   winbindd version 4.15.13-Ubuntu started.
>>   Copyright Andrew Tridgell and the Samba Team 1992-2021
>> [2023/05/31 08:51:46.505271,  0]
>> ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
>>   initialize_winbindd_cache: clearing cache and re-creating with
>> version number 2
>> [2023/05/31 08:51:46.507658,  0]
>> ../../source3/winbindd/winbindd_util.c:1376(init_domain_list)
>>   Could not fetch our SID - did we join?
>> [2023/05/31 08:51:46.507681,  0]
>> ../../source3/winbindd/winbindd.c:1460(winbindd_register_handlers)
>>   unable to initialize domain list
>>
>> b) Result of testparm -v:
>
> Before we go any further, can you run that command again, but replace
> the '-v' with '-s'
>
> Rowland
>
Rowland Penny
2023-May-31 16:16 UTC
[Samba] samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain
On 31/05/2023 16:44, Ivan Lopez via samba wrote:
> Hi, Rowland. Thanks for your answer. There is the result of testparm -s
> in Ubuntu 20. I've sent the result of testparm -v because I thought that
> some default could have changed between versions.

There may have been changes between versions, but it is what you are running now that counts, your very long smb.conf was off-putting to say the least.

>
> #sudo testparm -s
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>     client ipc min protocol = NT1
>
>     client min protocol = NT1
>
>     client max protocol = NT1
>     dns proxy = No
>     log file = /var/log/samba/log.%m
>     map to guest = Bad User
>     max log size = 1000
>     obey pam restrictions = Yes
>     pam password change = Yes
>     panic action = /usr/share/samba/panic-action %d
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     realm = OUR.REALM
>     security = ADS
>     server role = standalone server

I would remove that, it isn't a standalone server.

>     server string = %h server (Samba, Ubuntu)
>     syslog = 0
>     template shell = /bin/bash
>     unix password sync = Yes

You do need to remove that, you do not sync local users to domain users, you map domain users to be Unix users.

>     usershare allow guests = Yes
>     winbind use default domain = Yes
>     workgroup = OUR
>     idmap config our : range = 16777220-33554431
>     idmap config our : backend = rid
>     idmap config * : range = 5000-16777200
>     idmap config * : backend = tdb

Why do you use such a large range for the default '*' domain, over 16 million for something that is meant for the Well Known SIDs (there are less than 200 of them) and anything outside the 'OUR' domain (there will be very few, if any of those)?

Between 4.7.0 and 4.15.0 a few parameters changed defaults, these may be relevant, these are the defaults on 4.15.x:

    lanman auth = no
    client plaintext auth = no
    client NTLMv2 auth = yes
    client lanman auth = no

You may need to add these, with the value set to the opposite, i.e. 'lanman auth = yes'

Rowland
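
The checks raised in the reply above, written as a small linter over `testparm -s` output, which prints booleans as Yes/No. This is an added example, not part of the original thread or of Samba; the function names and the 100,000-ID threshold for the '*' range are assumptions, and the sample input is constructed from settings quoted in the thread with `lanman auth = Yes` added.

```python
import re

# Constructed sample: settings quoted in the thread, plus one of the
# legacy-auth overrides the reply says may be needed for Windows 2000.
SAMPLE = """\
[global]
    security = ADS
    server role = standalone server
    unix password sync = Yes
    lanman auth = Yes
    idmap config our : range = 16777220-33554431
    idmap config * : range = 5000-16777200
"""

# Samba 4.15.x defaults as listed in the reply.
AUTH_DEFAULTS = {"lanman auth": "no", "client plaintext auth": "no",
                 "client ntlmv2 auth": "yes", "client lanman auth": "no"}

def parse_global(text):
    """Return the [global] parameters as {lowercased key: value}."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(.+)\]", line):
            section = m.group(1).lower()
        elif section == "global" and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text, max_default_ids=100_000):
    """Flag the settings questioned in the reply (threshold is an assumption)."""
    p, findings = parse_global(text), []
    if p.get("security", "").lower() == "ads":
        if p.get("server role", "auto").lower() == "standalone server":
            findings.append("server role contradicts security = ADS")
        if p.get("unix password sync", "no").lower() == "yes":
            findings.append("unix password sync set on a domain member")
    for key, value in p.items():
        if m := re.fullmatch(r"idmap config (.+?) ?: ?range", key):
            low, high = (int(n) for n in value.split("-"))
            if m.group(1) == "*" and high - low + 1 > max_default_ids:
                findings.append("idmap '*' range is oversized")
    for key, default in AUTH_DEFAULTS.items():
        if p.get(key, default).lower() != default:
            findings.append(f"{key} changed from 4.15 default '{default}'")
    return findings
```

Feeding it the real output of `testparm -s` before and after a change gives a quick record of which legacy authentication settings a host carries while the Windows 2000 domain is still in use.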