On 5/19/2024 3:50 PM, Rowland Penny via samba wrote:
> On Sun, 19 May 2024 15:26:03 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
>> I've successfully joined several Linux hosts as Domain Members thus
>> far; except for this one particular host that seems to fail in a
>> different way each time I try -- I've even scratch-installed this
>> host from installation DVD.
>>
>> All the tests listed in
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> work. My latest attempt is as follows:
>>
>> # net ads join -U administrator
>> Password for [HPRS\administrator]:
>> ldb: unable to dlopen /usr/lib64/ldb/local_password.so :
>> /usr/lib64/libsamdb-common-samba4.so: version `SAMBA_4.6.16' not
>> found (required by /usr/lib64/ldb/local_password.so)
>> ldb: unable to dlopen /usr/lib64/ldb/simple_dn.so :
>> /usr/lib64/libdsdb-module-samba4.so: version `SAMBA_4.6.16' not found
>> (required by /usr/lib64/ldb/simple_dn.so)
>> ldb: unable to dlopen /usr/lib64/ldb/simple_ldap_map.so :
>> /usr/lib64/libsamdb-common-samba4.so: version `SAMBA_4.6.16' not
>> found (required by /usr/lib64/ldb/simple_ldap_map.so)
>> Using short domain name -- HPRS
>> Joined 'WEBSERVER' to dns domain 'hprs.local'
>> DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> # samba --version
>> Version 4.18.9
>>
>> A couple of points of interest: neither the Domain Controller nor the
>> other Linux Domain Member on this LAN have the file
>> /usr/lib64/ldb/local_password.so. On this problem child, that file is
>> dated 11/28/2018. Two other files in that directory have the same
>> date: simple_dn.so and simple_ldap_map.so. All the rest of the files
>> in that directory have the same dates as the Domain Controller and
>> the other Domain Member, 11/30/2023.
>>
>> My current Samba Version on all three of these computers is 4.18.9.
>> The old samba version before upgrading was 4.6.16 -- the very version
>> listed above as "SAMBA_4.16.16" not found.
>>
>> Before I do something stupid, I want to bounce a thought off the
>> sambaList experts. I'm theorizing that the previous version of Samba
>> (4.6.16) was not completely removed and left some files (like
>> local_password.so) laying around.
>>
>> My proposed solution is to completely uninstall Samba and any and all
>> vestiges thereof, and reinstall from scratch.
>>
>> Does that sound reasonable, or could I just delete these 3 old files
>> and try again? Note that this host works fine doing samba shares.
>>
>> Thanks --Mark
> I haven't seen this for a few years, either your upgrade hasn't
> upgraded everything or the upgrade hasn't removed files that it
> should. Either way, I would backup any data you need from the computer
> and then blow it away and start afresh.
>
> Rowland

OK, I'm going to try baby-steps working back to a wipe/reinstall if
necessary. First, I removed the three old 2018 files: local_password.so,
simple_dn.so and simple_ldap_map.so. Then I attempted to re-join the
domain. I got:

# net ads join -U administrator
Password for [HPRS\administrator]:
Using short domain name -- HPRS
Joined 'WEBSERVER' to dns domain 'hprs.local'
DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

I'm guessing (hoping) the DNS errors were because WEBSERVER already had
an A record configured. I did the following to verify there was an A
record:

# samba-tool dns query mail.hprs.local hprs.local webserver.hprs.local A -Uadministrator
  Name=, Records=1, Children=0
    A: 192.168.0.3 (flags=f0, serial=119, ttl=900)

Which looks like it worked. I further verified that WEBSERVER was a
domain member (on the DC):

# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectclass=computer)' dn
# record 13
dn: CN=WEBSERVER,CN=Computers,DC=hprs,DC=local

So, I *think* the join worked. I now have the following smb.conf, adding
a share (xfer):

[global]
        max log size = 10000
        realm = HPRS.LOCAL
        security = ADS
        server role = member server
        server string = HPRS WEBSERVER server
        template homedir = /home/%U
        template shell = /bin/bash
        workgroup = HPRS
        idmap config hprs : range = 10000-999999
        idmap config hprs : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb

        vfs objects = acl_xattr
        map acl inherit = yes

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[xfer]
        path = /home/ohprs/xfer
        public = yes
        readonly = no
        locking = yes
        printable = no
        create mask = 0660
        directory mask = 0771

I updated nsswitch.conf to add winbind to passwd: and group: then fired
up smbd, nmbd and winbindd -- and it worked! I can map the xfer share
from Windows which silently uses domain credentials. I added several
more shares and was able to map them all! I may have to tweak
permissions somewhere, but that should be a minor problem.

Thus far it seems that simply removing those old files did the trick
without having to uninstall/reinstall Samba, or wipe/install the whole
system. I'll keep my fingers crossed on this one.

Thanks --Mark

Rowland Penny
2024-May-20 08:40 UTC
[Samba] Joining Linux Domain Member to Samba DC, issues
On Mon, 20 May 2024 00:07:38 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> OK, I'm going to try baby-steps working back to a wipe/reinstall if
> necessary. First, I removed the three old 2018 files:
> local_password.so, simple_dn.so and simple_ldap_map.so. Then I
> attempted to re-join the domain. I got:
>
> # net ads join -U administrator
> Password for [HPRS\administrator]:
> Using short domain name -- HPRS
> Joined 'WEBSERVER' to dns domain 'hprs.local'
> DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> I'm guessing (hoping) the DNS errors were because WEBSERVER already
> had an A record configured. I did the following to verify there was an
> A record:
>
> # samba-tool dns query mail.hprs.local hprs.local
> webserver.hprs.local A -Uadministrator
>   Name=, Records=1, Children=0
>     A: 192.168.0.3 (flags=f0, serial=119, ttl=900)
>
> Which looks like it worked. I further verified that WEBSERVER was a
> domain member (on the DC):
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb
> '(objectclass=computer)' dn # record 13
> dn: CN=WEBSERVER,CN=Computers,DC=hprs,DC=local
>
> So, I *think* the join worked. I now have the following smb.conf,
> adding a share (xfer):
>
> [global]
>         max log size = 10000
>         realm = HPRS.LOCAL
>         security = ADS
>         server role = member server
>         server string = HPRS WEBSERVER server
>         template homedir = /home/%U
>         template shell = /bin/bash
>         workgroup = HPRS
>         idmap config hprs : range = 10000-999999
>         idmap config hprs : backend = rid
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
> [xfer]
>         path = /home/ohprs/xfer
>         public = yes
>         readonly = no
>         locking = yes
>         printable = no
>         create mask = 0660
>         directory mask = 0771
>
> I updated nsswitch.conf to add winbind to passwd: and group: then
> fired up smbd, nmbd and winbindd -- and it worked! I can map the xfer
> share from Windows which silently uses domain credentials. I added
> several more shares and was able to map them all! I may have to tweak
> permissions somewhere, but that should be a minor problem.
>
> Thus far it seems that simply removing those old files did the trick
> without having to uninstall/reinstall Samba, or wipe/install the
> whole system. I'll keep my fingers crossed on this one.
>
> Thanks --Mark
>

Yes, that will work, provided you know what files to remove, it is
easier to start with a new install if you don't know what to remove.

Let's take a walk through your share:

[xfer]
        path = /home/ohprs/xfer
        public = yes

Why 'public' ?
A) this is an AD domain and all your users should be known.
B) You haven't set 'map to guest = bad user' in global, so it will be
ignored.

        readonly = no
        locking = yes # default
        printable = no # default

'locking' & 'printable' are set to the defaults, so are not really
required.

        create mask = 0660
        directory mask = 0771

You will be a lot better off setting the permissions from Windows,
rather than getting Samba to do it for you.

Rowland
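
Added example, not part of either message in this thread: a small shell filter that reads `net ads join` output like the one quoted above and lists the ldb modules that asked for a different Samba release than the installed one. The function names are hypothetical, and the sample input is constructed from the quoted output with the mail-wrapped lines joined back together.

```shell
#!/bin/sh
# Added example: find ldb modules left behind by an older Samba install,
# using the dlopen errors that `net ads join` printed.

# Constructed sample: the join output from this thread, one message per line.
sample_join_output() {
cat <<'EOF'
ldb: unable to dlopen /usr/lib64/ldb/local_password.so : /usr/lib64/libsamdb-common-samba4.so: version `SAMBA_4.6.16' not found (required by /usr/lib64/ldb/local_password.so)
ldb: unable to dlopen /usr/lib64/ldb/simple_dn.so : /usr/lib64/libdsdb-module-samba4.so: version `SAMBA_4.6.16' not found (required by /usr/lib64/ldb/simple_dn.so)
ldb: unable to dlopen /usr/lib64/ldb/simple_ldap_map.so : /usr/lib64/libsamdb-common-samba4.so: version `SAMBA_4.6.16' not found (required by /usr/lib64/ldb/simple_ldap_map.so)
Using short domain name -- HPRS
Joined 'WEBSERVER' to dns domain 'hprs.local'
EOF
}

# installed_version: reads `samba --version` output, prints e.g. 4.18.9
installed_version() {
    sed -n 's/^Version \([0-9.]*\).*/\1/p'
}

# stale_ldb_modules INSTALLED_VERSION   (tool output on stdin)
# Prints "<module path> <symbol version it wants>" for each module that
# failed to load because it wants a release other than the installed one.
stale_ldb_modules() {
    installed="SAMBA_$1"
    # The two lone dots match the ` and ' that surround the version tag.
    sed -n 's/^ldb: unable to dlopen \([^ ]*\) : .*version .\(SAMBA_[0-9.]*\). not found.*/\1 \2/p' |
    while read -r module wanted; do
        if [ "$wanted" != "$installed" ]; then
            printf '%s %s\n' "$module" "$wanted"
        fi
    done
}

# Demo on the constructed sample; the host in the thread reports 4.18.9.
ver=$(printf 'Version 4.18.9\n' | installed_version)
sample_join_output | stale_ldb_modules "$ver"
```

On a live host the same filter can be fed the saved output of the join command and the real `samba --version`; each path it prints is a candidate to check against the package database before removal.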