• [6.9.0-RC1] SMB can't join AD


    MonoLoGu
    • Minor

    I am trying to join my Unraid box to my active directory infrastructure but it looks like it's failing.

    LOGS say the following:

    Dec 16 20:41:21 Backup sshd[13636]: Server listening on 0.0.0.0 port 22.
    Dec 16 20:41:21 Backup sshd[13636]: Server listening on :: port 22.
    Dec 16 20:41:22 Backup emhttpd: Stopping services...
    Dec 16 20:41:22 Backup unassigned.devices: Unmounting All Devices...
    Dec 16 20:41:22 Backup emhttpd: shcmd (74452): /etc/rc.d/rc.samba stop
    Dec 16 20:41:22 Backup nmbd[4385]: [2020/12/16 20:41:22.515224, 0] ../../source3/nmbd/nmbd.c:59(terminate)
    Dec 16 20:41:22 Backup nmbd[4385]: Got SIGTERM: going down...
    Dec 16 20:41:22 Backup emhttpd: shcmd (74453): rm -f /etc/avahi/services/smb.service
    Dec 16 20:41:22 Backup avahi-daemon[4116]: Files changed, reloading.
    Dec 16 20:41:22 Backup avahi-daemon[4116]: Service group file /services/smb.service vanished, removing services.
    Dec 16 20:41:22 Backup emhttpd: Starting services...
    Dec 16 20:41:22 Backup emhttpd: shcmd (74457): /etc/rc.d/rc.samba restart
    Dec 16 20:41:24 Backup root: Starting Samba: /usr/sbin/smbd -D
    Dec 16 20:41:25 Backup root: /usr/sbin/nmbd -D
    Dec 16 20:41:25 Backup smbd[13718]: [2020/12/16 20:41:25.006054, 0] ../../source3/auth/auth_util.c:1397(make_new_session_info_guest)
    Dec 16 20:41:25 Backup smbd[13718]: create_local_token failed: NT_STATUS_INVALID_PARAMETER_MIX
    Dec 16 20:41:25 Backup smbd[13718]: [2020/12/16 20:41:25.006113, 0] ../../source3/smbd/server.c:2042(main)
    Dec 16 20:41:25 Backup smbd[13718]: ERROR: failed to setup guest info.
    Dec 16 20:41:25 Backup root: /usr/sbin/wsdd
    Dec 16 20:41:25 Backup nmbd[13723]: [2020/12/16 20:41:25.021493, 0] ../../lib/util/become_daemon.c:135(daemon_ready)
    Dec 16 20:41:25 Backup nmbd[13723]: daemon_ready: daemon 'nmbd' finished starting up and ready to serve connections
    Dec 16 20:41:25 Backup root: /usr/sbin/winbindd -D
    Dec 16 20:41:25 Backup winbindd[13733]: [2020/12/16 20:41:25.071660, 0] ../../source3/winbindd/winbindd_cache.c:3203(initialize_winbindd_cache)
    Dec 16 20:41:25 Backup winbindd[13733]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Dec 16 20:41:25 Backup winbindd[13733]: [2020/12/16 20:41:25.072254, 0] ../../source3/winbindd/winbindd_util.c:1289(init_domain_list)
    Dec 16 20:41:25 Backup winbindd[13733]: Could not fetch our SID - did we join?
    Dec 16 20:41:25 Backup winbindd[13733]: [2020/12/16 20:41:25.072283, 0] ../../source3/winbindd/winbindd.c:1466(winbindd_register_handlers)
    Dec 16 20:41:25 Backup winbindd[13733]: unable to initialize domain list
    Dec 16 20:41:25 Backup avahi-daemon[4116]: Files changed, reloading.
    Dec 16 20:41:25 Backup avahi-daemon[4116]: Loading service file /services/smb.service.
    Dec 16 20:41:26 Backup avahi-daemon[4116]: Service "Backup-2" (/services/smb.service) successfully established.
    Dec 16 20:41:27 Backup nmbd[13723]: [2020/12/16 20:41:27.024754, 0] ../../source3/nmbd/nmbd_mynames.c:35(my_name_register_failed)
    Dec 16 20:41:27 Backup nmbd[13723]: my_name_register_failed: Failed to register my name BACKUP<20> on subnet 192.168.88.86.
    Dec 16 20:41:27 Backup nmbd[13723]: [2020/12/16 20:41:27.024836, 0] ../../source3/nmbd/nmbd_namelistdb.c:319(standard_fail_register)
    Dec 16 20:41:27 Backup nmbd[13723]: standard_fail_register: Failed to register/refresh name BACKUP<20> on subnet 192.168.88.86
    Dec 16 20:41:27 Backup nmbd[13723]: [2020/12/16 20:41:27.024932, 0] ../../source3/nmbd/nmbd_mynames.c:35(my_name_register_failed)
    Dec 16 20:41:27 Backup nmbd[13723]: my_name_register_failed: Failed to register my name BACKUP<00> on subnet 192.168.88.86.
    Dec 16 20:41:27 Backup nmbd[13723]: [2020/12/16 20:41:27.024975, 0] ../../source3/nmbd/nmbd_namelistdb.c:319(standard_fail_register)
    Dec 16 20:41:27 Backup nmbd[13723]: standard_fail_register: Failed to register/refresh name BACKUP<00> on subnet 192.168.88.86

    There is a similar post created for beta 25 and here is the output of the command from that post:

    testparm -sv >/boot/smb.txt
    # Global parameters
    [global]
    	abort shutdown script = 
    	add group script = 
    	additional dns hostnames = 
    	add machine script = 
    	addport command = 
    	addprinter command = 
    	add share command = 
    	add user script = 
    	add user to group script = 
    	afs token lifetime = 604800
    	afs username map = 
    	aio max threads = 100
    	algorithmic rid base = 1000
    	allow dcerpc auth level connect = No
    	allow dns updates = secure only
    	allow insecure wide links = No
    	allow nt4 crypto = No
    	allow trusted domains = Yes
    	allow unsafe cluster upgrade = No
    	apply group policies = No
    	async smb echo handler = No
    	auth event notification = No
    	auto services = 
    	binddns dir = /var/lib/samba/bind-dns
    	bind interfaces only = No
    	browse list = Yes
    	cache directory = /var/cache/samba
    	change notify = Yes
    	change share command = 
    	check password script = 
    	cldap port = 389
    	client ipc max protocol = default
    	client ipc min protocol = default
    	client ipc signing = default
    	client lanman auth = No
    	client ldap sasl wrapping = sign
    	client max protocol = default
    	client min protocol = SMB2_02
    	client NTLMv2 auth = Yes
    	client plaintext auth = No
    	client schannel = Yes
    	client signing = default
    	client use spnego principal = No
    	client use spnego = Yes
    	cluster addresses = 
    	clustering = No
    	config backend = file
    	config file = 
    	create krb5 conf = Yes
    	ctdbd socket = 
    	ctdb locktime warn threshold = 0
    	ctdb timeout = 0
    	cups connection timeout = 30
    	cups encrypt = No
    	cups server = 
    	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
    	deadtime = 10080
    	debug class = No
    	debug encryption = No
    	debug hires timestamp = Yes
    	debug pid = No
    	debug prefix timestamp = No
    	debug uid = No
    	dedicated keytab file = 
    	default service = 
    	defer sharing violations = Yes
    	delete group script = 
    	deleteprinter command = 
    	delete share command = 
    	delete user from group script = 
    	delete user script = 
    	dgram port = 138
    	disable netbios = No
    	disable spoolss = Yes
    	dns forwarder = 
    	dns proxy = Yes
    	dns update command = /usr/sbin/samba_dnsupdate
    	dns zone scavenging = No
    	domain logons = No
    	domain master = Auto
    	dos charset = CP850
    	dsdb event notification = No
    	dsdb group change notification = No
    	dsdb password event notification = No
    	enable asu support = No
    	enable core files = Yes
    	enable privileges = Yes
    	encrypt passwords = Yes
    	enhanced browsing = Yes
    	enumports command = 
    	eventlog list = 
    	get quota command = 
    	getwd cache = Yes
    	gpo update command = /usr/sbin/samba-gpupdate
    	guest account = nobody
    	homedir map = 
    	host msdfs = Yes
    	hostname lookups = No
    	idmap backend = tdb
    	idmap cache time = 604800
    	idmap gid = 
    	idmap negative cache time = 120
    	idmap uid = 
    	include system krb5 conf = Yes
    	init logon delay = 100
    	init logon delayed hosts = 
    	interfaces = 
    	iprint server = 
    	keepalive = 300
    	kerberos encryption types = all
    	kerberos method = default
    	kernel change notify = Yes
    	kpasswd port = 464
    	krb5 port = 88
    	lanman auth = No
    	large readwrite = Yes
    	ldap admin dn = 
    	ldap connection timeout = 2
    	ldap debug level = 0
    	ldap debug threshold = 10
    	ldap delete dn = No
    	ldap deref = auto
    	ldap follow referral = Auto
    	ldap group suffix = 
    	ldap idmap suffix = 
    	ldap machine suffix = 
    	ldap max anonymous request size = 256000
    	ldap max authenticated request size = 16777216
    	ldap max search request size = 256000
    	ldap page size = 1000
    	ldap passwd sync = no
    	ldap replication sleep = 1000
    	ldap server require strong auth = Yes
    	ldap ssl = no
    	ldap ssl ads = No
    	ldap suffix = 
    	ldap timeout = 15
    	ldap user suffix = 
    	lm announce = Auto
    	lm interval = 60
    	load printers = No
    	local master = Yes
    	lock directory = /var/cache/samba
    	lock spin time = 200
    	log file = 
    	logging = syslog@0
    	log level = 1
    	log nt token command = 
    	logon drive = 
    	logon home = \\%N\%U
    	logon path = \\%N\%U\profile
    	logon script = 
    	log writeable files on exit = No
    	lpq cache time = 30
    	lsa over netlogon = No
    	machine password timeout = 604800
    	mangle prefix = 1
    	mangling method = hash2
    	map to guest = Never
    	max disk size = 0
    	max log size = 5000
    	max mux = 50
    	max open files = 16424
    	max smbd processes = 0
    	max stat cache size = 512
    	max ttl = 259200
    	max wins ttl = 518400
    	max xmit = 16644
    	mdns name = netbios
    	message command = 
    	min receivefile size = 0
    	min wins ttl = 21600
    	mit kdc command = 
    	multicast dns register = No
    	name cache timeout = 660
    	name resolve order = lmhosts wins host bcast
    	nbt client socket address = 0.0.0.0
    	nbt port = 137
    	ncalrpc dir = /var/run/samba/ncalrpc
    	netbios aliases = 
    	netbios name = BACKUP
    	netbios scope = 
    	neutralize nt4 emulation = No
    	NIS homedir = No
    	nmbd bind explicit broadcast = Yes
    	nsupdate command = /usr/bin/nsupdate -g
    	ntlm auth = ntlmv1-permitted
    	nt pipe support = Yes
    	ntp signd socket directory = /var/lib/samba/ntp_signd
    	nt status support = Yes
    	null passwords = Yes
    	obey pam restrictions = No
    	old password allowed period = 60
    	oplock break wait time = 0
    	os2 driver map = 
    	os level = 100
    	pam password change = No
    	panic action = 
    	passdb backend = tdbsam
    	passdb expand explicit = No
    	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
    	passwd chat debug = No
    	passwd chat timeout = 2
    	passwd program = 
    	password hash gpg key ids = 
    	password hash userPassword schemes = 
    	password server = *
    	perfcount module = 
    	pid directory = /var/run
    	preferred master = Auto
    	prefork backoff increment = 10
    	prefork children = 4
    	prefork maximum backoff = 120
    	preload modules = 
    	printcap cache time = 750
    	printcap name = /dev/null
    	private dir = /var/lib/samba/private
    	raw NTLMv2 auth = No
    	read raw = Yes
    	realm = DC-CONTAB.ROOT
    	registry shares = No
    	reject md5 clients = No
    	reject md5 servers = No
    	remote announce = 
    	remote browse sync = 
    	rename user script = 
    	require strong key = Yes
    	reset on zero vc = No
    	restrict anonymous = 0
    	root directory = 
    	rpc big endian = No
    	rpc server dynamic port range = 49152-65535
    	rpc server port = 0
    	samba kcc command = /usr/sbin/samba_kcc
    	security = ADS
    	server max protocol = SMB3
    	server min protocol = NT1
    	server multi channel support = No
    	server role = auto
    	server schannel = Yes
    	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
    	server signing = default
    	server string = Backup Vault
    	set primary group script = 
    	set quota command = 
    	share backend = classic
    	show add printer wizard = No
    	shutdown script = 
    	smb2 leases = Yes
    	smb2 max credits = 8192
    	smb2 max read = 8388608
    	smb2 max trans = 8388608
    	smb2 max write = 8388608
    	smbd profiling level = off
    	smb passwd file = /var/lib/samba/private/smbpasswd
    	smb ports = 445 139
    	socket options = TCP_NODELAY
    	spn update command = /usr/sbin/samba_spnupdate
    	stat cache = Yes
    	state directory = /var/lib/samba
    	svcctl list = 
    	syslog = 1
    	syslog only = No
    	template homedir = /home/%D/%U
    	template shell = /bin/false
    	time server = No
    	timestamp logs = Yes
    	tls cafile = tls/ca.pem
    	tls certfile = tls/cert.pem
    	tls crlfile = 
    	tls dh params file = 
    	tls enabled = Yes
    	tls keyfile = tls/key.pem
    	tls priority = NORMAL:-VERS-SSL3.0
    	tls verify peer = as_strict_as_possible
    	unicode = Yes
    	unix charset = UTF-8
    	unix extensions = No
    	unix password sync = No
    	use mmap = Yes
    	username level = 0
    	username map = 
    	username map cache time = 0
    	username map script = 
    	usershare allow guests = No
    	usershare max shares = 0
    	usershare owner only = Yes
    	usershare path = /var/lib/samba/usershares
    	usershare prefix allow list = 
    	usershare prefix deny list = 
    	usershare template share = 
    	utmp = No
    	utmp directory = 
    	winbind cache time = 300
    	winbindd socket directory = /var/run/samba/winbindd
    	winbind enum groups = No
    	winbind enum users = No
    	winbind expand groups = 0
    	winbind max clients = 200
    	winbind max domain connections = 1
    	winbind nested groups = Yes
    	winbind normalize names = No
    	winbind nss info = template
    	winbind offline logon = No
    	winbind reconnect delay = 30
    	winbind refresh tickets = No
    	winbind request timeout = 60
    	winbind rpc only = No
    	winbind scan trusted domains = Yes
    	winbind sealed pipes = Yes
    	winbind separator = \
    	winbind use default domain = Yes
    	winbind use krb5 enterprise principals = No
    	wins hook = 
    	wins proxy = No
    	wins server = 
    	wins support = No
    	workgroup = DC-CONTAB
    	write raw = Yes
    	wtmp directory = 
    	idmap config * : range = 10000-4000000000
    	idmap config * : backend = hash
    	access based share enum = No
    	acl allow execute always = Yes
    	acl check permissions = Yes
    	acl group control = Yes
    	acl map full control = Yes
    	administrative share = No
    	admin users = 
    	afs share = No
    	aio read size = 0
    	aio write behind = 
    	aio write size = 0
    	allocation roundup size = 0
    	available = Yes
    	blocking locks = Yes
    	block size = 1024
    	browseable = Yes
    	case sensitive = Auto
    	check parent directory delete on close = No
    	comment = 
    	copy = 
    	create mask = 0744
    	csc policy = manual
    	cups options = 
    	default case = lower
    	default devmode = Yes
    	delete readonly = No
    	delete veto files = No
    	dfree cache time = 0
    	dfree command = 
    	directory mask = 0755
    	directory name cache size = 100
    	dmapi support = No
    	dont descend = 
    	dos filemode = Yes
    	dos filetime resolution = No
    	dos filetimes = Yes
    	durable handles = Yes
    	ea support = Yes
    	fake directory create times = No
    	fake oplocks = No
    	follow symlinks = Yes
    	force create mode = 0000
    	force directory mode = 0000
    	force group = 
    	force printername = No
    	force unknown acl user = No
    	force user = 
    	fstype = NTFS
    	guest ok = No
    	guest only = No
    	hide dot files = No
    	hide files = 
    	hide new files timeout = 0
    	hide special files = No
    	hide unreadable = No
    	hide unwriteable files = No
    	hosts allow = 
    	hosts deny = 
    	include = /etc/samba/smb-shares.conf
    	inherit acls = Yes
    	inherit owner = no
    	inherit permissions = Yes
    	invalid users = root
    	kernel oplocks = No
    	kernel share modes = Yes
    	level2 oplocks = Yes
    	locking = Yes
    	lppause command = 
    	lpq command = lpq -P'%p'
    	lpresume command = 
    	lprm command = lprm -P'%p' %j
    	magic output = 
    	magic script = 
    	mangled names = illegal
    	mangling char = ~
    	map acl inherit = Yes
    	map archive = No
    	map hidden = No
    	map readonly = no
    	map system = No
    	max connections = 0
    	max print jobs = 1000
    	max reported print jobs = 0
    	min print space = 0
    	msdfs proxy = 
    	msdfs root = No
    	msdfs shuffle referrals = No
    	nt acl support = Yes
    	ntvfs handler = unixuid, default
    	oplocks = Yes
    	path = 
    	posix locking = Yes
    	postexec = 
    	preexec = 
    	preexec close = No
    	preserve case = Yes
    	printable = No
    	print command = lpr -r -P'%p' %s
    	printer name = 
    	printing = bsd
    	printjob username = %U
    	print notify backchannel = No
    	queuepause command = 
    	queueresume command = 
    	read list = 
    	read only = Yes
    	root postexec = 
    	root preexec = 
    	root preexec close = No
    	short preserve case = Yes
    	smbd async dosmode = No
    	smbd getinfo ask sharemode = Yes
    	smbd max async dosmode = 0
    	smbd search ask sharemode = Yes
    	smb encrypt = default
    	spotlight = No
    	spotlight backend = noindex
    	store dos attributes = Yes
    	strict allocate = No
    	strict locking = Auto
    	strict rename = No
    	strict sync = Yes
    	sync always = No
    	use client driver = No
    	use sendfile = Yes
    	valid users = 
    	veto files = 
    	veto oplock files = 
    	vfs objects = 
    	volume = 
    	wide links = Yes
    	write list = 

    The output from the same command in the terminal is:
     

    root@Backup:~# testparm -sv >/boot/smb.txt
    
    Load smb config files from /etc/samba/smb.conf
    WARNING: The "null passwords" option is deprecated
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER

    I have also attached the diagnostics file.

    backup-diagnostics-20201216-2047.zip




    User Feedback

    Recommended Comments



    On 1/2/2021 at 4:59 AM, dsmith44 said:

    @jonp any clues on why we all have krb.conf (v4 if memory serves) instead of a krb5.conf in /etc?

    It's my bug. Prior to samba 4.12 or maybe 4.11 we didn't need to install kerberos at all since there are no Unraid "users" in the traditional sense that would use kerberos to authenticate logging into a remote server.  But somewhere the samba team integrated other components of kerberos which made including the package mandatory.  The /etc/krb5.conf file is super-simple however and I made a mistake by leaving the '5' off - doh!

    On 12/29/2020 at 3:39 PM, dsmith44 said:

    Ok, I've fixed this for me.

    Running a strace on the net ads join command it was referencing /var/cache/samba/smb_krb5/krb5.conf.SHORTDOMAIN in which there is the line

    include /etc/krb5.conf

    That file doesn't exist on my system, instead I have /etc/krb.conf.

    A symlink later and I can join the domain properly.

    I'm adding this to /boot/config/go for now

    # Fix missing /etc/krb5.conf
    if [ ! -f /etc/krb5.conf ] && [ -f /etc/krb.conf ]; then
        ln -s /etc/krb.conf /etc/krb5.conf
    fi

    Great detective work, saved me a lot of time, thank you!
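
    The check dsmith44 describes above, as an added shell example that is not part of the thread or of Unraid's own scripts: it scans generated krb5.conf files for include directives whose target is missing, then repeats the check after the symlink. The function names, the temporary sample tree and the EXAMPLE.TEST realm are constructed for illustration; on the system in the thread the directory to scan would be /var/cache/samba/smb_krb5.

```shell
#!/bin/sh
# Added example (not from the thread). Finds 'include'/'includedir' lines in
# krb5.conf* files whose target is absent, the condition dsmith44 traced.

# missing_krb5_includes DIR
# Prints "<conf file>: <missing target>" for each dangling directive.
# Returns 1 if any target is missing, 0 otherwise.
missing_krb5_includes() {
    dir=$1
    rc=0
    for conf in "$dir"/krb5.conf*; do
        [ -f "$conf" ] || continue          # unmatched glob or not a file
        while read -r keyword target _; do
            case $keyword in
                include)    [ -f "$target" ] && continue ;;
                includedir) [ -d "$target" ] && continue ;;
                *)          continue ;;     # any other krb5.conf line
            esac
            printf '%s: %s\n' "$conf" "$target"
            rc=1
        done < "$conf"
    done
    return "$rc"
}

# make_sample ROOT
# Builds a constructed tree mirroring the thread: the generated file includes
# ROOT/etc/krb5.conf, but only ROOT/etc/krb.conf exists. SHORTDOMAIN is the
# thread's own placeholder; the realm is a made-up sample value.
make_sample() {
    root=$1
    mkdir -p "$root/etc" "$root/smb_krb5"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.TEST\n' > "$root/etc/krb.conf"
    printf 'include %s/etc/krb5.conf\n' "$root" > "$root/smb_krb5/krb5.conf.SHORTDOMAIN"
}

# Demo on the constructed tree: report, apply the thread's symlink, re-check.
demo() {
    root=$(mktemp -d) || return 1
    make_sample "$root"
    missing_krb5_includes "$root/smb_krb5" || echo "-> include target missing"
    ln -s "$root/etc/krb.conf" "$root/etc/krb5.conf"
    missing_krb5_includes "$root/smb_krb5" && echo "-> all include targets present"
    rm -rf "$root"
}

demo
```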


