Samba as domain member - problem

Hello,
I'm struggling with FreeBSD and Samba as a domain member. It has taken 3 days of searching and reading, and nothing.
I have another machine with a Samba4 AD DC. Everything is OK and working perfectly: Windows machines connect to the domain, and Linux Mint and Debian too.
I'm trying to connect a FreeBSD machine to the same domain (testing DNS, pinging etc. works perfectly). Samba works fine, but when I set the security = ADS parameter, Samba goes down.
The kinit command works fine.

Info from the smbd log after setting the security = ADS parameter:
Code:
[2020/11/18 14:58:47.557571,  0] ../../source3/smbd/server.c:1784(main)
  smbd version 4.13.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2020
[2020/11/18 14:58:48.976053,  0] ../../source3/auth/auth_util.c:1403(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_INVALID_PARAMETER_MIX
[2020/11/18 14:58:48.994832,  0] ../../source3/smbd/server.c:2050(main)
  ERROR: failed to setup guest info.
[2020/11/18 15:00:13.642219,  0] ../../source3/smbd/server.c:1784(main)
  smbd version 4.13.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2020
[2020/11/18 15:00:13.968645,  0] ../../source3/auth/auth_util.c:1403(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_INVALID_PARAMETER_MIX
[2020/11/18 15:00:13.970111,  0] ../../source3/smbd/server.c:2050(main)
  ERROR: failed to setup guest info.

Info from the nmbd log after setting the security = ADS parameter:
Code:
[2020/11/18 14:58:47.061112,  0] ../../source3/nmbd/nmbd.c:960(main)
  nmbd version 4.13.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2020
[2020/11/18 14:58:47.082827,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'nmbd' finished starting up and ready to serve connections
[2020/11/18 14:59:11.106914,  0] ../../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****

  Samba name server FREEBSD is now a local master browser for workgroup XXX on subnet 192.168.1.9

  *****
[2020/11/18 15:00:12.893715,  0] ../../source3/nmbd/nmbd.c:59(terminate)
  Got SIGTERM: going down...
[2020/11/18 15:00:13.172491,  0] ../../source3/nmbd/nmbd.c:960(main)
  nmbd version 4.13.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2020
[2020/11/18 15:00:13.181203,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'nmbd' finished starting up and ready to serve connections
[2020/11/18 15:00:37.305872,  0] ../../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****

  Samba name server FREEBSD is now a local master browser for workgroup XXX on subnet 192.168.1.9

  *****
[2020/11/18 15:06:00.104433,  0] ../../source3/nmbd/nmbd_incomingdgrams.c:304(process_local_master_announce)
  process_local_master_announce: Server XXX-HOST at IP 192.168.1.2 is announcing itself as a local master browser for workgroup XXX and we think we are master. Forcing election.
[2020/11/18 15:06:00.105012,  0] ../../source3/nmbd/nmbd_become_lmb.c:150(unbecome_local_master_success)
  *****

  Samba name server FREEBSD has stopped being a local master browser for workgroup XXX on subnet 192.168.1.9

  *****
[2020/11/18 15:06:19.005770,  0] ../../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****


I tried the samba410, samba411, samba412 and samba413 ports (FreeBSD 12.2, FreeBSD 11.4) - the same problem.
Is it a bug or something?

Parameters like local master = no and others give no results.

Does someone have the solution?
I'm sorry for my english.
Thank you.
 
The link below can help to start all Samba services, but I still have the problem:

Failed to join domain: failed to find DC for domain ads - The object was not found.


Link: https://kiskeyix.org/articles/409


Samba PANIC: Could not fetch our SID - did we join?

From the solving-mysteries dept., by Luis

Got WINS in your domain but your winbindd stopped working on your Samba workstation? In order to fix this you need two things done:

Edit /etc/samba/smb.conf and make sure that you have the following in your [global] section:

idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false

Make sure that those IDs are not used by your own system (hint: getent passwd)

Get your domain SID in secrets.tdb:

sudo net rpc getsid

Edit /etc/nsswitch.conf and add wins to do host lookups.

hosts: files dns wins

I'm amazed that nobody actually solved this mystery before.
 
Unfortunately, in my case the command:

net ads join dc.xxx.local -U administrator

doesn't work - maybe someone can explain to me why; DNS works fine ...?

Instead of the command above I used this:

net ads join -S dc.xxx.local -U administrator

and finally it seems to work ...

Below is my config file:

smb4.conf


[global]

workgroup = XXX
password server = *
realm = XXX.LOCAL
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = true
idmap_ldb:use rfc2307 = yes

log file = /var/log/samba4/log.%m
max log size = 50

passdb backend = tdbsam

load printers = yes
cups options = raw


Also, maybe I found a bug, or maybe I don't know about something, but the file
/var/db/samba4/bind-dns/named.conf is not correct - the missing part is marked below:

dlz "AD DNS Zone" {

# For BIND 9.16.x
database "dlopen /usr/local/lib/samba4/modules/bind9/dlz_bind9_16.so";

};
 
Hi,
For testing I made 2 FreeBSD virtual machines.

One is the Active Directory domain controller and the second should be a domain member, but in my case it is not possible to join this machine as a domain member and make it work.
What is very important: Windows machines can join the domain, I see shared files etc.

Domain name: ipro.lan

# nslookup 192.168.1.4

4.1.168.192.in-addr.arpa name = ipro.lan.
4.1.168.192.in-addr.arpa name = ns.ipro.lan.

----


# nslookup ipro.lan
Server: 192.168.1.4
Address: 192.168.1.4#53

Name: ipro.lan
Address: 192.168.1.4

----

# dig 192.168.1.4

; <<>> DiG 9.16.8 <<>> 192.168.1.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44775
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9bf9fd3816d84a97010000005fbe935c871c3e4d185cd9bb (good)
;; QUESTION SECTION:
;192.168.1.4. IN A

;; AUTHORITY SECTION:
. 9576 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020112500 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Wed Nov 25 18:24:44 CET 2020
;; MSG SIZE rcvd: 143

---

# dig ipro.lan

; <<>> DiG 9.16.8 <<>> ipro.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65081
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c2d33513b4487cc1010000005fbe9392e37caaf37fd4f1b1 (good)
;; QUESTION SECTION:
;ipro.lan. IN A

;; ANSWER SECTION:
ipro.lan. 900 IN A 192.168.1.4

;; Query time: 1 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Wed Nov 25 18:25:38 CET 2020
;; MSG SIZE rcvd: 81

---

smb4.conf (domain member machine)

[global]
workgroup = IPRO
server string = Samba Server Version %v
security = ads
realm = IPRO.LAN
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config IPRO : backend = rid
idmap config IPRO : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/false

client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba4/log.%m
max log size = 50

Message after the net join command:
net join ads -U administrator
Enter administrator's password:
Failed to join domain: failed to find DC for domain ads - The object was not found.
ADS join did not work, falling back to RPC...
Enter administrator's password:

kinit works on both machines, pings work nicely.

AD DC machine is set to work with BIND9_DLZ

I can't find a proper guide on how to set it up. I have tried everything, I think.

I need your help. Thank you.
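An added example, not code from the posts or from the Samba project, covering the join problem in the second and third posts (and the order of operations behind the first one, where smbd was started with security = ADS before any join had been done). The tell-tale is the error text itself: "failed to find DC for domain ads". `net join` and `net ads join` treat a bare word after `join` as the name of the domain to join, so `net join ads` asks for a domain called "ads" and `net ads join dc.xxx.local` asks for a domain called "dc.xxx.local"; the `-S dc.xxx.local` form worked because the DC is then an option and the domain comes from smb4.conf. The script below validates the member's [global] settings (security, realm, workgroup, idmap ranges), checks that nsswitch.conf consults winbind, composes the join command, and lists the network pre-flight and post-join checks. The smb4.conf it parses is constructed inline and modelled on the thread's member config; the paths assume the FreeBSD samba4xx port (/usr/local/etc/smb4.conf) and `dig` from bind-tools, and the realm and DC names are made up.

```shell
#!/bin/sh
# Added example for this thread (not from the posts or from Samba): pre-join
# checks for a Samba AD member on FreeBSD. Assumes the samba4xx port layout
# (/usr/local/etc/smb4.conf, net/wbinfo in /usr/local/bin) and `dig` from
# bind-tools. Realm IPRO.LAN and host dc.ipro.lan are made-up names.

# Print the value of KEY from the [global] section of CONF. The key match is
# case- and whitespace-insensitive, so "security = ADS" and
# "idmap config * : backend = tdb" both resolve; # and ; comment lines are skipped.
smbconf_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == want) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Check the [global] settings a member needs before `net ads join`. Prints one
# FAIL/WARN line per finding; returns 0 only when nothing FAILed.
check_member_conf() {
    conf=$1; rc=0
    sec=$(smbconf_get "$conf" security | tr 'A-Z' 'a-z')
    realm=$(smbconf_get "$conf" realm)
    wg=$(smbconf_get "$conf" workgroup)
    if [ "$sec" != "ads" ]; then
        echo "FAIL: security must be 'ads' for an AD member (got '${sec:-unset}')"; rc=1
    fi
    case "$realm" in
        "")  echo "FAIL: realm is not set"; rc=1 ;;
        *.*) if [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
                 echo "FAIL: Kerberos realms are case-sensitive; AD realms are upper case (got '$realm')"; rc=1
             fi ;;
        *)   echo "FAIL: realm '$realm' is not a DNS domain name"; rc=1 ;;
    esac
    if [ -z "$wg" ]; then
        echo "FAIL: workgroup (the NetBIOS domain name) is not set"; rc=1
    elif [ -z "$(smbconf_get "$conf" "idmap config $wg : backend")" ]; then
        echo "WARN: no 'idmap config $wg : backend'; domain users fall into the '*' range"
    fi
    if [ -z "$(smbconf_get "$conf" "idmap config * : backend")" ]; then
        echo "WARN: no 'idmap config * : backend'; prefer it over the old 'idmap uid/gid' lines"
    fi
    return $rc
}

# /etc/nsswitch.conf must list winbind for passwd and group, or domain users
# never appear to the OS even after a successful join. Returns 0 when both do.
nsswitch_has_winbind() {
    awk '/^[ \t]*(passwd|group):/ && /winbind/ { n++ } END { exit (n == 2) ? 0 : 1 }' "$1"
}

# Compose the join command. A bare word after `join` is taken as the DOMAIN to
# join: `net join ads` asks for a domain called "ads", and `net ads join
# dc.xxx.local` asks for a domain called dc.xxx.local. Name a specific DC with
# -S; the domain itself is read from realm/workgroup in smb4.conf.
join_cmd() {
    user=$1; dc=$2
    if [ -n "$dc" ]; then
        echo "net ads join -S $dc -U $user"
    else
        echo "net ads join -U $user"
    fi
}

# Network checks to run on the member (needs the DC; not run in the demo): the
# SRV records the join resolves, a ticket for the join account, and the clock,
# since Kerberos rejects more than a few minutes of skew against the DC.
preflight() {
    realm=$1; lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    dig +short SRV "_ldap._tcp.dc._msdcs.$lower"
    dig +short SRV "_kerberos._tcp.$lower"
    kinit "administrator@$realm" && klist
    date -u
}

# After the join, with winbindd running: machine account, trust secret, users.
postjoin() {
    net ads testjoin && wbinfo -t && wbinfo -u
}

# Constructed member config modelled on the thread's smb4.conf (sample input,
# not the poster's file). The real path on FreeBSD is /usr/local/etc/smb4.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = IPRO
    realm = IPRO.LAN
    security = ads
    ; winbind needs a catch-all '*' range plus one for the domain
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config IPRO : backend = rid
    idmap config IPRO : range = 10000-99999
    winbind use default domain = yes
    template shell = /bin/sh
EOF
}

demo=$(mktemp) || exit 1
write_sample_conf "$demo"
if check_member_conf "$demo"; then
    echo "config OK; join with: $(join_cmd administrator dc.ipro.lan)"
fi
rm -f "$demo"
```

On the real box the order is: fix the config until `check_member_conf` is clean, run `preflight IPRO.LAN` and confirm the SRV answers point at the DC, run the printed `net ads join` line, then start winbindd and smbd and run `postjoin`. Note also that `dig 192.168.1.4` looks up a hostname literally called "192.168.1.4" (hence NXDOMAIN); a reverse lookup is `dig -x 192.168.1.4`.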
 
Don't open multiple threads about the same problem please.

Threads merged.
 
OK. I give up. Don't waste your time. Samba is broken on FreeBSD.
It's impossible to set it up right.


 