VSI OpenVMS SAMBA Joining to windows 2022 AD Domain


Post by e-man » Fri May 03, 2024 9:54 am

Hi All,

Just wondering if anyone has tried joining VSI OpenVMS to a Windows Samba domain?
I am currently running OpenVMS V9.2-2 on a VMware Pro Workstation server VM and trying to join this VM to my Windows 2022 AD Samba domain using X86VMS-SAMBA-V0410-16D-1.

I run the sambaconf on my OpenVMS VM and it appears to be joining the domain, but at the end the last line spits out an “unable to join domain” error. When I check Windows AD Users and Computers, I can see that the VMS VM has been added to the Computers OU in the AD.

However, I cannot map to the “Public” shares which are configured in the Samba SMB.conf; the shares are wide open to everyone. I can see that the Windows AD account Samba user (for the Windows user account I tried to map to public shares on the VMS server) has been auto-created in OpenVMS, which is what I set in SMBCONF, so this part works.

It seems that it’s partially set up correctly and I'm just trying to figure out what is wrong.

Here is my OpenVMS samba testparm output (took out my real domain & servernames)…

# Global parameters
[global]
client min protocol = NT1
dedicated keytab file = /samba$root/lib/krb5.keytab
domain master = No
kerberos method = dedicated keytab
load printers = No
local master = No
log file = /samba$root/var/%h_%m.log
map to guest = Bad Uid
max smbd processes = 50
name resolve order = wins lmhosts host bcast
password server = mydc1 mydc2 mydc3
preferred master = No
realm = mydomain.com
restrict anonymous = 2
security = ADS
server role = member server
server signing = if_required
server string = Samba %v running on %h (OpenVMS)
username map = /samba$root/lib/username.map
vms kdc port = 88
vms path allow = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind use default domain = Yes
wins server = 192.168.1.99 192.168.1.98 192.168.1.97 192.168.2.99
workgroup = myworkgroup
idmap config * : read only = no
idmap config * : range = 5000-6000
idmap config * : backend = tdb
admin users = smbadmin
print command = /DELETE/PASSALL
vfs objects = varvfc


[homes]
browseable = No
comment = Users homes share
read only = No


[public]
admin users = administrators "mydomain\domain admins"
comment = Public Share on vms87
guest ok = Yes
inherit owner = windows and unix
path = [000000.shares.public]
read only = No
store dos attributes = Yes
vms rms format = stream


[public2]
admin users = "my domain\Domain Admins"
comment = Pulbic Share 2
guest ok = Yes
inherit owner = windows and unix
path = [000000.shares.public2]
read only = No
vms rms format = stream


[public3]
admin users = administrators "my domain\domain admins"
comment = Public Share on OpenVms vms87
guest ok = Yes
path = [000000.samba.shares.public3]
read only = No
store dos attributes = Yes
vms rms format = stream



Any suggestions would be much appreciated.

Thanks,

E
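
An audit of the security-relevant settings in the testparm output quoted above, as an added example that is not part of the original post or of the Samba/VSI code. The function names and finding texts are hypothetical, the sample is a trimmed, constructed copy of the posted settings, and it assumes testparm's canonical parameter names.

```python
import re

# Constructed sample: a trimmed copy of the testparm output quoted in the post.
TESTPARM_SAMPLE = """\
[global]
client min protocol = NT1
server signing = if_required
[homes]
read only = No
[public]
admin users = administrators "mydomain\\domain admins"
guest ok = Yes
path = [000000.shares.public]
read only = No
"""

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
SIGNING_ENFORCED = {"mandatory", "required", "force", "forced", "enforced"}

def parse_testparm(text):
    # Returns {section: {parameter: value}}; names are lower-cased.
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).lower(), {})
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(conf):
    # Returns (section, finding) pairs; an explicit setting is needed to flag.
    out, g = [], conf.get("global", {})
    if g.get("client min protocol", "").upper() in SMB1_DIALECTS:
        out.append(("global", "client side may negotiate SMB1"))
    if "server signing" in g and g["server signing"].lower() not in SIGNING_ENFORCED:
        out.append(("global", "SMB signing is not enforced"))
    for name, share in conf.items():
        if name == "global" or not yes(share.get("guest ok", "no")):
            continue
        if not yes(share.get("read only", "yes")):
            out.append((name, "guest account can write"))
        if "admin users" in share:
            out.append((name, "admin users set on a guest-accessible share"))
    return out
```

Run `audit(parse_testparm(...))` over the full testparm output to get the same checks for every share; `[homes]` is not flagged because it does not set `guest ok`.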



Post by e-man » Sun Jun 02, 2024 9:02 am

I'm still battling to get this to work...

The Error is a Windows AD LDAP error ...

ads_print error: AD LDAP Error: 53 (server is unwilling to perform): 0000001F: SvcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM), data 0


I have tried several fixes from whitepapers for Windows AD DC for "AD LDAP Error: 53 (server is unwilling to perform): 0000001F:"

and still no joy.

I will keep hunting around for a fix.

thanks,

E




Post by paul.nunez » Mon Jun 03, 2024 9:32 am

Hi E. Once the machine/computer account gets created/exists, the NET JOIN command uses LDAP to (re)set the password on the computer account. The LDAP error suggests this password reset attempt is being done over an insecure session which LDAP (on Windows) does not allow. Just not sure how this might occur. Maybe the Windows account used when joining the domain is not sufficiently privileged??

I'd be happy to look at a network trace if you post it:

$ @sys$startup:tcpip$define_commands
$ tcpdump -s0 -w join.cap host <ip-address-of-"mydc1">

Then in another interactive session:

$ net ads join --user <windows-username> --server "mydc1"

After the error occurs, stop the trace using Ctrl/C and post the join.cap file.

Regards,

Paul
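
A parser for the AD LDAP error text quoted earlier in the thread, as an added example that is not part of any post or of Samba itself. It assumes output wrapped by an 80-column terminal, which cuts the first line after 80 characters, in the middle of "SvcErr"; the function names are hypothetical and only codes whose meaning is certain are named.

```python
import re

# Constructed sample: the error text from the thread, wrapped at 80 columns.
WRAPPED_ERROR = (
    "ads_print error: AD LDAP Error: 53 (server is unwilling to perform): 0000001F: S\n"
    "vcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM), data 0\n"
)

# Only codes whose meaning is certain are named; others come back as "unknown".
LDAP_RESULT_NAMES = {53: "unwillingToPerform"}   # RFC 4511 resultCode
WIN32_ERROR_NAMES = {0x1F: "ERROR_GEN_FAILURE"}  # leading hex field of the AD text

AD_ERROR = re.compile(
    r"AD LDAP Error:\s*(?P<ldap>\d+)\s*\((?P<text>[^)]*)\):\s*"
    r"(?P<win32>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*"
    r"DSID-(?P<dsid>[0-9A-Fa-f]{8}),\s*problem\s+(?P<problem>\d+)\s*"
    r"\((?P<problem_name>\w+)\),\s*data\s+(?P<data>-?\w+)"
)

def unwrap(raw, width=80):
    # Rejoin lines a fixed-width terminal cut; shorter lines keep their break.
    out = ""
    for line in raw.splitlines():
        out += line if len(line) >= width else line + "\n"
    return out

def parse_ad_ldap_error(raw):
    # Returns the decoded fields of the first AD LDAP error in raw, or None.
    m = AD_ERROR.search(unwrap(raw))
    if m is None:
        return None
    ldap, win32 = int(m["ldap"]), int(m["win32"], 16)
    return {
        "ldap_result": ldap,
        "ldap_name": LDAP_RESULT_NAMES.get(ldap, "unknown"),
        "win32_error": win32,
        "win32_name": WIN32_ERROR_NAMES.get(win32, "unknown"),
        "error_kind": m["kind"],
        "dsid": m["dsid"].upper(),
        "problem": int(m["problem"]),
        "problem_name": m["problem_name"],
        "data": m["data"],
    }
```

The DSID value is returned as-is so it can be matched against the same string in other logs or support cases.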
