[Samba] Windows 7 samba 4 domain join problem

[jared.m.jacobson at L-3com.com]

I stood up a samba 4 (4.0.9) Active Directory domain controller on a Red
Hat Enterprise Linux 6.3 server, configured in accordance with the Samba
AD DC HOWTO <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO> , and
tailored to the domain name I want.  I'm trying to join a Windows 7
Enterprise Edition client to the domain.  Windows responds with "Your
computer could not be joined to the domain because the following error
has occurred: The network path was not found."  The network between the
Windows 7 box and the samba server is very simple, consisting of a
single switch.  The network itself is also very simple, consisting of 3
Red Hat servers, a NAS, and the workstation.  The network is not
connected to the Internet in any way.

 

I used wireshark to capture the message exchange.  It looks to me like
the DNS stuff is working right - as far as it gets - but something is
misconfigured with the LDAP server, and I can't figure out what.  I
can't provide the pcap file, but here's a summary of the messages
exchanged (C = Win 7 client, S = samba server, pretending client IP is
192.168.0.3, server IP is 192.168.0.4, server name is server, client
name is client, and domain name is domain.name):

 

1.       C->S: NBNS - Name Query NB domain

2.       S->C: NBNS - Name Query response NB 192.168.0.4

3.       C->S: DNS SRV _ldap._tcp.dc._msdcs.domain.name

4.       S->C: DNS SRV 0 100 389 server.domain.name

5.       C->S: DNS A server.domain.name

6.       S->C: DNS A 192.168.0.4

7.       C->S: CLDAP search request "<ROOT>" baseobject

a.       Filter: DnsDomain=domain.name && Host=CLIENT &&
NtVer=0x00000016

b.      Attributes: netlogon

8.       S->C: CLDAP searchresentry

a.       Type: netlogon

b.      Opcode: LOGON_SAM_LOGON_RESPONSE_EX

c.       Flags: GoodTimeServ, Writable, Closest, Timeserv, KDC, DS,
LDAP, GC, PDC

d.      Forest: domain.name

e.      Domain: domain.name

f.        Hostname: CLIENT

g.       NetBIOS domain: DOMAIN

h.      NetBIOS Hostname: SERVER

9.       C->S: DNS SRV _ldap._tcp.dc._msdcs.domain.name

10.   S->C: DNS SRV 0 100 389 server.domain.name

11.   C->S: CLDAP (same as message 7)

12.   S->C: CLDAP (same as message 8)

13.   C->S: CLDAP search request "<ROOT>" baseobject

a.       Filter: DnsDomain=domain.name && Host=CLIENT && User=CLIENT &&
AAC=80:01:00:00 && NtVer=0x20000016

b.      Attributes: netlogon

14.   S->C: CLDAP serchresentry

a.       Type: netlogon

b.      Opcode: LOGON_SAM_USER_UNKNOWN_EX

 

Based on this exchange, it looks like the Win 7 client is trying to use
the username CLIENT (message 13) rather than the "Administrator"
username I put in when attempting to join the domain, and the server is
rejecting that user because it doesn't know that user.

 

Is it normal for the Win 7 client to use the computer name for the
username, here?  Did I miss something in the HOWTO?  Am I supposed to
add the client computer name to the Active Directory before trying to
join the domain?

 

Thanks for any light you can shed on this.

 

Jared