[Samba] Suddenly Windows clients can't join Samba+ldap PDC anymore

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri May 20 15:04:26 UTC 2016


I was trying to fix a problem on Windows 10 with Outlook 2013. Also 
running an NT4-style domain. The machine had already been joined to 
the domain and Outlook had been working but recently not (probably after 
Patch Tuesday.) I also had had problems with Win 10 mail and RDP. 
I came across the following link.


http://superuser.com/questions/1019862/how-to-connect-windows-10-joined-to-samba-to-a-microsoft-account



"Open the registry editor (regedit.exe), navigate to 
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb 
and add a new DWORD subkey ProtectionPolicy with the value 1."




Seemed to fix my e-mail and RDP issues. I don't know if I would have 
been unable to join the domain, since the machine was already joined.





On 05/20/16 10:29, Pau Peris wrote:
> Hi,
>
> I've tried adding server max protocol = NT1 into /etc/samba/smb.conf
> and restarting smbd and nmbd services but it didn't do the trick.
>
> I feel like Windows clients are not able to resolve SRV1 into the PDC
> and so they can't even try to join the domain.
>
> On Fri, May 20, 2016 at 4:22 PM, Pau Peris <pau at webeloping.es> wrote:
>> Hi,
>>
>> thanks a lot for the tips. I already did the first one, importing the
>> following into the registry:
>>
>> Windows Registry Editor Version 5.00
>>
>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
>>
>> "DomainCompatibilityMode"=dword:00000001
>> "DNSNameResolutionRequired"=dword:00000000
>>
>> I didn't do the second tip but it looks like it's not needed for
>> Windows 7 OS and I also had the same issue on a Windows 7 VMWare
>> machine. I'm going to try it and see what happens.
>>
>> Thank u!
>>
>> On Fri, May 20, 2016 at 3:07 PM, Denis Cardon
>> <denis.cardon at tranquil-it-systems.fr> wrote:
>>> Hi Peris,
>>>
>>>> some years ago I configured a `Primary Domain Controller` through
>>>> Samba and LDAP (slapd) on an Ubuntu machine (13.10) at 192.168.69.203
>>>> which should be accessible by the string/name `SRV1`. I must note I
>>>> did not install winbind. I've never had any issue and it looks like
>>>> it's working fine as about 10 Windows machines joined the PDC and
>>>> Windows users can login against the PDC on a daily basis.
>>>>
>>>> The method I always used to join the domain through Windows clients was
>>>> right clicking on computer -> properties -> advanced system settings
>>>> -> computer name -> change -> member of domain; and typing SRV1 in the
>>>> input.
>>>>
>>>> But today I tried to join a Windows 10 Professional machine (I even
>>>> tried on a virtualized Windows 7 Professional and suffered the same
>>>> issue) to the PDC and I'm always getting this error:
>>>
>>> Did you make the required registry modification on the Windows clients?
>>>
>>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>>
>>> For Windows 10, you'll also need to limit the SMB protocol to version 1:
>>>
>>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_10:_There_are_currently_no_logon_servers_available_to_service_the_logon_request.
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>>>
>>>
>>>>
>>>> Note: This information is intended for a network administrator.  If
>>>> you are not your network’s administrator, notify the administrator
>>>> that you received this information, which has been recorded in the
>>>> file C:\Windows\debug\dcdiag.txt.
>>>>
>>>> The following error occurred when DNS was queried for the service
>>>> location (SRV) resource record used to locate an Active Directory
>>>> Domain Controller for domain SRV1:
>>>> The error was: “DNS name does not exist.”
>>>>
>>>> (error code 0x0000232B RCODE_NAME_ERROR)
>>>> The query was for the SRV record for _ldap._tcp.dc._msdcs.SRV1
>>>> Common causes of this error include the following:
>>>>
>>>> - The DNS SRV records required to locate a AD DC for the domain are
>>>> not registered in DNS. These records are registered with a DNS server
>>>> automatically when a AD DC is added to a domain. They are updated by
>>>> the AD DC at set intervals. This computer is configured to use DNS
>>>> servers with the following
>>>>
>>>> IP addresses:
>>>> x.y.w.z
>>>>
>>>> - One or more of the following zones do not include delegation to its
>>>> child zone:
>>>> SRV1
>>>> . (the root zone)
>>>> For information about correcting this problem, click Help.
>>>>
>>>>
>>>> As you can see it looks like it's not possible to reach the PDC service at
>>>> SRV1.
>>>>
>>>> The above error happens when I try to join the PDC by right clicking
>>>> on computer -> properties -> advanced system settings -> computer name
>>>> -> change -> member of domain; and typing SRV1 in the input.
>>>>
>>>> I also can ping SRV1 and it replies fine:
>>>> C:\Users\admin>ping SRV1
>>>> Haciendo ping a SRV1 [192.168.69.203] con 32 bytes de datos:
>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>
>>>>
>>>> I can even run win+r and type \\SRV1 press enter and it asks for a
>>>> LDAP user and password and then it show the right resources according
>>>> to the user rights.
>>>>
>>>> I already tried adding "192.168.69.203 SRV1" to
>>>> C:\Windows\System32\drivers\etc\hosts but it didn't help.
>>>>
>>>> The Windows client IP trying to join the PDC is 192.168.69.49 so if I
>>>> `tailf /var/log/samba/log.nmbd` while trying to join the PDC I can
>>>> see:
>>>> [2016/05/20 11:50:50,  3]
>>>> nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>>>>     process_name_query_request: Name query from 192.168.69.52 on subnet
>>>> 192.168.69.203 for name SRV1<20>
>>>> [2016/05/20 11:50:50,  3]
>>>> nmbd/nmbd_incomingrequests.c:571(process_name_query_request)
>>>>     OK
>>>> [2016/05/20 11:50:54,  3]
>>>> nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>>>>     process_name_query_request: Name query from 192.168.69.49 on subnet
>>>> 192.168.69.203 for name SRV1<1c>
>>>>
>>>> Reading this doc https://support.microsoft.com/en-us/kb/163409 I see
>>>> NetBIOS type 20 means File Server Service and NetBIOS type 1c means
>>>> Domain Controllers but I doubt the latter is fine as I don't see the
>>>> OK response and the doc says <domain> instead of <computername>:
>>>>
>>>> Name                Number(h)  Type  Usage
>>>> --------------------------------------------------------------------------
>>>> <computername>         20       U    File Server Service
>>>> <domain>               1C       G    Domain Controllers
>>>>
>>>>
>>>> This is the wins.dat file generated automatically by samba `cat
>>>> /var/lib/samba/wins.dat`:
>>>> VERSION 1 0
>>>> "EXEDRA72#20" 1464037217 192.168.69.58 64R
>>>> "EXEDRA.CAT#1c" 1463997523 192.168.69.203 e4R
>>>> "EXEDRA.CAT#1e" 1463997523 0.0.0.0 e4R
>>>> "EXEDRA72#00" 1464037217 192.168.69.58 64R
>>>> "SRV1#03" 1463997523 192.168.69.203 66R
>>>> "SRV1#20" 1463997523 192.168.69.203 66R
>>>> "SRV1#00" 1463997523 192.168.69.203 66R
>>>> "EXEDRA.CAT#1b" 1463997523 192.168.69.203 64R
>>>> "EXEDRA.CAT#00" 1463997523 0.0.0.0 e4R
>>>>
>>>>
>>>> This is the output of `cat /etc/hosts`:
>>>> # cat /etc/hosts
>>>> 127.0.0.1       localhost localhost.localdomain srv1.exedra.cat srv1
>>>> exedra.dyndns.org exedra.cat
>>>> 127.0.1.1       localhost localhost.localdomain srv1.exedra.cat srv1
>>>> exedra.dyndns.org exedra.cat
>>>> 192.168.69.203  localhost localhost.localdomain srv1.exedra.cat srv1
>>>> exedra.dyndns.org exedra.cat
>>>> # The following lines are desirable for IPv6 capable hosts
>>>> ::1     ip6-localhost ip6-loopback
>>>> fe00::0 ip6-localnet
>>>> ff00::0 ip6-mcastprefix
>>>> ff02::1 ip6-allnodes
>>>> ff02::2 ip6-allrouters
>>>>
>>>>
>>>> output of resolv.conf `cat /etc/resolv.conf`:
>>>> domain exedra.cat
>>>> search exedra.cat
>>>> nameserver 80.58.61.250
>>>> nameserver 80.58.61.254
>>>>
>>>>
>>>> hostname output `cat /etc/hostname`:  srv1.exedra.cat
>>>>
>>>>
>>>> Here i post the output of `testparm -v`
>>>> https://gist.github.com/sibok/2e5ec48bc4030e64984d4ed1cbebad1f
>>>>
>>>> This is the output of running `smbclient -L localhost` on the server
>>>> (192.168.69.203):
>>>> smbclient -L localhost
>>>> Enter root's password:
>>>> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>>>>
>>>>           Sharename       Type      Comment
>>>>           ---------       ----      -------
>>>>           IPC$            IPC       IPC Service (exedra.cat)
>>>>           print$          Disk      Printer Drivers Download Area
>>>>           public          Disk      Public Share
>>>>           Dropbox         Disk      Dropbox content
>>>>           PLOTTER         Printer   PLOTTER
>>>>           OfficeJetK850   Printer   HP Officejet Pro K850
>>>>           HPDesignJet500  Printer   HPDesignJet500
>>>>           RICOH           Printer   RICOH Aficio MP C2500
>>>>           root            Disk      Home Directories
>>>> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>>>>
>>>>           Server               Comment
>>>>           ---------            -------
>>>>           EXEDRA101            exedra101
>>>>           SRV1                 exedra.cat
>>>>
>>>>           Workgroup            Master
>>>>           ---------            -------
>>>>           EXEDRA.CAT           SRV1
>>>>
>>>>
>>>>
>>>> As the last time I tried adding a machine was about a year ago I
>>>> thought I might be wrong when typing SRV1 and instead I tried typing
>>>> exedra.cat - but I'm 99% confident I just need to make sure Windows
>>>> clients are capable of resolving SRV1 as 192.168.69.203 and then type
>>>> SRV1 instead of exedra.cat - but it showed me the same error so I
>>>> added the following records to the exedra.cat DNS zone (this is the
>>>> first time I need to add SRV records to join the domain):
>>>>
>>>> _ldap._tcp.dc._msdcs.exedra.cat SRV 0 0 exedra.cat.
>>>> _ldap._tcp.dc._msdcs.srv1.exedra.cat  SRV 0 0 exedra.cat.
>>>>
>>>>
>>>> and by trying to join exedra.cat instead of SRV1 I get:
>>>> Note: This information is intended for a network administrator.  If
>>>> you are not your network's administrator, notify the administrator
>>>> that you received this information, which has been recorded in the
>>>> file C:\Windows\debug\dcdiag.txt.
>>>>
>>>> DNS was successfully queried for the service location (SRV) resource
>>>> record used to locate a domain controller for domain "exedra.cat":
>>>>
>>>> The query was for the SRV record for _ldap._tcp.dc._msdcs.exedra.cat
>>>>
>>>> The following domain controllers were identified by the query:
>>>> srv1.exedra.cat
>>>>
>>>>
>>>> However no domain controllers could be contacted.
>>>>
>>>> Common causes of this error include:
>>>>
>>>> - Host (A) or (AAAA) records that map the names of the domain
>>>> controllers to their IP addresses are missing or contain incorrect
>>>> addresses.
>>>>
>>>> - Domain controllers registered in DNS are not connected to the
>>>> network or are not running.
>>>>
>>>>
>>>> Note the following resolutions:
>>>> ~ host -t SRV _ldap._tcp.dc._msdcs.exedra.cat
>>>> _ldap._tcp.dc._msdcs.exedra.cat has SRV record 0 0 389 srv1.exedra.cat.
>>>>
>>>> ~ host -t SRV _ldap._tcp.dc._msdcs.srv1.exedra.cat
>>>> _ldap._tcp.dc._msdcs.srv1.exedra.cat has SRV record 0 0 389
>>>> srv1.exedra.cat.
>>>>
>>>> ~ host -t A srv1.exedra.cat
>>>> srv1.exedra.cat has address 192.168.69.203
>>>>
>>>> ~ host -t A exedra.cat
>>>> exedra.cat has address 66.96.147.160
>>>>
>>>>
>>>> The thing is I'm 99% sure I used to join the domain by supplying the SRV1
>>>> string on the "member of domain" input but now it looks like Windows
>>>> clients are not able to resolve SRV1 to 192.168.69.203 which is the
>>>> Ubuntu machine which hosts the samba+ldap PDC.
>>>>
>>> --
>>> Denis Cardon
>>> Tranquil IT Systems
>>> Les Espaces Jules Verne, bâtiment A
>>> 12 avenue Jules Verne
>>> 44230 Saint Sébastien sur Loire
>>> tel : +33 (0) 2.40.97.57.55
>>> http://www.tranquil-it-systems.fr
>>>
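
As an added diagnostic example (not code from this thread or from Samba), the Python below parses the wins.dat listing quoted above and reports which names carry a <1c> (Domain Controllers) registration, the name a client queries as <domain><1c> during an NT4-style join; in that listing the <1c> entry belongs to EXEDRA.CAT, while SRV1 is registered only as <00>, <03> and <20>. The function names and the sample text are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the wins.dat excerpt pasted in the thread above.
WINS_DAT = """\
VERSION 1 0
"EXEDRA72#20" 1464037217 192.168.69.58 64R
"EXEDRA.CAT#1c" 1463997523 192.168.69.203 e4R
"EXEDRA.CAT#1e" 1463997523 0.0.0.0 e4R
"EXEDRA72#00" 1464037217 192.168.69.58 64R
"SRV1#03" 1463997523 192.168.69.203 66R
"SRV1#20" 1463997523 192.168.69.203 66R
"SRV1#00" 1463997523 192.168.69.203 66R
"EXEDRA.CAT#1b" 1463997523 192.168.69.203 64R
"EXEDRA.CAT#00" 1463997523 0.0.0.0 e4R
"""

# NetBIOS suffixes from MS KB 163409 (cited in the thread): <00> workstation/domain,
# <03> messenger, <1b> domain master browser, <1c> domain controllers, <20> file server.
# One wins.dat record per line: "NAME#xx" <ttl> <ip> [<ip> ...] <flags>
LINE_RE = re.compile(r'^"(?P<name>[^"#]+)#(?P<suffix>[0-9a-fA-F]{2})"\s+(?P<ttl>\d+)\s+(?P<rest>.+)$')

def parse_wins_dat(text):
    """Return (name, suffix, ttl, ips, flags) tuples for every name record in wins.dat text."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # VERSION header, blank lines, anything malformed
        fields = m.group("rest").split()  # one or more IPs, then the flags word
        records.append((m.group("name"), m.group("suffix").lower(),
                        int(m.group("ttl")), fields[:-1], fields[-1]))
    return records

def domain_controller_names(records):
    """Names registered as <1c>: what a client queries as <domain><1c> to find NT4-style DCs."""
    return {name: ips for name, suffix, _, ips, _ in records if suffix == "1c"}

def classify_join_target(records, target):
    """'domain' if target carries a <1c> registration, 'host' if it is only a machine name."""
    suffixes = defaultdict(set)
    for name, suffix, _, _, _ in records:
        suffixes[name.upper()].add(suffix)
    found = suffixes.get(target.upper(), set())
    if "1c" in found:
        return "domain"
    if found & {"00", "03", "20"}:
        return "host"
    return "unknown"
```

Run `classify_join_target(parse_wins_dat(open("/var/lib/samba/wins.dat").read()), "SRV1")` on the server to see how the name a client types in "member of domain" is actually registered in WINS.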


