[Samba] Problem joining XP SP2 Machines to the domain

Marshall Buschman mbuschman at gmail.com
Tue Apr 29 20:59:42 GMT 2008


Dale:

There is no client firewall on any of the machines in question.
The Windows XP firewall has been disabled.

-Marshall


On Tue, Apr 29, 2008 at 12:57 PM, Dale Schroeder <
dale at briannassaladdressing.com> wrote:

>  Marshall,
>
> One last guess: Windows Firewall.  Is it turned on?  For comparison, in
> the AD domain I administer, I have to turn off the XP firewall or create an
> exception for tcp port 113 to join the domain.  Otherwise, it just sits
> there until it times out.  So, if any client firewall is running, try
> turning it off or making an exception.
>
> Dale
>
>
> Marshall Buschman wrote:
>
> Dale:
>
> I'm continuing to investigate - ipconfig /all shows both WINS servers.
> /var/cache/samba/wins.dat contains the xp machines.
> I do have a local DNS server, and it does resolve typical addresses (
> google.com) as expected.
> My PDC and BDC have A and PTR records that resolve properly, but nothing
> special other than that.
>
> Nothing appears in the logs on either the PDC or BDC.
>
> I've recently tried using the ForensiT User Profile Wizard, which tries to
> join the domain as part of its process.
> It's interesting that using this tool, when auth fails, wireshark shows no
> conversation between the XP box and the DC - it looks like the XP isn't even
> trying to connect to the PDC.
>
> I've seen similar results using wireshark and the normal domain joining
> facilities.
> I've attempted to disable the signorseal requirements, which have no
> effect.
>
> The only effective solution is adding an entry to the lmhosts file, which
> is undesirable.
>
> -Marshall
>
> On Fri, Apr 25, 2008 at 9:14 AM, Dale Schroeder <
> dale at briannassaladdressing.com> wrote:
>
> > Marshall,
> >
> > Running out of ideas, but:
> > Have you checked the wins.dat file to see if it is actually being
> > populated with the xp machines?
> > Does "ipconfig /all" on the xp machines list the wins server?
> > If using it, is DNS working properly?
> > Any other clues in the logs?
> >
> > In "name resolve order =" I list wins first to give it the first chance
> > at name resolution.
> > I also don't have the multi-subnet issue to deal with, but some admins
> > put a wins server on each subnet.
> >
> > Dale
> >
> >
> > Marshall Buschman wrote:
> >
> > > Dale:
> > >
> > > Correct. I've implemented this option on all of the relevant subnets.
> > > I'm doing something like this:
> > >
> > > -----------------------------------------------------------------------------------------
> > > option netbios-name-servers 1.2.3.4, 1.3.3.7;
> > > -----------------------------------------------------------------------------------------
> > >
> > > Where 1.2.3.4 is the old windows 2000 DC that we're migrating away from, and
> > > 1.3.3.7 is the samba PDC.
> > >
> > > I tested this, and found it to work appropriately under Windows 2000
> > > clients, but not Windows XP clients.
> > >
> > > I've even statically assigned an XP client an IP and WINS server, and it
> > > still does not work consistently.
> > >
> > > I still get the following error most of the time:
> > >
> > > The following error occurred attempting to join the domain "FOO":
> > > Logon failure: unknown user name or bad password.
> > >
> > > Windows 2000 clients function perfectly.
> > >
> > > Any ideas? Especially why only the XP clients have an issue?
> > >
> > > -Marshall
> > >
> > >
> > > On Thu, Apr 24, 2008 at 8:43 AM, Dale Schroeder <
> > > dale at briannassaladdressing.com> wrote:
> > >
> > >
> > >
> > > > Marshall,
> > > >
> > > > Since you have many clients, I'm guessing you have a dhcp server running.
> > > > If so, do you have a netbios nameserver option enabled in the dhcp config?
> > > > In ISC's dhcp3 server it is "option netbios-name-servers xxx.xxx.xxx.xxx;"
> > > >
> > > > Of course, on clients with static ip's, wins config must be done manually,
> > > > and IIRC, the options changed somewhat in XP.  The default is to get netbios
> > > > info from the dhcp server.
> > > >
> > > > Good luck,
> > > > Dale
> > > >
> > > >
> > > >
> > > >
> > > > Marshall Buschman wrote:
> > > >
> > > >
> > > >
> > > > > Hey All:
> > > > >
> > > > > I've got a working samba/ldap domain with a PDC in a datacenter and a BDC
> > > > > in my local office.
> > > > >
> > > > > I'm not able to reliably join a windows XP Pro machine to the domain by
> > > > > specifying the PDC as a wins server.
> > > > >
> > > > > I get the following error 90% of the time or more, with no discernible
> > > > > patterns or errors in any logs:
> > > > > ---------------------------------
> > > > > The following error occurred attempting to join the domain "FOO":
> > > > > Logon failure: unknown user name or bad password.
> > > > > ---------------------------------
> > > > >
> > > > > Windows 2000 machines join the domain 100% of the time.
> > > > >
> > > > > Adding a line to the lmhosts file like this:
> > > > > ---------------------------
> > > > > 1.2.3.4       foopdc     #PRE #DOM:FOO #net group's DC
> > > > > ---------------------------
> > > > > Causes the XP machine to be able to join the domain 100% of the time.
> > > > >
> > > > > I have many clients, and adding this file to the lmhosts file everywhere
> > > > > isn't feasible.
> > > > >
> > > > > The real question is - why doesn't WINS work?
> > > > > I can run net view and see all the machines..
> > > > >
> > > > > I'd really appreciate any help you guys can provide.
> > > > >
> > > > > -Marshall
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
>
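
The wins.dat check discussed in the thread can go one step further than confirming the XP machines are listed: a joining client looks up the domain's own NetBIOS names, FOO<1b> and FOO<1c>, which is what the `#PRE #DOM:FOO` lmhosts entry supplies statically. The script below is an added example, not part of the thread; the wins.dat line layout and the sample records (including the 10.0.0.51 address and XPBOX1 name) are constructed assumptions.

```python
import re

# Constructed sample. Assumed layout of a Samba 3.x wins.dat line:
#   "NAME#TYPE" expiry ip [ip ...] flagsR
SAMPLE_WINS_DAT = '''VERSION 1 0
"FOO#00" 1209934782 255.255.255.255 e4R
"FOO#1e" 1209934782 255.255.255.255 e4R
"FOOPDC#00" 1209934782 1.3.3.7 66R
"FOOPDC#20" 1209934782 1.3.3.7 66R
"XPBOX1#00" 1209934782 10.0.0.51 64R
"XPBOX1#20" 1209934782 10.0.0.51 64R
'''

RECORD = re.compile(r'^"(?P<name>[^"#]+)#(?P<type>[0-9a-fA-F]{2})"\s+\d+\s+(?P<rest>.+)$')
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PLACEHOLDERS = {"0.0.0.0", "255.255.255.255"}  # group markers, not real hosts


def parse_wins_dat(text):
    """Return {(NAME, type): [ip, ...]} for every name record in wins.dat."""
    records = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # VERSION header or unrecognised line
        ips = [f for f in m.group("rest").split() if IPV4.fullmatch(f)]
        records[(m.group("name").upper(), int(m.group("type"), 16))] = ips
    return records


def missing_dc_records(records, domain):
    """List the domain-level names a client needs to find a DC but WINS lacks.

    <1b> is the domain master browser (the PDC), <1c> the domain
    controllers group. A record pointing only at placeholder addresses
    is treated as missing because it gives the client no DC to contact.
    """
    missing = []
    for nb_type in (0x1B, 0x1C):
        ips = records.get((domain.upper(), nb_type), [])
        if not [ip for ip in ips if ip not in PLACEHOLDERS]:
            missing.append(f"{domain.upper()}<{nb_type:02x}>")
    return missing


if __name__ == "__main__":
    print(missing_dc_records(parse_wins_dat(SAMPLE_WINS_DAT), "FOO"))
```

Run it against the wins.dat of each server named in `option netbios-name-servers`, since clients normally query the first server in that list.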

