[Samba] Join 2012 Server R2 as member to NT domain

James Fromm fromm at omnis.com
Wed Apr 15 13:35:12 MDT 2015


Using wireshark, the last communication between the client and the Samba 
server is:

RPC_NETLOGON	262	DsrGetDcNameEx2 request

DCERPC	146	Fault: call_id: 2, Fragment: Single, Ctx: 0, status: nca_op_rng_error

Immediately after this the client starts to close the SMB connection.

On 04/15/2015 12:23 PM, James Fromm wrote:
> I don't have anything but Server 2003, 2008 and 2012 to test with.  2003
> joins the domain without issue.  2008 and 2012 will not.  The registry
> has been updated on both:
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
>
> "DNSNameResolutionRequired"=dword:00000000
> "DomainCompatibilityMode"=dword:00000001
>
> Our smb.conf is:
>
>
> [global]
>      workgroup = CUST.OMNIS.COM
>      netbios name = GLEN
>      server string = GLEN
>      passdb backend = ldapsam:ldap://ldap-cust.omnis.com
>      username map = /etc/samba/smbusers
>      smb ports = 139 445
>      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>      max stat cache size = 16384
>
>      wins support = yes
>      name resolve order = wins lmhosts hosts bcast
>      dns proxy = yes
>
>      encrypt passwords = yes
>
>      name cache timeout = 3600
>      log level = 0
>      syslog = 0
>      log file = /var/log/samba/%m
>      include = /etc/samba/smb.conf.%m
>
>      time server = Yes
>      add user script = /usr/sbin/smbldap-useradd -a -m '%u'
>      delete user script = /usr/sbin/smbldap-userdel %u
>      add group script = /usr/sbin/smbldap-groupadd '%g'
>      delete group script = /usr/sbin/smbldap-groupdel '%g'
>      add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>      delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>      set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>      add machine script = /usr/sbin/smbldap-useradd -W '%u'
>      logon script = scripts\logon.bat
>      logon path = \\%L\profiles\%U
>      logon drive = X:
>      domain logons = Yes
>      preferred master = auto
>      domain master = no
>
>      wins support = Yes
>      ldap suffix = ou=System,dc=cust,dc=omnis,dc=com
>      ldap machine suffix = ou=Computers
>      ldap user suffix = ou=Users
>      ldap group suffix = ou=Groups
>
>      ldapsam:trusted = yes
>
>      ldap idmap suffix = ou=Idmap
>      ldap admin dn = uid=CManager, ou=Special Users, dc=omnis, dc=com
>      idmap backend = ldap:ldap://ldap-cust.omnis.com
>      idmap uid = 10000-20000
>      idmap gid = 10000-20000
>      map acl inherit = Yes
>
> [home]
>          comment = Home %U, %u
>          read only = No
>          create mask = 0644
>          directory mask = 0775
>          browseable = No
>          path = /home/%u
>
>
> [netlogon]
>          comment = Network Logon Service
>          path = /var/lib/samba/netlogon
>          read only = yes
>          guest ok = yes
>
> [profiles]
>          path = /var/lib/samba/profiles
>          read only = no
>          browseable = No
>          guest ok = Yes
>          profile acls = yes
>          valid users = %U "Domain Admins"
>
> You can run Samba 4 as a 'classic' domain.  We just haven't upgraded
> yet.  If Samba4 fixes this, we'll upgrade.  However, my understanding is
> that Samba4 as AD requires internal LDAP only.  We use 4 replicating,
> load-balanced LDAP servers so the internal LDAP and AD schema won't work.
>
> Anyone have an idea with 3.6 I can try?
>
> Thanks,
> James
>
>
>
>
>
> On 04/15/2015 09:39 AM, Andrey Repin wrote:
>> Greetings, James Fromm!
>>
>>> Is it still possible to join a Windows 2012 Server R2 system as a member
>>> to a 'pre-NT5' Samba (3.6.23) domain controller?
>>
>> Yes, at least for Win7 Pro.
>> You have to disable DNS lookups.
>>
>> Windows Registry Editor Version 5.00
>>
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
>>
>> "DomainCompatibilityMode"=dword:00000001
>> "DNSNameResolutionRequired"=dword:00000000
>>
>>> The Windows 'Domain
>>> Change' GUI errors immediately after failing the SRV lookup for the AD
>>> server.  Even with the SRV record in place, the GUI fails trying to
>>> connect to the non-existent LDAP port.
>>
>>> Netdom on the command line tries to work if the DC name is supplied on
>>> the /Domain argument.  The logs for Samba show the authentication for
>>> the domain administrator working fine to the Samba controller.  The
>>> command fails.
>>
>>> ----
>>> C:\Users\Administrator>netdom JOIN cl40 /Domain:cust.omnis.com\glen
>>> /UserD:cust.omnis.com\root /PasswordD:* /VERBOSE
>>> Type the password associated with the domain user:
>>
>>> Joining domain cust.omnis.com\glen
>>
>>> The computer rename attempt failed with error 50.
>>
>>> The request is not supported.
>>
>>> The command failed to complete successfully.
>>> ----
>>
>> This may be caused by a different issue.
>>
>>> The DNSNameResolutionRequired and DomainCompatibilityMode registry
>>> modifications are in place.
>>
>>> We are trying to stick with an NT domain so we can keep our Windows and
>>> Unix users in the same LDAP backend.
>>
>> You're making no sense. Samba4 uses LDAP even more than before, to the
>> level of having it implemented internally.
>> So far, all my users in the domain are successfully logging in, Windows
>> and *NIX alike, provided the correct local system setup.
>>
>>
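The two LanmanWorkstation values that both posters set are the precondition the thread relies on before a 2008/2012 client will even talk to an NT4-style DC. As an added example (not code from the thread or from the Samba project), the following parses a .reg export of that key and reports whether the values match; the SAMPLE_REG text is constructed from the values shown above.

```python
"""Check a Windows .reg export for the LanmanWorkstation settings the thread
uses for joining a pre-AD (Samba 3.x) domain. Added example, not from the
samba list thread; the .reg text below is constructed from the thread's values."""
import re

LANMAN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters"
# Values Andrey Repin's reply prescribes for a pre-NT5 domain join.
REQUIRED = {"DomainCompatibilityMode": 1, "DNSNameResolutionRequired": 0}

def parse_reg(text):
    """Parse the subset of .reg syntax used here: [key] sections, "name"=dword:hex
    and "name"="string" values. Keys are lower-cased because registry paths are
    case-insensitive. Returns {key: {name: value}}."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
        if m and current is not None:
            name, dword, string = m.groups()
            tree[current][name] = int(dword, 16) if dword is not None else string
    return tree

def check_join_prereqs(text):
    """Return a list of problems; an empty list means both values are as the thread sets them."""
    values = parse_reg(text).get(LANMAN_KEY.lower(), {})
    problems = []
    for name, expected in REQUIRED.items():
        if name not in values:
            problems.append(f"{name} missing")
        elif values[name] != expected:
            problems.append(f"{name}={values[name]} (expected {expected})")
    return problems

# Constructed sample: the .reg content both posters show.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]

"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
"""

if __name__ == "__main__":
    print(check_join_prereqs(SAMPLE_REG) or "registry values match the thread's settings")
```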
