[Samba] Suddenly Windows clients can't join Samba+ldap PDC anymore

Denis Cardon denis.cardon at tranquil-it-systems.fr
Fri May 20 13:07:01 UTC 2016


Hi Peris,

> some years ago i configured a `Primary Domain Controller` through
> Samba and LDAP (slapd) on an Ubuntu machine (13.10) at 192.168.69.203
> which should be accessible by the string/name `SRV1`. I must note i
> did not install winbind. I've never had any issue and it looks like
> it's working fine as about 10 Windows machines joined the PDC and
> Windows users can login against PDC on daily basis.
>
> The method i always used to join the domain through Windows clients was
> right clicking on computer -> properties -> advanced system settings
> -> computer name -> change -> member of domain; and typing SRV1 in the
> input.
>
> But today i tried to join a Windows 10 Professional machine (i even
> tried on a virtualized Windows 7 Professional and suffered the same
> issue) to the PDC and i'm always getting this error:

Did you make the required registry modification on the Windows clients?

https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

For Windows 10, you'll also need to limit the SMB protocol to version 1:

https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_10:_There_are_currently_no_logon_servers_available_to_service_the_logon_request.

Cheers,

Denis


>
>
> Note: This information is intended for a network administrator.  If
> you are not your network’s administrator, notify the administrator
> that you received this information, which has been recorded in the
> file C:\Windows\debug\dcdiag.txt.
>
> The following error occurred when DNS was queried for the service
> location (SRV) resource record used to locate an Active Directory
> Domain Controller for domain SRV1:
> The error was: “DNS name does not exist.”
>
> (error code 0x0000232B RCODE_NAME_ERROR)
> The query was for the SRV record for _ldap._tcp.dc._msdcs.SRV1
> Common causes of this error include the following:
>
> - The DNS SRV records required to locate a AD DC for the domain are
> not registered in DNS. These records are registered with a DNS server
> automatically when a AD DC is added to a domain. They are updated by
> the AD DC at set intervals. This computer is configured to use DNS
> servers with the following
>
> IP addresses:
> x.y.w.z
>
> - One or more of the following zones do not include delegation to its
> child zone:
> SRV1
> . (the root zone)
> For information about correcting this problem, click Help.
>
>
> As you can see it looks like it's not possible to reach the PDC service at SRV1.
>
> The above error happens when i try to join the PDC by right clicking
> on computer -> properties -> advanced system settings -> computer name
> -> change -> member of domain; and typing SRV1 in the input.
>
> I also can ping SRV1 and it replies fine:
> C:\Users\admin>ping SRV1
> Haciendo ping a SRV1 [192.168.69.203] con 32 bytes de datos:
> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>
>
> I can even run win+r and type \\SRV1 press enter and it asks for a
> LDAP user and password and then it show the right resources according
> to the user rights.
>
> I already tried adding 192.168.69.203 SRV1 in
> C:\Windows\System32\drivers\etc\hosts but it didn't help.
>
> The Windows client IP trying to join the PDC is 192.168.69.49 so if i
> `tailf /var/log/samba/log.nmbd` while trying to join the PDC i can
> see:
> [2016/05/20 11:50:50,  3]
> nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>    process_name_query_request: Name query from 192.168.69.52 on subnet
> 192.168.69.203 for name SRV1<20>
> [2016/05/20 11:50:50,  3]
> nmbd/nmbd_incomingrequests.c:571(process_name_query_request)
>    OK
> [2016/05/20 11:50:54,  3]
> nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>    process_name_query_request: Name query from 192.168.69.49 on subnet
> 192.168.69.203 for name SRV1<1c>
>
> Reading this doc https://support.microsoft.com/en-us/kb/163409 i see
> Netbios type 20 means File Server Service and Netbios type 1c means
> Domain Controllers but i doubt the latter is fine as i don't see the
> Ok response and the doc says <domain> instead of <computername>:
>
> Name                Number(h)  Type  Usage
> --------------------------------------------------------------------------
> <computername>         20       U    File Server Service
> <domain>               1C       G    Domain Controllers
>
>
> This is the wins.dat file generated automatically by samba `cat
> /var/lib/samba/wins.dat`:
> VERSION 1 0
> "EXEDRA72#20" 1464037217 192.168.69.58 64R
> "EXEDRA.CAT#1c" 1463997523 192.168.69.203 e4R
> "EXEDRA.CAT#1e" 1463997523 0.0.0.0 e4R
> "EXEDRA72#00" 1464037217 192.168.69.58 64R
> "SRV1#03" 1463997523 192.168.69.203 66R
> "SRV1#20" 1463997523 192.168.69.203 66R
> "SRV1#00" 1463997523 192.168.69.203 66R
> "EXEDRA.CAT#1b" 1463997523 192.168.69.203 64R
> "EXEDRA.CAT#00" 1463997523 0.0.0.0 e4R
>
>
> This is the output of `cat /etc/hosts`:
> # cat /etc/hosts
> 127.0.0.1       localhost localhost.localdomain srv1.exedra.cat srv1
> exedra.dyndns.org exedra.cat
> 127.0.1.1       localhost localhost.localdomain srv1.exedra.cat srv1
> exedra.dyndns.org exedra.cat
> 192.168.69.203  localhost localhost.localdomain srv1.exedra.cat srv1
> exedra.dyndns.org exedra.cat
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
> output of resolv.conf `cat /etc/resolv.conf`:
> domain exedra.cat
> search exedra.cat
> nameserver 80.58.61.250
> nameserver 80.58.61.254
>
>
> hostname output `cat /etc/hostname`:  srv1.exedra.cat
>
>
> Here i post the output of `testparm -v`
> https://gist.github.com/sibok/2e5ec48bc4030e64984d4ed1cbebad1f
>
> This is the output of running  `smbclient -L localhost` on the server
> (192.168.69.203):
> smbclient -L localhost
> Enter root's password:
> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>
>          Sharename       Type      Comment
>          ---------       ----      -------
>          IPC$            IPC       IPC Service (exedra.cat)
>          print$          Disk      Printer Drivers Download Area
>          public          Disk      Public Share
>          Dropbox         Disk      Dropbox content
>          PLOTTER         Printer   PLOTTER
>          OfficeJetK850   Printer   HP Officejet Pro K850
>          HPDesignJet500  Printer   HPDesignJet500
>          RICOH           Printer   RICOH Aficio MP C2500
>          root            Disk      Home Directories
> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>
>          Server               Comment
>          ---------            -------
>          EXEDRA101            exedra101
>          SRV1                 exedra.cat
>
>          Workgroup            Master
>          ---------            -------
>          EXEDRA.CAT           SRV1
>
>
>
> As the last time i tried adding a machine was about a year ago i
> thought i might be wrong when typing SRV1  and instead i tried typing
> exedra.cat - but i'm 99% confident i just need to make sure Windows
> clients are capable of resolving SRV1 as 192.168.69.203 and then type
> SRV1 instead of exedra.cat - but it showed me the same error so i
> added the following records to the exedra.cat DNS zone (this is the
> first time i need to add SRV records to join the domain):
>
> _ldap._tcp.dc._msdcs.exedra.cat SRV 0 0 exedra.cat.
> _ldap._tcp.dc._msdcs.srv1.exedra.cat  SRV 0 0 exedra.cat.
>
>
> and by trying to join exedra.cat instead of SRV1 i get:
> Note: This information is intended for a network administrator.  If
> you are not your network's administrator, notify the administrator
> that you received this information, which has been recorded in the
> file C:\Windows\debug\dcdiag.txt.
>
> DNS was successfully queried for the service location (SRV) resource
> record used to locate a domain controller for domain "exedra.cat":
>
> The query was for the SRV record for _ldap._tcp.dc._msdcs.exedra.cat
>
> The following domain controllers were identified by the query:
> srv1.exedra.cat
>
>
> However no domain controllers could be contacted.
>
> Common causes of this error include:
>
> - Host (A) or (AAAA) records that map the names of the domain
> controllers to their IP addresses are missing or contain incorrect
> addresses.
>
> - Domain controllers registered in DNS are not connected to the
> network or are not running.
>
>
> Note the following resolutions:
> ~ host -t SRV _ldap._tcp.dc._msdcs.exedra.cat
> _ldap._tcp.dc._msdcs.exedra.cat has SRV record 0 0 389 srv1.exedra.cat.
>
> ~ host -t SRV _ldap._tcp.dc._msdcs.srv1.exedra.cat
> _ldap._tcp.dc._msdcs.srv1.exedra.cat has SRV record 0 0 389 srv1.exedra.cat.
>
> ~ host -t A srv1.exedra.cat
> srv1.exedra.cat has address 192.168.69.203
>
> ~ host -t A exedra.cat
> exedra.cat has address 66.96.147.160
>
>
> The thing is i'm 99% sure i used to join the domain by supplying SRV1
> string on "member of domain" input but now it looks like Windows
> clients are not able to resolve SRV1 to 192.168.69.203 which is the
> ubuntu machine which hosts the samba+ldap PDC.
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr



