[Samba] Suddenly Windows clients can't join Samba+ldap PDC anymore

Pau Peris pau at webeloping.es
Fri May 20 14:29:20 UTC 2016


Hi,

I've tried adding `server max protocol = NT1` into /etc/samba/smb.conf
and restarting smbd and nmbd services but it didn't do the trick.

I feel like Windows clients are not able to resolve SRV1 into the PDC
and so they can't even try to join the domain.

On Fri, May 20, 2016 at 4:22 PM, Pau Peris <pau at webeloping.es> wrote:
> Hi,
>
> thanks a lot for the tips. I already did the first one, importing the
> following into the registry:
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
>
> "DomainCompatibilityMode"=dword:00000001
> "DNSNameResolutionRequired"=dword:00000000
>
> I didn't do the second tip but it looks like it's not needed for
> Windows 7 OS and I also had the same issue on a Windows 7 VMware
> machine. I'm going to try it and see what happens.
>
> Thank you!
>
> On Fri, May 20, 2016 at 3:07 PM, Denis Cardon
> <denis.cardon at tranquil-it-systems.fr> wrote:
>> Hi Peris,
>>
>>> Some years ago I configured a `Primary Domain Controller` through
>>> Samba and LDAP (slapd) on an Ubuntu machine (13.10) at 192.168.69.203
>>> which should be accessible by the string/name `SRV1`. I must note I
>>> did not install winbind. I've never had any issue and it looks like
>>> it's working fine as about 10 Windows machines joined the PDC and
>>> Windows users can log in against the PDC on a daily basis.
>>>
>>> The method I always used to join the domain through Windows clients was
>>> right clicking on computer -> properties -> advanced system settings
>>> -> computer name -> change -> member of domain; and typing SRV1 in the
>>> input.
>>>
>>> But today I tried to join a Windows 10 Professional machine (I even
>>> tried on a virtualized Windows 7 Professional and suffered the same
>>> issue) to the PDC and I'm always getting this error:
>>
>>
>> Did you make the required registry modification on the Windows clients?
>>
>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>
>> For Windows 10, you'll also need to limit SMB protocol to version 1 :
>>
>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_10:_There_are_currently_no_logon_servers_available_to_service_the_logon_request.
>>
>> Cheers,
>>
>> Denis
>>
>>
>>
>>>
>>>
>>> Note: This information is intended for a network administrator.  If
>>> you are not your network’s administrator, notify the administrator
>>> that you received this information, which has been recorded in the
>>> file C:\Windows\debug\dcdiag.txt.
>>>
>>> The following error occurred when DNS was queried for the service
>>> location (SRV) resource record used to locate an Active Directory
>>> Domain Controller for domain SRV1:
>>> The error was: “DNS name does not exist.”
>>>
>>> (error code 0x0000232B RCODE_NAME_ERROR)
>>> The query was for the SRV record for _ldap._tcp.dc._msdcs.SRV1
>>> Common causes of this error include the following:
>>>
>>> - The DNS SRV records required to locate a AD DC for the domain are
>>> not registered in DNS. These records are registered with a DNS server
>>> automatically when a AD DC is added to a domain. They are updated by
>>> the AD DC at set intervals. This computer is configured to use DNS
>>> servers with the following
>>>
>>> IP addresses:
>>> x.y.w.z
>>>
>>> - One or more of the following zones do not include delegation to its
>>> child zone:
>>> SRV1
>>> . (the root zone)
>>> For information about correcting this problem, click Help.
>>>
>>>
>>> As you can see it looks like it's not possible to reach the PDC service at
>>> SRV1.
>>>
>>> The above error happens when I try to join the PDC by right clicking
>>> on computer -> properties -> advanced system settings -> computer name
>>> -> change -> member of domain; and typing SRV1 in the input.
>>>
>>> I also can ping SRV1 and it replies fine:
>>> C:\Users\admin>ping SRV1
>>> Haciendo ping a SRV1 [192.168.69.203] con 32 bytes de datos:
>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>
>>>
>>> I can even run win+r and type \\SRV1 press enter and it asks for an
>>> LDAP user and password and then it shows the right resources according
>>> to the user rights.
>>>
>>> I already tried adding 192.168.69.203 SRV1 in
>>> C:\Windows\System32\drivers\etc\hosts but it didn't help.
>>>
>>> The Windows client IP trying to join the PDC is 192.168.69.49 so if I
>>> `tailf /var/log/samba/log.nmbd` while trying to join the PDC I can
>>> see:
>>> [2016/05/20 11:50:50,  3]
>>> nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>>>    process_name_query_request: Name query from 192.168.69.52 on subnet
>>> 192.168.69.203 for name SRV1<20>
>>> [2016/05/20 11:50:50,  3]
>>> nmbd/nmbd_incomingrequests.c:571(process_name_query_request)
>>>    OK
>>> [2016/05/20 11:50:54,  3]
>>> nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>>>    process_name_query_request: Name query from 192.168.69.49 on subnet
>>> 192.168.69.203 for name SRV1<1c>
>>>
>>> Reading this doc https://support.microsoft.com/en-us/kb/163409 I see
>>> NetBIOS type 20 means File Server Service and NetBIOS type 1c means
>>> Domain Controllers but I doubt the latter is fine as I don't see the
>>> OK response and the doc says <domain> instead of <computername>:
>>>
>>> Name                Number(h)  Type  Usage
>>> --------------------------------------------------------------------------
>>> <computername>         20       U    File Server Service
>>> <domain>               1C       G    Domain Controllers
>>>
>>>
>>> This is the wins.dat file generated automatically by samba `cat
>>> /var/lib/samba/wins.dat`:
>>> VERSION 1 0
>>> "EXEDRA72#20" 1464037217 192.168.69.58 64R
>>> "EXEDRA.CAT#1c" 1463997523 192.168.69.203 e4R
>>> "EXEDRA.CAT#1e" 1463997523 0.0.0.0 e4R
>>> "EXEDRA72#00" 1464037217 192.168.69.58 64R
>>> "SRV1#03" 1463997523 192.168.69.203 66R
>>> "SRV1#20" 1463997523 192.168.69.203 66R
>>> "SRV1#00" 1463997523 192.168.69.203 66R
>>> "EXEDRA.CAT#1b" 1463997523 192.168.69.203 64R
>>> "EXEDRA.CAT#00" 1463997523 0.0.0.0 e4R
>>>
>>>
>>> This is the output of `cat /etc/hosts`:
>>> # cat /etc/hosts
>>> 127.0.0.1       localhost localhost.localdomain srv1.exedra.cat srv1
>>> exedra.dyndns.org exedra.cat
>>> 127.0.1.1       localhost localhost.localdomain srv1.exedra.cat srv1
>>> exedra.dyndns.org exedra.cat
>>> 192.168.69.203  localhost localhost.localdomain srv1.exedra.cat srv1
>>> exedra.dyndns.org exedra.cat
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1     ip6-localhost ip6-loopback
>>> fe00::0 ip6-localnet
>>> ff00::0 ip6-mcastprefix
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>>
>>> output of resolv.conf `cat /etc/resolv.conf`:
>>> domain exedra.cat
>>> search exedra.cat
>>> nameserver 80.58.61.250
>>> nameserver 80.58.61.254
>>>
>>>
>>> hostname output `cat /etc/hostname`:  srv1.exedra.cat
>>>
>>>
>>> Here I post the output of `testparm -v`
>>> https://gist.github.com/sibok/2e5ec48bc4030e64984d4ed1cbebad1f
>>>
>>> This is the output of running `smbclient -L localhost` on the server
>>> (192.168.69.203):
>>> smbclient -L localhost
>>> Enter root's password:
>>> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>>>
>>>          Sharename       Type      Comment
>>>          ---------       ----      -------
>>>          IPC$            IPC       IPC Service (exedra.cat)
>>>          print$          Disk      Printer Drivers Download Area
>>>          public          Disk      Public Share
>>>          Dropbox         Disk      Dropbox content
>>>          PLOTTER         Printer   PLOTTER
>>>          OfficeJetK850   Printer   HP Officejet Pro K850
>>>          HPDesignJet500  Printer   HPDesignJet500
>>>          RICOH           Printer   RICOH Aficio MP C2500
>>>          root            Disk      Home Directories
>>> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>>>
>>>          Server               Comment
>>>          ---------            -------
>>>          EXEDRA101            exedra101
>>>          SRV1                 exedra.cat
>>>
>>>          Workgroup            Master
>>>          ---------            -------
>>>          EXEDRA.CAT           SRV1
>>>
>>>
>>>
>>> As the last time I tried adding a machine was about a year ago I
>>> thought I might be wrong when typing SRV1 and instead I tried typing
>>> exedra.cat - but I'm 99% confident I just need to make sure Windows
>>> clients are capable of resolving SRV1 as 192.168.69.203 and then type
>>> SRV1 instead of exedra.cat - but it showed me the same error so I
>>> added the following records to the exedra.cat DNS zone (this is the
>>> first time I need to add SRV records to join the domain):
>>>
>>> _ldap._tcp.dc._msdcs.exedra.cat SRV 0 0 exedra.cat.
>>> _ldap._tcp.dc._msdcs.srv1.exedra.cat  SRV 0 0 exedra.cat.
>>>
>>>
>>> and by trying to join exedra.cat instead of SRV1 I get:
>>> Note: This information is intended for a network administrator.  If
>>> you are not your network's administrator, notify the administrator
>>> that you received this information, which has been recorded in the
>>> file C:\Windows\debug\dcdiag.txt.
>>>
>>> DNS was successfully queried for the service location (SRV) resource
>>> record used to locate a domain controller for domain "exedra.cat":
>>>
>>> The query was for the SRV record for _ldap._tcp.dc._msdcs.exedra.cat
>>>
>>> The following domain controllers were identified by the query:
>>> srv1.exedra.cat
>>>
>>>
>>> However no domain controllers could be contacted.
>>>
>>> Common causes of this error include:
>>>
>>> - Host (A) or (AAAA) records that map the names of the domain
>>> controllers to their IP addresses are missing or contain incorrect
>>> addresses.
>>>
>>> - Domain controllers registered in DNS are not connected to the
>>> network or are not running.
>>>
>>>
>>> Note the following resolutions:
>>> ~ host -t SRV _ldap._tcp.dc._msdcs.exedra.cat
>>> _ldap._tcp.dc._msdcs.exedra.cat has SRV record 0 0 389 srv1.exedra.cat.
>>>
>>> ~ host -t SRV _ldap._tcp.dc._msdcs.srv1.exedra.cat
>>> _ldap._tcp.dc._msdcs.srv1.exedra.cat has SRV record 0 0 389
>>> srv1.exedra.cat.
>>>
>>> ~ host -t A srv1.exedra.cat
>>> srv1.exedra.cat has address 192.168.69.203
>>>
>>> ~ host -t A exedra.cat
>>> exedra.cat has address 66.96.147.160
>>>
>>>
>>> The thing is I'm 99% sure I used to join the domain by supplying the SRV1
>>> string on the "member of domain" input but now it looks like Windows
>>> clients are not able to resolve SRV1 to 192.168.69.203 which is the
>>> Ubuntu machine which hosts the samba+ldap PDC.
>>>
>>
>> --
>> Denis Cardon
>> Tranquil IT Systems
>> Les Espaces Jules Verne, bâtiment A
>> 12 avenue Jules Verne
>> 44230 Saint Sébastien sur Loire
>> tel : +33 (0) 2.40.97.57.55
>> http://www.tranquil-it-systems.fr
>>
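
The nmbd log and wins.dat quoted in this message can be cross-checked mechanically. The following is an added example, not part of the original thread: it parses the wins.dat lines quoted above and reports which NetBIOS name/type pairs are registered, so the `SRV1<20>` and `SRV1<1c>` queries from log.nmbd can be compared with what the server holds. The record layout is inferred from the quoted lines, and reading the flag bit 0x80 as "group name" is an assumption.

```python
import re

# wins.dat lines copied from the message above (not constructed).
WINS_DAT = """VERSION 1 0
"EXEDRA72#20" 1464037217 192.168.69.58 64R
"EXEDRA.CAT#1c" 1463997523 192.168.69.203 e4R
"EXEDRA.CAT#1e" 1463997523 0.0.0.0 e4R
"EXEDRA72#00" 1464037217 192.168.69.58 64R
"SRV1#03" 1463997523 192.168.69.203 66R
"SRV1#20" 1463997523 192.168.69.203 66R
"SRV1#00" 1463997523 192.168.69.203 66R
"EXEDRA.CAT#1b" 1463997523 192.168.69.203 64R
"EXEDRA.CAT#00" 1463997523 0.0.0.0 e4R
"""

# Layout inferred from the lines above: "NAME#TT" <ttl> <ip> [<ip> ...] <hex flags>R
RECORD_RE = re.compile(
    r'^"(?P<name>[^"#]+)#(?P<type>[0-9a-fA-F]{2})"\s+(?P<ttl>\d+)\s+'
    r'(?P<ips>\S+(?:\s+\S+)*?)\s+(?P<flags>[0-9a-fA-F]+)R$'
)
GROUP_BIT = 0x80  # assumption: high bit of the flags byte marks a group name


def parse_wins_dat(text):
    """Return {(NAME, type): {"ips": [...], "group": bool}}."""
    records = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue  # VERSION header, blank or malformed line
        key = (m.group("name").upper(), int(m.group("type"), 16))
        records[key] = {
            "ips": m.group("ips").split(),
            "group": bool(int(m.group("flags"), 16) & GROUP_BIT),
        }
    return records


def registered(records, name, name_type):
    """IPs registered for NAME<type>, or [] when there is no such entry."""
    entry = records.get((name.upper(), name_type))
    return entry["ips"] if entry else []


if __name__ == "__main__":
    recs = parse_wins_dat(WINS_DAT)
    for name, t in [("SRV1", 0x20), ("SRV1", 0x1C), ("EXEDRA.CAT", 0x1C)]:
        print(f"{name}<{t:02x}> -> {registered(recs, name, t) or 'not registered'}")
```

On the quoted data, `SRV1<20>` resolves to 192.168.69.203, `SRV1<1c>` has no entry, and the only `<1c>` registration is under `EXEDRA.CAT`.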


