[Samba] Suddenly Windows clients can't join Samba+ldap PDC anymore

Pau Peris pau at webeloping.es
Fri May 20 20:06:28 UTC 2016


Excuse me for the little flood please, I've just checked it again and
now I see SRV1 as master for exedra.cat workgroup, I can even see in
the logs: Samba name server SRV1 is now a local master browser for
workgroup EXEDRA.CAT on subnet 192.168.69.203

So I'll keep digging on how to fix the issue exposed on my first
email, tomorrow I'll try to see whether it's an IPv6 issue or not.

On Fri, May 20, 2016 at 9:59 PM, Pau Peris <pau at webeloping.es> wrote:
> Right now I'm out of the office and I have no way to remotely work
> with the Windows machines so I've been upgrading the server to Ubuntu
> 16.04. Everything seems to be working as before but I'm wondering why
> right now the Master value is blank for Workgroup exedra.cat. Any idea?
>
> # smbclient -L localhost
> WARNING: The "syslog" option is deprecated
> Enter root's password:
> Domain=[EXEDRA.CAT] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         Dropbox         Disk      Dropbox content
>         public          Disk      Public Share
>         print$          Disk      Printer Drivers Download Area
>         IPC$            IPC       IPC Service (exedra.cat)
>         root            Disk      Home Directories
>         PLOTTER         Printer   PLOTTER
>         OfficeJetK850   Printer   HP Officejet Pro K850
>         HPDesignJet500  Printer   HPDesignJet500
>         RICOH           Printer   RICOH Aficio MP C2500
> Domain=[EXEDRA.CAT] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
>
>         Server               Comment
>         ---------            -------
>         SRV1                 exedra.cat
>
>         Workgroup            Master
>         ---------            -------
>         EXEDRA.CAT
>
> On Fri, May 20, 2016 at 7:40 PM, Gaiseric Vandal
> <gaiseric.vandal at gmail.com> wrote:
>> You should be able to unbind ipv6 for the win 10 machine's network
>> interface.
>>
>>
>>
>> does "nslookup SRV1" work?
>>
>>
>> Also, you may want to try running tcpdump or ethereal or wireshark on our
>> PDC and see what traffic is captured.
>>
>>
>> On 05/20/16 13:24, Pau Peris wrote:
>>>
>>> I'm completely lost as i can ping SRV1 without issues but i'm starting
>>> to think that maybe Windows tries to join the domain through IPV6.
>>> ping -c6 SRV1 from this Windows 10 machine leads to host not found so
>>> i'm working on this direction right now.
>>>
>>> Any help will be really appreciated
>>>
>>> On Fri, May 20, 2016 at 5:04 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com> wrote:
>>>>
>>>> I was trying to fix a problem on Windows 10 with Outlook 2013. Also
>>>> running an NT4-style domain. The machine had already been joined to
>>>> the domain and outlook had been working but recently not (probably after
>>>> patch tuesday.) I also had had problems with Win 10 mail and RDP.
>>>> I came across the following link.
>>>>
>>>>
>>>>
>>>> http://superuser.com/questions/1019862/how-to-connect-windows-10-joined-to-samba-to-a-microsoft-account
>>>>
>>>>
>>>>
>>>> "Open the registry editor (regedit.exe), navigate to
>>>>
>>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
>>>> and add a new DWORD subkey ProtectionPolicy with the value 1."
>>>>
>>>>
>>>>
>>>>
>>>> Seemed to fix my e-mail and RDP issues. I don't know if I would have
>>>> been unable to join the domain, since the machine was already joined.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 05/20/16 10:29, Pau Peris wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> i've tried adding server max protocol = NT1 into /etc/samba/smb.conf
>>>>> and restarting smbd and nmbd services but it didn't do the trick.
>>>>>
>>>>> I feel like Windows clients are not able to resolve SRV1 into the PDC
>>>>> and so they can't even try to join the domain.
>>>>>
>>>>> On Fri, May 20, 2016 at 4:22 PM, Pau Peris <pau at webeloping.es> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> thanks a lot for the tips. I already did the first one, importing the
>>>>>> following into the registry:
>>>>>>
>>>>>> Windows Registry Editor Version 5.00
>>>>>>
>>>>>>
>>>>>>
>>>>>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
>>>>>>
>>>>>> "DomainCompatibilityMode"=dword:00000001
>>>>>> "DNSNameResolutionRequired"=dword:00000000
>>>>>>
>>>>>> I didn't do the second tip but it looks like it's not needed for
>>>>>> Windows 7 OS and i also had the same issue on a Windows 7 VMWare
>>>>>> machine. I'm going to try it and see what happens.
>>>>>>
>>>>>> Thank u!
>>>>>>
>>>>>> On Fri, May 20, 2016 at 3:07 PM, Denis Cardon
>>>>>> <denis.cardon at tranquil-it-systems.fr> wrote:
>>>>>>>
>>>>>>> Hi Peris,
>>>>>>>
>>>>>>>> some years ago I configured a `Primary Domain Controller` through
>>>>>>>> Samba and LDAP (slapd) on an Ubuntu machine (13.10) at 192.168.69.203
>>>>>>>> which should be accessible by the string/name `SRV1`. I must note I
>>>>>>>> did not install winbind. I've never had any issue and it looks like
>>>>>>>> it's working fine as about 10 Windows machines joined the PDC and
>>>>>>>> Windows users can login against PDC on daily basis.
>>>>>>>>
>>>>>>>> The method I always used to join the domain through Windows clients
>>>>>>>> was right clicking on computer -> properties -> advanced system settings
>>>>>>>> -> computer name -> change -> member of domain; and typing SRV1 in
>>>>>>>> the input.
>>>>>>>>
>>>>>>>> But today I tried to join a Windows 10 Professional machine (I even
>>>>>>>> tried on a virtualized Windows 7 Professional and suffered the same
>>>>>>>> issue) to the PDC and I'm always getting this error:
>>>>>>>
>>>>>>>
>>>>>>> Did you make the required registry modification on the Windows
>>>>>>> clients?
>>>>>>>
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>>>>>>
>>>>>>> For Windows 10, you'll also need to limit SMB protocol to version 1 :
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_10:_There_are_currently_no_logon_servers_available_to_service_the_logon_request.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Denis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Note: This information is intended for a network administrator.  If
>>>>>>>> you are not your network’s administrator, notify the administrator
>>>>>>>> that you received this information, which has been recorded in the
>>>>>>>> file C:\Windows\debug\dcdiag.txt.
>>>>>>>>
>>>>>>>> The following error occurred when DNS was queried for the service
>>>>>>>> location (SRV) resource record used to locate an Active Directory
>>>>>>>> Domain Controller for domain SRV1:
>>>>>>>> The error was: “DNS name does not exist.”
>>>>>>>>
>>>>>>>> (error code 0x0000232B RCODE_NAME_ERROR)
>>>>>>>> The query was for the SRV record for _ldap._tcp.dc._msdcs.SRV1
>>>>>>>> Common causes of this error include the following:
>>>>>>>>
>>>>>>>> - The DNS SRV records required to locate a AD DC for the domain are
>>>>>>>> not registered in DNS. These records are registered with a DNS server
>>>>>>>> automatically when a AD DC is added to a domain. They are updated by
>>>>>>>> the AD DC at set intervals. This computer is configured to use DNS
>>>>>>>> servers with the following
>>>>>>>>
>>>>>>>> IP addresses:
>>>>>>>> x.y.w.z
>>>>>>>>
>>>>>>>> - One or more of the following zones do not include delegation to its
>>>>>>>> child zone:
>>>>>>>> SRV1
>>>>>>>> . (the root zone)
>>>>>>>> For information about correcting this problem, click Help.
>>>>>>>>
>>>>>>>>
>>>>>>>> As you can see it looks like it's not possible to reach the PDC
>>>>>>>> service at SRV1.
>>>>>>>>
>>>>>>>> The above error happens when i try to join the PDC by right clicking
>>>>>>>> on computer -> properties -> advanced system settings -> computer
>>>>>>>> name -> change -> member of domain; and typing SRV1 in the input.
>>>>>>>>
>>>>>>>> I also can ping SRV1 and it replies fine:
>>>>>>>> C:\Users\admin>ping SRV1
>>>>>>>> Haciendo ping a SRV1 [192.168.69.203] con 32 bytes de datos:
>>>>>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>>>>>
>>>>>>>>
>>>>>>>> I can even run win+r and type \\SRV1 press enter and it asks for a
>>>>>>>> LDAP user and password and then it show the right resources according
>>>>>>>> to the user rights.
>>>>>>>>
>>>>>>>> I already tried adding 192.168.69.203 SRV1 in
>>>>>>>> C:\Windows\System32\drivers\etc\hosts but it didn't help.
>>>>>>>>
>>>>>>>> The Windows client IP trying to join the PDC is 192.168.69.49 so if I
>>>>>>>> `tailf /var/log/samba/log.nmbd` while trying to join the PDC I can
>>>>>>>> see:
>>>>>>>> [2016/05/20 11:50:50,  3] nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>>>>>>>>      process_name_query_request: Name query from 192.168.69.52 on subnet 192.168.69.203 for name SRV1<20>
>>>>>>>> [2016/05/20 11:50:50,  3] nmbd/nmbd_incomingrequests.c:571(process_name_query_request)
>>>>>>>>      OK
>>>>>>>> [2016/05/20 11:50:54,  3] nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>>>>>>>>      process_name_query_request: Name query from 192.168.69.49 on subnet 192.168.69.203 for name SRV1<1c>
>>>>>>>>
>>>>>>>> Reading this doc https://support.microsoft.com/en-us/kb/163409 I see
>>>>>>>> NetBIOS type 20 means File Server Service and NetBIOS type 1c means
>>>>>>>> Domain Controllers but I doubt the latter is fine as I don't see the
>>>>>>>> OK response and the doc says <domain> instead of <computername>:
>>>>>>>>
>>>>>>>> Name                Number(h)  Type  Usage
>>>>>>>> --------------------------------------------------------------------------
>>>>>>>> <computername>         20       U    File Server Service
>>>>>>>> <domain>               1C       G    Domain Controllers
>>>>>>>>
>>>>>>>>
>>>>>>>> This is the wins.dat file generated automatically by samba `cat
>>>>>>>> /var/lib/samba/wins.dat`:
>>>>>>>> VERSION 1 0
>>>>>>>> "EXEDRA72#20" 1464037217 192.168.69.58 64R
>>>>>>>> "EXEDRA.CAT#1c" 1463997523 192.168.69.203 e4R
>>>>>>>> "EXEDRA.CAT#1e" 1463997523 0.0.0.0 e4R
>>>>>>>> "EXEDRA72#00" 1464037217 192.168.69.58 64R
>>>>>>>> "SRV1#03" 1463997523 192.168.69.203 66R
>>>>>>>> "SRV1#20" 1463997523 192.168.69.203 66R
>>>>>>>> "SRV1#00" 1463997523 192.168.69.203 66R
>>>>>>>> "EXEDRA.CAT#1b" 1463997523 192.168.69.203 64R
>>>>>>>> "EXEDRA.CAT#00" 1463997523 0.0.0.0 e4R
>>>>>>>>
>>>>>>>>
>>>>>>>> This is the output of `cat /etc/hosts`:
>>>>>>>> # cat /etc/hosts
>>>>>>>> 127.0.0.1       localhost localhost.localdomain srv1.exedra.cat srv1 exedra.dyndns.org exedra.cat
>>>>>>>> 127.0.1.1       localhost localhost.localdomain srv1.exedra.cat srv1 exedra.dyndns.org exedra.cat
>>>>>>>> 192.168.69.203  localhost localhost.localdomain srv1.exedra.cat srv1 exedra.dyndns.org exedra.cat
>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>> fe00::0 ip6-localnet
>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>
>>>>>>>>
>>>>>>>> output of resolv.conf `cat /etc/resolv.conf`:
>>>>>>>> domain exedra.cat
>>>>>>>> search exedra.cat
>>>>>>>> nameserver 80.58.61.250
>>>>>>>> nameserver 80.58.61.254
>>>>>>>>
>>>>>>>>
>>>>>>>> hostname output `cat /etc/hostname`:  srv1.exedra.cat
>>>>>>>>
>>>>>>>>
>>>>>>>> Here i post the output of `testparm -v`
>>>>>>>> https://gist.github.com/sibok/2e5ec48bc4030e64984d4ed1cbebad1f
>>>>>>>>
>>>>>>>> This is the output of running `smbclient -L localhost` on the
>>>>>>>> server (192.168.69.203):
>>>>>>>> smbclient -L localhost
>>>>>>>> Enter root's password:
>>>>>>>> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>>>>>>>>
>>>>>>>>            Sharename       Type      Comment
>>>>>>>>            ---------       ----      -------
>>>>>>>>            IPC$            IPC       IPC Service (exedra.cat)
>>>>>>>>            print$          Disk      Printer Drivers Download Area
>>>>>>>>            public          Disk      Public Share
>>>>>>>>            Dropbox         Disk      Dropbox content
>>>>>>>>            PLOTTER         Printer   PLOTTER
>>>>>>>>            OfficeJetK850   Printer   HP Officejet Pro K850
>>>>>>>>            HPDesignJet500  Printer   HPDesignJet500
>>>>>>>>            RICOH           Printer   RICOH Aficio MP C2500
>>>>>>>>            root            Disk      Home Directories
>>>>>>>> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>>>>>>>>
>>>>>>>>            Server               Comment
>>>>>>>>            ---------            -------
>>>>>>>>            EXEDRA101            exedra101
>>>>>>>>            SRV1                 exedra.cat
>>>>>>>>
>>>>>>>>            Workgroup            Master
>>>>>>>>            ---------            -------
>>>>>>>>            EXEDRA.CAT           SRV1
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> As the last time I tried adding a machine was about a year ago I
>>>>>>>> thought I might be wrong when typing SRV1 and instead I tried typing
>>>>>>>> exedra.cat - but I'm 99% confident I just need to make sure Windows
>>>>>>>> clients are capable of resolving SRV1 as 192.168.69.203 and then type
>>>>>>>> SRV1 instead of exedra.cat - but it showed me the same error so I
>>>>>>>> added the following records to the exedra.cat DNS zone (this is the
>>>>>>>> first time I need to add SRV records to join the domain):
>>>>>>>>
>>>>>>>> _ldap._tcp.dc._msdcs.exedra.cat SRV 0 0 exedra.cat.
>>>>>>>> _ldap._tcp.dc._msdcs.srv1.exedra.cat  SRV 0 0 exedra.cat.
>>>>>>>>
>>>>>>>>
>>>>>>>> and by trying to join exedra.cat instead of SRV1 i get:
>>>>>>>> Note: This information is intended for a network administrator.  If
>>>>>>>> you are not your network's administrator, notify the administrator
>>>>>>>> that you received this information, which has been recorded in the
>>>>>>>> file C:\Windows\debug\dcdiag.txt.
>>>>>>>>
>>>>>>>> DNS was successfully queried for the service location (SRV) resource
>>>>>>>> record used to locate a domain controller for domain "exedra.cat":
>>>>>>>>
>>>>>>>> The query was for the SRV record for _ldap._tcp.dc._msdcs.exedra.cat
>>>>>>>>
>>>>>>>> The following domain controllers were identified by the query:
>>>>>>>> srv1.exedra.cat
>>>>>>>>
>>>>>>>>
>>>>>>>> However no domain controllers could be contacted.
>>>>>>>>
>>>>>>>> Common causes of this error include:
>>>>>>>>
>>>>>>>> - Host (A) or (AAAA) records that map the names of the domain
>>>>>>>> controllers to their IP addresses are missing or contain incorrect
>>>>>>>> addresses.
>>>>>>>>
>>>>>>>> - Domain controllers registered in DNS are not connected to the
>>>>>>>> network or are not running.
>>>>>>>>
>>>>>>>>
>>>>>>>> Note the following resolutions:
>>>>>>>> ~ host -t SRV _ldap._tcp.dc._msdcs.exedra.cat
>>>>>>>> _ldap._tcp.dc._msdcs.exedra.cat has SRV record 0 0 389 srv1.exedra.cat.
>>>>>>>>
>>>>>>>> ~ host -t SRV _ldap._tcp.dc._msdcs.srv1.exedra.cat
>>>>>>>> _ldap._tcp.dc._msdcs.srv1.exedra.cat has SRV record 0 0 389 srv1.exedra.cat.
>>>>>>>>
>>>>>>>> ~ host -t A srv1.exedra.cat
>>>>>>>> srv1.exedra.cat has address 192.168.69.203
>>>>>>>>
>>>>>>>> ~ host -t A exedra.cat
>>>>>>>> exedra.cat has address 66.96.147.160
>>>>>>>>
>>>>>>>>
>>>>>>>> The thing is i'm 99% sure i used to join the domain by supplying SRV1
>>>>>>>> string on "member of domain" input but now it looks like Windows
>>>>>>>> clients are not able to resolve SRV1 to 192.168.69.203 which is the
>>>>>>>> ubuntu machine which hosts the samba+ldap PDC.
>>>>>>>>
>>>>>>> --
>>>>>>> Denis Cardon
>>>>>>> Tranquil IT Systems
>>>>>>> Les Espaces Jules Verne, bâtiment A
>>>>>>> 12 avenue Jules Verne
>>>>>>> 44230 Saint Sébastien sur Loire
>>>>>>> tel : +33 (0) 2.40.97.57.55
>>>>>>> http://www.tranquil-it-systems.fr
>>>>>>>
>>
>>
>


