[Samba] Suddenly Windows clients can't join Samba+ldap PDC anymore

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri May 20 20:45:55 UTC 2016


Are you running a WINS server (maybe you already mentioned this)?  That
tends to help minimize some classic Samba issues.

On my PDC

        root@mypdc:~# testparm -v | more
        Load smb config files from /etc/samba/smb.conf
        rlimit_max: increasing rlimit_max (256) to minimum Windows limit
        (16384)
        Processing section "[netlogon]"
        WARNING: The "share modes" option is deprecated
        Processing section "[config]"
        WARNING: The "share modes" option is deprecated
        Processing section "[printers]"
        Loaded services file OK.
        Server role: ROLE_DOMAIN_PDC
        Press enter to see a dump of your service definitions
        [global]
                 dos charset = CP850
                 unix charset = UTF8
                 display charset = UTF8
                 workgroup = MYDOMAIN
                 realm =
                 netbios name = MYPDC
                 netbios aliases =
                 netbios scope =
                 server string = mypdc
                 interfaces =
                 bind interfaces only = No
                 security = USER
        ...
                 smb ports = 445 139
        ...
                 wins server =
                 wins support = Yes




Make sure that on the Windows clients, "ipconfig /all" shows a WINS
server.  Also make sure that you have NOT disabled netbios-over-tcpip.
This is enabled by default on Windows 7.  I don't think it is disabled
on Windows 10 by default.



I ran into an issue this week where, even though I don't use IPv6, some
Windows machines were attempting to resolve names via invalid DNS
servers specified in IPv6 settings.



On 05/20/16 16:06, Pau Peris wrote:
> Excuse me for the little flood please, i've just checked it again and
> now i see SRV1 as master for exedra.cat workgroup, i even can see in
> the logs   Samba name server SRV1 is now a local master browser for
> workgroup EXEDRA.CAT on subnet 192.168.69.203
>
> So i'll keep digging on how to fix the issue exposed on my first
> email, tomorrow i'll try to see whether it's an IPV6 issue or not.
>
> On Fri, May 20, 2016 at 9:59 PM, Pau Peris <pau at webeloping.es> wrote:
>> Right now i'm out of the office and i have no way to remotely work
>> with the Windows machines so i've been upgrading the server to Ubuntu
>> 16.04. Everything seems to be working as before but i'm wondering why
>> right now the Master value is blank for Workgroup exedra.cat Any idea?
>>
>> # smbclient -L localhost
>> WARNING: The "syslog" option is deprecated
>> Enter root's password:
>> Domain=[EXEDRA.CAT] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
>>
>>          Sharename       Type      Comment
>>          ---------       ----      -------
>>          Dropbox         Disk      Dropbox content
>>          public          Disk      Public Share
>>          print$          Disk      Printer Drivers Download Area
>>          IPC$            IPC       IPC Service (exedra.cat)
>>          root            Disk      Home Directories
>>          PLOTTER         Printer   PLOTTER
>>          OfficeJetK850   Printer   HP Officejet Pro K850
>>          HPDesignJet500  Printer   HPDesignJet500
>>          RICOH           Printer   RICOH Aficio MP C2500
>> Domain=[EXEDRA.CAT] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
>>
>>          Server               Comment
>>          ---------            -------
>>          SRV1                 exedra.cat
>>
>>          Workgroup            Master
>>          ---------            -------
>>          EXEDRA.CAT
>>
>> On Fri, May 20, 2016 at 7:40 PM, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com> wrote:
>>> You should be able to unbind ipv6 for the win 10 machine's network
>>> interface.
>>>
>>>
>>>
>>> does "nslookup SRV1" work?
>>>
>>>
>>> Also, you may want to try running tcpdump  or ethereal or wireshark on our
>>> PDC and see what traffic is captured.
>>>
>>>
>>> On 05/20/16 13:24, Pau Peris wrote:
>>>> I'm completely lost as i can ping SRV1 without issues but i'm starting
>>>> to think that maybe Windows tries to join the domain through IPV6.
>>>> ping -c6 SRV1 from this Windows 10 machine leads to host not found so
>>>> i'm working on this direction right now.
>>>>
>>>> Any help will be really appreciated
>>>>
>>>> On Fri, May 20, 2016 at 5:04 PM, Gaiseric Vandal
>>>> <gaiseric.vandal at gmail.com> wrote:
>>>>> I was trying to fix a problem on Windows 10 with Outlook 2013.   Also
>>>>> running an NT4-style domain.    The machine had already been joined to
>>>>> the
>>>>> domain and outlook had been working but recently not (probably after
>>>>> patch
>>>>> tuesday.)       I also had had problems with Win 10 mail and RDP.
>>>>> I
>>>>> came across the following link.
>>>>>
>>>>>
>>>>>
>>>>> http://superuser.com/questions/1019862/how-to-connect-windows-10-joined-to-samba-to-a-microsoft-account
>>>>>
>>>>>
>>>>>
>>>>> "Open the registry editor (regedit.exe), navigate to
>>>>>
>>>>> |HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb|
>>>>> and add a new DWORD subkey |ProtectionPolicy| with the value |1|."
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Seemed to fix my e-mail and RDP issues.   I don't know if I would have
>>>>> been
>>>>> unable to join the domain , since the machine was already joined.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 05/20/16 10:29, Pau Peris wrote:
>>>>>> Hi,
>>>>>>
>>>>>> i've tried adding server max protocol = NT1 into /etc/samba/smb.conf
>>>>>> and restarting smbd and nmbd services but it didn't do the trick.
>>>>>>
>>>>>> I feel like Windows clients are not able to resolve SRV1 into the PDC
>>>>>> and so they can't even try to join the domain.
>>>>>>
>>>>>> On Fri, May 20, 2016 at 4:22 PM, Pau Peris <pau at webeloping.es> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> thanks a lot for the tips. I already did the first one, importing the
>>>>>>> following into the registry:
>>>>>>>
>>>>>>> Windows Registry Editor Version 5.00
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
>>>>>>>
>>>>>>> "DomainCompatibilityMode"=dword:00000001
>>>>>>> "DNSNameResolutionRequired"=dword:00000000
>>>>>>>
>>>>>>> I didn't do the second tip but it looks like it's not needed for
>>>>>>> Windows 7 OS and i also had the same issue on a Windows 7 VMWare
>>>>>>> machine. I'm going to try it and see what happens.
>>>>>>>
>>>>>>> Thank u!
>>>>>>>
>>>>>>> On Fri, May 20, 2016 at 3:07 PM, Denis Cardon
>>>>>>> <denis.cardon at tranquil-it-systems.fr> wrote:
>>>>>>>> Hi Peris,
>>>>>>>>
>>>>>>>>> some years ago i configured a `Primary Domain Controller` through
>>>>>>>>> Samba and LDAP (slapd) on an Ubuntu machine (13.10) at 192.168.69.203
>>>>>>>>> which should be accessible by the string/name `SRV1`. I must note i
>>>>>>>>> did not install winbind. I've never had any issue and it looks like
>>>>>>>>> it's working fine as about 10 Windows machines joined the PDC and
>>>>>>>>> Windows users can login against PDC on daily basis.
>>>>>>>>>
>>>>>>>>> The method i always used to join the domain through Windows clients
>>>>>>>>> was
>>>>>>>>> right clicking on computer -> properties -> advanced system settings
>>>>>>>>> -> computer name -> change -> member of domain; and typing SRV1 in
>>>>>>>>> the
>>>>>>>>> input.
>>>>>>>>>
>>>>>>>>> But today i tried to join a Windows 10 Professional machine (i even
>>>>>>>>> tried on a virtualized Windows 7 Professional and suffered the same
>>>>>>>>> issue) to the PDC and i'm always getting this error:
>>>>>>>>
>>>>>>>> Did you make the required registry modification on the Windows
>>>>>>>> clients?
>>>>>>>>
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>>>>>>>
>>>>>>>> For Windows 10, you'll also need to limit SMB protocol to version 1 :
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_10:_There_are_currently_no_logon_servers_available_to_service_the_logon_request.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Denis
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Note: This information is intended for a network administrator.  If
>>>>>>>>> you are not your network’s administrator, notify the administrator
>>>>>>>>> that you received this information, which has been recorded in the
>>>>>>>>> file C:\Windows\debug\dcdiag.txt.
>>>>>>>>>
>>>>>>>>> The following error occurred when DNS was queried for the service
>>>>>>>>> location (SRV) resource record used to locate an Active Directory
>>>>>>>>> Domain Controller for domain SRV1:
>>>>>>>>> The error was: “DNS name does not exist.”
>>>>>>>>>
>>>>>>>>> (error code 0x0000232B RCODE_NAME_ERROR)
>>>>>>>>> The query was for the SRV record for _ldap._tcp.dc._msdcs.SRV1
>>>>>>>>> Common causes of this error include the following:
>>>>>>>>>
>>>>>>>>> - The DNS SRV records required to locate a AD DC for the domain are
>>>>>>>>> not registered in DNS. These records are registered with a DNS server
>>>>>>>>> automatically when a AD DC is added to a domain. They are updated by
>>>>>>>>> the AD DC at set intervals. This computer is configured to use DNS
>>>>>>>>> servers with the following
>>>>>>>>>
>>>>>>>>> IP addresses:
>>>>>>>>> x.y.w.z
>>>>>>>>>
>>>>>>>>> - One or more of the following zones do not include delegation to its
>>>>>>>>> child zone:
>>>>>>>>> SRV1
>>>>>>>>> . (the root zone)
>>>>>>>>> For information about correcting this problem, click Help.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> As you can see it looks like it's not possible to reach the PDC
>>>>>>>>> service
>>>>>>>>> at
>>>>>>>>> SRV1.
>>>>>>>>>
>>>>>>>>> The above error happens when i try to join the PDC by right clicking
>>>>>>>>> on computer -> properties -> advanced system settings -> computer
>>>>>>>>> name
>>>>>>>>> -> change -> member of domain; and typing SRV1 in the input.
>>>>>>>>>
>>>>>>>>> I also can ping SRV1 and it replies fine:
>>>>>>>>> C:\Users\admin>ping SRV1
>>>>>>>>> Haciendo ping a SRV1 [192.168.69.203] con 32 bytes de datos:
>>>>>>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>>>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>>>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>>>>>> Respuesta desde 192.168.69.203: bytes=32 tiempo<1m TTL=64
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I can even run win+r and type \\SRV1 press enter and it asks for a
>>>>>>>>> LDAP user and password and then it show the right resources according
>>>>>>>>> to the user rights.
>>>>>>>>>
>>>>>>>>> I already tried to adding in 192.168.69.203 SRV1 in
>>>>>>>>> C:\Windows\System32\drivers\etc\hosts but it didn't help.
>>>>>>>>>
>>>>>>>>> The Windows client IP trying to join the PDC is 192.168.69.49 so if i
>>>>>>>>> `tailf /var/log/samba/log.nmbd` while trying to join the PDC i can
>>>>>>>>> see:
>>>>>>>>> [2016/05/20 11:50:50,  3]
>>>>>>>>> nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>>>>>>>>>       process_name_query_request: Name query from 192.168.69.52 on
>>>>>>>>> subnet
>>>>>>>>> 192.168.69.203 for name SRV1<20>
>>>>>>>>> [2016/05/20 11:50:50,  3]
>>>>>>>>> nmbd/nmbd_incomingrequests.c:571(process_name_query_request)
>>>>>>>>>       OK
>>>>>>>>> [2016/05/20 11:50:54,  3]
>>>>>>>>> nmbd/nmbd_incomingrequests.c:456(process_name_query_request)
>>>>>>>>>       process_name_query_request: Name query from 192.168.69.49 on
>>>>>>>>> subnet
>>>>>>>>> 192.168.69.203 for name SRV1<1c>
>>>>>>>>>
>>>>>>>>> Reading this doc https://support.microsoft.com/en-us/kb/163409 i see
>>>>>>>>> Netbios type 20 means File Server Service and Netbios type 1c means
>>>>>>>>> Domain Controllers but i doubt the latter is fine as i don't see the
>>>>>>>>> Ok response and the doc say <domain> instead of <computername>:
>>>>>>>>>
>>>>>>>>> Name                Number(h)  Type  Usage
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --------------------------------------------------------------------------
>>>>>>>>> <computername>         20       U    File Server Service
>>>>>>>>> <domain>               1C       G    Domain Controllers
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This is the wins.dat file generated automatically by samba `cat
>>>>>>>>> /var/lib/samba/wins.dat`:
>>>>>>>>> VERSION 1 0
>>>>>>>>> "EXEDRA72#20" 1464037217 192.168.69.58 64R
>>>>>>>>> "EXEDRA.CAT#1c" 1463997523 192.168.69.203 e4R
>>>>>>>>> "EXEDRA.CAT#1e" 1463997523 0.0.0.0 e4R
>>>>>>>>> "EXEDRA72#00" 1464037217 192.168.69.58 64R
>>>>>>>>> "SRV1#03" 1463997523 192.168.69.203 66R
>>>>>>>>> "SRV1#20" 1463997523 192.168.69.203 66R
>>>>>>>>> "SRV1#00" 1463997523 192.168.69.203 66R
>>>>>>>>> "EXEDRA.CAT#1b" 1463997523 192.168.69.203 64R
>>>>>>>>> "EXEDRA.CAT#00" 1463997523 0.0.0.0 e4R
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This is the output of `cat /etc/hosts`:
>>>>>>>>> # cat /etc/hosts
>>>>>>>>> 127.0.0.1       localhost localhost.localdomain srv1.exedra.cat srv1
>>>>>>>>> exedra.dyndns.org exedra.cat
>>>>>>>>> 127.0.1.1       localhost localhost.localdomain srv1.exedra.cat srv1
>>>>>>>>> exedra.dyndns.org exedra.cat
>>>>>>>>> 192.168.69.203  localhost localhost.localdomain srv1.exedra.cat srv1
>>>>>>>>> exedra.dyndns.org exedra.cat
>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>> ::1     ip6-localhost ip6-loopback
>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> output of resolv.conf `cat /etc/resolv.conf`:
>>>>>>>>> domain exedra.cat
>>>>>>>>> search exedra.cat
>>>>>>>>> nameserver 80.58.61.250
>>>>>>>>> nameserver 80.58.61.254
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> hostname output `cat /etc/hostname`:  srv1.exedra.cat
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Here i post the output of `testparm -v`
>>>>>>>>> https://gist.github.com/sibok/2e5ec48bc4030e64984d4ed1cbebad1f
>>>>>>>>>
>>>>>>>>> This is the output of running  `smbclient -L localhost` on the
>>>>>>>>> server
>>>>>>>>> (192.168.69.203):
>>>>>>>>> smbclient -L localhost
>>>>>>>>> Enter root's password:
>>>>>>>>> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>>>>>>>>>
>>>>>>>>>             Sharename       Type      Comment
>>>>>>>>>             ---------       ----      -------
>>>>>>>>>             IPC$            IPC       IPC Service (exedra.cat)
>>>>>>>>>             print$          Disk      Printer Drivers Download Area
>>>>>>>>>             public          Disk      Public Share
>>>>>>>>>             Dropbox         Disk      Dropbox content
>>>>>>>>>             PLOTTER         Printer   PLOTTER
>>>>>>>>>             OfficeJetK850   Printer   HP Officejet Pro K850
>>>>>>>>>             HPDesignJet500  Printer   HPDesignJet500
>>>>>>>>>             RICOH           Printer   RICOH Aficio MP C2500
>>>>>>>>>             root            Disk      Home Directories
>>>>>>>>> Domain=[EXEDRA.CAT] OS=[Unix] Server=[Samba 3.6.18]
>>>>>>>>>
>>>>>>>>>             Server               Comment
>>>>>>>>>             ---------            -------
>>>>>>>>>             EXEDRA101            exedra101
>>>>>>>>>             SRV1                 exedra.cat
>>>>>>>>>
>>>>>>>>>             Workgroup            Master
>>>>>>>>>             ---------            -------
>>>>>>>>>             EXEDRA.CAT           SRV1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> As the last time i try adding a machine it was about a year ago i
>>>>>>>>> thought i might be wrong when typing SRV1  and instead i tried typing
>>>>>>>>> exedra.cat - but i'm 99% confident i just need to make sure Windows
>>>>>>>>> clients are capable of resolving SRV1 as 192.168.69.203 and then type
>>>>>>>>> SRV1 instead of exedra.cat - but it showed me the same error so i
>>>>>>>>> added the following records to the exedra.cat DNS zone (this is the
>>>>>>>>> first time i need to add SRV records to join the domain):
>>>>>>>>>
>>>>>>>>> _ldap._tcp.dc._msdcs.exedra.cat SRV 0 0 exedra.cat.
>>>>>>>>> _ldap._tcp.dc._msdcs.srv1.exedra.cat  SRV 0 0 exedra.cat.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> and by trying to join exedra.cat instead of SRV1 i get:
>>>>>>>>> Note: This information is intended for a network administrator.  If
>>>>>>>>> you are not your network's administrator, notify the administrator
>>>>>>>>> that you received this information, which has been recorded in the
>>>>>>>>> file C:\Windows\debug\dcdiag.txt.
>>>>>>>>>
>>>>>>>>> DNS was successfully queried for the service location (SRV) resource
>>>>>>>>> record used to locate a domain controller for domain "exedra.cat":
>>>>>>>>>
>>>>>>>>> The query was for the SRV record for _ldap._tcp.dc._msdcs.exedra.cat
>>>>>>>>>
>>>>>>>>> The following domain controllers were identified by the query:
>>>>>>>>> srv1.exedra.cat
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> However no domain controllers could be contacted.
>>>>>>>>>
>>>>>>>>> Common causes of this error include:
>>>>>>>>>
>>>>>>>>> - Host (A) or (AAAA) records that map the names of the domain
>>>>>>>>> controllers to their IP addresses are missing or contain incorrect
>>>>>>>>> addresses.
>>>>>>>>>
>>>>>>>>> - Domain controllers registered in DNS are not connected to the
>>>>>>>>> network or are not running.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Note the following resolutions:
>>>>>>>>> ~ host -t SRV _ldap._tcp.dc._msdcs.exedra.cat
>>>>>>>>> _ldap._tcp.dc._msdcs.exedra.cat has SRV record 0 0 389
>>>>>>>>> srv1.exedra.cat.
>>>>>>>>>
>>>>>>>>> ~ host -t SRV _ldap._tcp.dc._msdcs.srv1.exedra.cat
>>>>>>>>> _ldap._tcp.dc._msdcs.srv1.exedra.cat has SRV record 0 0 389
>>>>>>>>> srv1.exedra.cat.
>>>>>>>>>
>>>>>>>>> ~ host -t A srv1.exedra.cat
>>>>>>>>> srv1.exedra.cat has address 192.168.69.203
>>>>>>>>>
>>>>>>>>> ~ host -t A exedra.cat
>>>>>>>>> exedra.cat has address 66.96.147.160
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The thing is i'm 99% sure i used to join the domain by supplying SRV1
>>>>>>>>> string on "member of domain" input but now it looks like Windows
>>>>>>>>> clients are not able to resolve SRV1 to 192.168.69.203 which is the
>>>>>>>>> ubuntu machine which hosts the samba+ldap PDC.
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Denis Cardon
>>>>>>>> Tranquil IT Systems
>>>>>>>> Les Espaces Jules Verne, bâtiment A
>>>>>>>> 12 avenue Jules Verne
>>>>>>>> 44230 Saint Sébastien sur Loire
>>>>>>>> tel : +33 (0) 2.40.97.57.55
>>>>>>>> http://www.tranquil-it-systems.fr
>>>>>>>>
>>>
