[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range

Rowland Penny rpenny at samba.org
Wed Jul 18 15:53:53 UTC 2018

On Wed, 18 Jul 2018 17:25:51 +0200
Thomas Glanzmann via samba <samba at lists.samba.org> wrote:

> Hello,
> I try to connect with Active Directory Users and Computers from a
> W2k16 to a Samba 4.8.3 DC. I get the following error message:
> https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/screenshot-x1-2018-07-18-17_12_49.png
> ---------------------------
> Active Directory Domain Services
> ---------------------------
> Naming information cannot be located because:
> The procedure number is out of range.
> Contact your system administrator to verify that your domain is
> properly configured and is currently online.
> --------------------------- OK
> ---------------------------
> In the logs with debug level 3 I don't see anything. My Samba Config
> and setup script is here, my logs as well:
> https://thomas.glanzmann.de/static/63a3e0ba-8a9d-11e8-891f-f3ff022aacb0/

Your smb.conf is up the spout, there is a number of things wrong with

These are okay:

netbios name = ad
workgroup = V101
realm = V101.TUVL.DE
interfaces =
bind interfaces only = yes
lock directory = /local/samba-config/v101/lock
cache directory = /local/samba-config/v101/cache
pid directory = /local/samba-config/v101/pid
private dir = /local/samba-config/v101/private
state directory = /local/samba-config/v101/state
log file = /local/samba-config/v101/log/%m

These shouldn't be set or are defaults:
name resolve order = host
time server = yes
passdb backend = tdbsam
security = user
domain logons = yes
log level = 3
os level = 64
preferred master = yes
local master = yes
domain master = yes
tls keyfile  = key.pem
tls certfile = cert.pem
tls cafile   = ca.pem

This is definitely wrong:

dns forwarder =

You do not forward to itself.

This is all 'netlogon' needs:

comment = Domain Logon Service
path = /local/samba-config/v101/netlogon
read only = no

It doesn't need these:

valid users = %U
admin users = Administrator
browseable = no
guest ok = yes
locking = no

'sysvol' is okay except it needs to be writeable.

You also do not set the maximum password age with pdbedit.

> But what I really would like to do is enable the following:
> https://livelibrary.osisoft.com/LiveLibrary/content/en/vision-v1/GUID-799220A0-4967-45CE-A592-45E3FC10C752#addHistory=true&filename=GUID-4B33BAFA-A923-4550-B3DC-CAD83E3C0587.xml&docid=GUID-799220A0-4967-45CE-A592-45E3FC10C752&inner_id=&tid=&query=&scope=&resource=&toc=false&eventType=lcContent.loadDocGUID-799220A0-4967-45CE-A592-45E3FC10C752
> Setup delegation for a machine account 'Trust this computer for
> delegation to any service (Kerberos only)'. Is there a way to do this
> from the command line? For the user account I think that, I found it:
> (infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool
> delegation for-any-protocol
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
> on ldb_wrap open of secrets.ldb (infra)
> [/local/samba-config/v101] / /local/samba/bin/samba-tool delegation
> for-any-service
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
> on (infra) [/local/samba-config/v101] / /local/samba/bin/samba-tool
> delegation show
> -s /home/sithglan/work/scripts/lab/output/smb-v101.conf Administrator
> Note, my goal is to run 9 different active directory domains in
> different VLANs, so far I succeeded. And with samba my setup time
> went down from 10 minutes to 15 seconds. I'm setting up Active
> Directory Domains for training environments on a regular basis (once
> a week).
> I'm grateful for any pointers.

Yes try reading up on Samba AD more before trying to train others on
how to use it. ;-)


More information about the samba mailing list