[Samba] Windows 10 won't join Samba 3 domain
Konstantin Boyandin
lists at boyandin.info
Thu Jul 19 09:36:45 UTC 2018
Hello,

Given:
- Samba 3 domain is set up (runs on Samba 3.6.23, domain name "LAN")
- Windows 10 Enterprise workstation

1. Workstation (currently in WORKGROUP workgroup) is assigned computer
(NetBIOS) name "sirius"
2. The instructions below:
https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains
have been applied (the 2 registry values added, workstation rebooted)
3. Corresponding machine name has been added on Samba PDC via
    useradd -M -g 515 sirius$
    smbpasswd -a -m sirius
4. Firewall settings on Windows machine do not prevent communication
with the PDC.

When I try to join workstation to domain LAN (from "This PC" ->
"Properties" -> "Change settings"), the only reaction is pop-up:
============= details below
An Active Directory Domain Controller (AD DC) for the domain "LAN" could
not be contacted"
Ensure that the domain name is typed correctly.
If the name is correct, click "Details" for troubleshooting
information."
============= details above
When I click "Details", the below is displayed:
============= details below
Note: This information is intended for a network administrator. If you
are not your network's administrator, notify the administrator that you
received this information, which has been recorded in the file
C:\WINDOWS\debug\dcdiag.txt.
The domain name "LAN" might be a NetBIOS domain name. If this is the
case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the
following information can help you troubleshoot your DNS configuration.
The following error occurred when DNS was queried for the service
location (SRV) resource record used to locate an Active Directory Domain
Controller (AD DC) for domain "LAN":
The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.LAN
Common causes of this error include the following:
- The DNS SRV records required to locate a AD DC for the domain are not
registered in DNS. These records are registered with a DNS server
automatically when a AD DC is added to a domain. They are updated by the
AD DC at set intervals. This computer is configured to use DNS servers
with the following IP addresses:
10.1.0.1
10.1.0.5
- One or more of the following zones do not include delegation to its
child zone:
LAN
. (the root zone)
============= details above
/etc/samba/smb.conf:
============= smb.conf below
[global]
unix charset = UTF8
workgroup = LAN
netbios name = PDCLAN
server max protocol = NT1
server string = PDCLAN - LAN Samba PDC
passdb backend =ldapsam:"ldap://127.0.0.1 ldap://10.1.0.10"
username map = /etc/samba/smbusers
interfaces = eth0 lo
bind interfaces only = yes
enable privileges = yes
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -W '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = %u.bat
logon drive = W:
logon home = \\%L\%u
logon path = \\%L\profiles\%u
domain logons = Yes
domain master = Yes
wins support = Yes
ldapsam:trusted = no
ldap ssl = off
ldap suffix = dc=company,dc=lan
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=company,dc=lan
idmap backend = ldap://127.0.0.1
idmap uid = 500-20000
idmap gid = 500-20000
printer admin = root
printing = cups
============= smb.conf above
PDC lives in intranet, in DNS root zone .lan.
Note: there were many Windows 7, Windows 8/8.1, other Windows 10;
Windows 2012, and Windows 1026 servers which joined the above domain,
following the same instructions, without a glitch.
I would appreciate any helpful piece of advice.
Sincerely,
Konstantin
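
An added example, not part of the original post and not Samba project code: a Python check that parses the [global] section posted above and flags its two settings with security impact, the SMB1 protocol cap and unencrypted LDAP to a non-loopback passdb server. The finding labels and the embedded sample (a subset of the posted smb.conf) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a subset of the [global] section from the post.
SAMPLE = """\
[global]
workgroup = LAN
server max protocol = NT1
passdb backend =ldapsam:"ldap://127.0.0.1 ldap://10.1.0.10"
ldap ssl = off
ldap admin dn = cn=Manager,dc=company,dc=lan
idmap backend = ldap://127.0.0.1
"""

def parse_global(text):
    """Return [global] parameters; keys lower-cased, inner spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def audit(params):
    """Return findings (labels are hypothetical) for SMB1 caps and cleartext LDAP."""
    findings = []
    proto = params.get("server max protocol") or params.get("max protocol", "")
    if proto.upper() in {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}:
        findings.append(f"smb1-cap: max protocol is {proto.upper()}")
    backends = " ".join(params.get(k, "") for k in ("passdb backend", "idmap backend"))
    # \bldap:// skips ldaps://, which is already wrapped in TLS.
    hosts = re.findall(r"\bldap://([^\s\"/:]+)", backends)
    remote = sorted({h for h in hosts if not is_loopback(h)})
    if remote and params.get("ldap ssl", "").lower() == "off":
        findings.append("cleartext-ldap: " + ", ".join(remote))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_global(SAMPLE)):
        print(finding)
```

With `ldap ssl = off`, the bind as `ldap admin dn` to 10.1.0.10 crosses the network unencrypted; `ldap ssl = start tls` is the Samba setting that wraps that connection in TLS.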