[Samba] Windows 10 won't join Samba 3 domain

Rowland Penny rpenny at samba.org
Thu Jul 19 10:55:54 UTC 2018


On Thu, 19 Jul 2018 16:36:45 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> Given:
> - Samba 3 domain is set up (runs on Samba 3.6.23, domain name "LAN")
> - Windows 10 Enterprise workstation
> 
> 1. Workstation (currently in WORKGROUP workgroup) is assigned
> computer (NetBIOS) name "sirius"
> 
> 2. The instructions below:
> 
> https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains
> 
> have been applied (the 2 registry values added, workstation rebooted)
> 
> 3. Corresponding machine name has been added on Samba PDC via
> 
> useradd -M -g 515 sirius$
> smbpasswd -a -m sirius
> 
> 4. Firewall settings on Windows machine do not prevent communication 
> with the PDC.
> 
> When I try to join workstation to domain LAN (from "This PC" -> 
> "Properties" -> "Change settings"), the only reaction is pop-up:
> 
> ============= details below
> An Active Directory Domain Controller (AD DC) for the domain "LAN"
> could not be contacted"
> Ensure that the domain name is typed correctly.
> If the name is correct, click "Details" for troubleshooting 
> information."
> ============= details above
> 
> When I click "Details", the below is displayed:
> 
> ============= details below
> Note: This information is intended for a network administrator.  If
> you are not your network's administrator, notify the administrator
> that you received this information, which has been recorded in the
> file C:\WINDOWS\debug\dcdiag.txt.
> 
> The domain name "LAN" might be a NetBIOS domain name.  If this is the 
> case, verify that the domain name is properly registered with WINS.
> 
> If you are certain that the name is not a NetBIOS domain name, then
> the following information can help you troubleshoot your DNS
> configuration.
> 
> The following error occurred when DNS was queried for the service 
> location (SRV) resource record used to locate an Active Directory
> Domain Controller (AD DC) for domain "LAN":
> 
> The error was: "DNS name does not exist."
> (error code 0x0000232B RCODE_NAME_ERROR)
> 
> The query was for the SRV record for _ldap._tcp.dc._msdcs.LAN
> 
> Common causes of this error include the following:
> 
> - The DNS SRV records required to locate a AD DC for the domain are
> not registered in DNS. These records are registered with a DNS server 
> automatically when a AD DC is added to a domain. They are updated by
> the AD DC at set intervals. This computer is configured to use DNS
> servers with the following IP addresses:
> 
> 10.1.0.1
> 10.1.0.5
> 
> - One or more of the following zones do not include delegation to its 
> child zone:
> 
> LAN
> . (the root zone)
> ============= details above
> 
> /etc/samba/smb.conf:
> ============= smb.conf below
> [global]
> unix charset = UTF8
> workgroup = LAN
> netbios name = PDCLAN
> server max protocol = NT1
> server string = PDCLAN - LAN Samba PDC
> passdb backend =ldapsam:"ldap://127.0.0.1 ldap://10.1.0.10"
> username map = /etc/samba/smbusers
> interfaces = eth0 lo
> bind interfaces only = yes
> enable privileges = yes
> log level = 1
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 0
> name resolve order = wins bcast hosts
> time server = Yes
> printcap name = CUPS
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel '%u'
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -W '%u'
> shutdown script = /var/lib/samba/scripts/shutdown.sh
> abort shutdown script = /sbin/shutdown -c
> logon script = %u.bat
> logon drive = W:
> logon home = \\%L\%u
> logon path = \\%L\profiles\%u
> domain logons = Yes
> domain master = Yes
> wins support = Yes
> ldapsam:trusted = no
> ldap ssl = off
> ldap suffix = dc=company,dc=lan
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=company,dc=lan
> idmap backend = ldap://127.0.0.1
> idmap uid = 500-20000
> idmap gid = 500-20000
> printer admin = root
> printing = cups
> ============= smb.conf above
> 
> PDC lives in intranet, in DNS root zone .lan.
> 
> Note: there were many a Windows 7, Windows 8/8.1, other Windows 10; 
> Windows 2012, and Windows 1026 servers which joined the above domain, 
> following the same instructions, without a glitch.
> 
> I would appreciate any helpful piece of advice.
> 
> Sincerely,
> Konstantin
> 

The most helpful advice I can give you is: start planning to upgrade to
Active Directory NOW. Microsoft seems to be making it almost impossible
to join Windows 10 to an NT4-style domain; there have been several
similar posts about this recently.

Rowland
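
An added example, not part of either message: a small Python check over the smb.conf settings quoted above. It reports that the server is an NT4-style PDC (so the DNS SRV lookup in the error text has nothing to find and the client depends on NetBIOS/WINS) and flags two settings worth reviewing, the SMB1 protocol cap and the unencrypted LDAP passdb connection. The sample input is constructed from the post, and the finding labels are this example's own.

```python
import re

# Constructed sample: a subset of the [global] settings quoted in the post.
SAMPLE = """\
[global]
workgroup = LAN
server max protocol = NT1
passdb backend =ldapsam:"ldap://127.0.0.1 ldap://10.1.0.10"
domain logons = Yes
domain master = Yes
wins support = Yes
ldap ssl = off
"""
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
LOCAL = {"127.0.0.1", "localhost", "[::1]"}

def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def is_true(value):
    return str(value).lower() in ("yes", "true", "1")

def audit(text):
    """Return finding labels (names chosen for this example)."""
    p, notes = parse_global(text), []
    if is_true(p.get("domainlogons")) and is_true(p.get("domainmaster")):
        notes.append("nt4-pdc: no AD SRV records, clients must find it via NetBIOS")
        if not is_true(p.get("winssupport")) and "winsserver" not in p:
            notes.append("no-wins: domain name resolvable by broadcast only")
    if p.get("servermaxprotocol", "").upper() in SMB1_DIALECTS:
        notes.append("smb1-cap: server limited to SMB1 dialects")
    hosts = re.findall(r'ldap://([^\s"/]+)', p.get("passdbbackend", ""))
    remote = [h for h in hosts if h not in LOCAL]
    if remote and p.get("ldapssl", "").lower() in ("off", "no"):
        notes.append("ldap-cleartext: " + ",".join(remote))
    return notes
```

Running `audit(SAMPLE)` on the quoted settings returns the PDC, SMB1 and LDAP findings; the WINS finding appears only when neither `wins support` nor `wins server` is set.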


