[Samba] Problem to join a windows XP

Rowland Penny rpenny at samba.org
Tue Apr 23 20:23:32 UTC 2019


On Tue, 23 Apr 2019 19:27:21 +0000
Rogerio Bettini via samba <samba at lists.samba.org> wrote:

> Hi,
> I'm not able to join a Windows XP machine to a Samba AD DC. This XP
> machine is a VM. No problems when joining Windows 10 machines to this
> DC.
> 
> On XP machine, after inserting the Administrator username\password to
> join the domain, the error message is - error while attempting to
> join the domain "VIDROESTE.IND": Internal error. I can see that the
> XP machine account was created in AD but it is disabled. In this AD
> account, there is no information at the "DNS name" property.
> 
> All the tests suggested in the wiki were successfully executed
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS
> 
> 
> For samba AD-DC, I'm using:
> - OpenSuSE Leap 15.0
> - no AppArmor or SELinux active
> - Samba version is Version
> 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUSE-oS15.0-x86_64
> - using Bind9
> 
> Has someone experienced something similar? Thanks in advance.
> 
> My smb.conf is below.
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8 8.8.4.4
> bind interfaces only = Yes
> interfaces = eth0
> netbios name = DC1
> realm = VIDROESTE.IND
> server string = Suse Leap 15.0
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate workgroup = VIDROESTE
> idmap_ldb:use rfc2307 = yes
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8 8.8.4.4
> bind interfaces only = Yes
> interfaces = eth0
> netbios name = DC1
> realm = VIDROESTE.IND
> server string = Suse Leap 15.0
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate workgroup = VIDROESTE
> idmap_ldb:use rfc2307 = yes
> 
> #To windows XP
> ntlm auth = yes
> lanman auth = yes
> #log level = 10
> 
> [netlogon]
> path = /var/lib/samba/sysvol/vidroeste.ind/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No ntlm auth = yes
> lanman auth = yes
> #log level = 10
> 
> [netlogon]
> path = /var/lib/samba/sysvol/vidroeste.ind/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No

Unless that is the biggest typo I have seen, you have everything twice.
Can I suggest you ensure your smb.conf is just this:

[global]
bind interfaces only = Yes
interfaces = eth0
netbios name = DC1
realm = VIDROESTE.IND
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = VIDROESTE
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/vidroeste.ind/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Check that you have your forwarders set in your named.conf files (they
are in your smb.conf at the moment, where they will do nothing).

Next turn your attention to the XP machine and make it use NTLMv2, see
here:

https://support.symantec.com/en_US/article.HOWTO54187.html

Finally, I do not know what Kerberos your SUSE packages are using, so
you need to find out. If it is MIT, then I would suggest you stop using
them; using MIT is experimental and shouldn't be used in production.

Rowland
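
An added example, not part of the original message or of Samba: a small Python check that flags the problems visible in the quoted smb.conf (repeated sections and parameters, lines fused or wrapped by mail formatting, and the parameters the reply leaves out). The function name `lint_smb_conf` and the `SAMPLE` text are assumptions constructed for illustration.

```python
import re

# Parameters present in the poster's file but absent from the smb.conf
# suggested in the reply (the forwarders belong in named.conf with Bind9).
DROPPED = {"dns forwarder", "ntlm auth", "lanman auth"}

# Constructed sample, shortened from the shape of the quoted file.
SAMPLE = """\
[global]
dns forwarder = 8.8.8.8 8.8.4.4
netbios name = DC1
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate workgroup = VIDROESTE
[global]
netbios name = DC1
lanman auth = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No ntlm auth = yes
"""

def lint_smb_conf(text):
    """Return (line_no, message) findings for the text of an smb.conf."""
    findings, sections, seen, section = [], set(), {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            if section in sections:
                findings.append((no, f"section [{section}] repeated"))
            sections.add(section)
            continue
        key, sep, value = line.partition("=")
        key = " ".join(key.lower().split())
        if not sep or "," in key:         # no '=' or a list spilled into the name
            findings.append((no, f"wrapped or stray text, not a parameter: {line!r}"))
            continue
        if "=" in value:
            findings.append((no, f"two parameters fused on one line: {line!r}"))
        if (section, key) in seen:
            findings.append((no, f"'{key}' already set on line {seen[(section, key)]}"))
        seen.setdefault((section, key), no)
        if key in DROPPED:
            findings.append((no, f"'{key}' is not in the suggested smb.conf"))
    return findings
```

Calling `lint_smb_conf(open(path).read())` on a real file returns the same kind of list; an empty list means none of these patterns were found.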


