[Samba] Problem joining windows clients to Samba AD

Léo dlopoel at gmail.com
Wed Aug 21 12:11:52 UTC 2024


Hello Rowland,

Here it is:

smb.conf:
---
[global]
dns forwarder = 9.9.9.9
netbios name = DC1
realm = AD.EXAMPLE.COM
server role = active directory domain controller
workgroup = AD
idmap_ldb:use rfc2307  = yes

min protocol = SMB2
ntlm auth = mschapv2-and-ntlmv2-only

restrict anonymous = 2
disable netbios = yes
smb ports = 445

printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

tls enabled = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/ad.example.com/scripts
read only = No
---

It is, indeed, the same one on DC2 (except for the netbios name of course).

On Wed, 21 Aug 2024 at 14:05, Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Wed, 21 Aug 2024 13:46:05 +0200
> Léo via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I come to you after several days of research about my problem: I
> > cannot make Windows clients join my Samba AD domain anymore.
> >
> > My domain is built with two Samba AD DCs, dc1 and dc2, that are both
> > Debian 12.6, up to date, and use the Debian Samba packages
> > (4.17.12+dfsg-0+deb12u1). dc1 has all FSMO roles.
> >
> > When I try to make a Windows computer join the domain, I get an error
> > saying the domain could not be contacted. Logs are:
> >
> >
> > C:\Windows\debug\dcdiag.txt:
> > ---
> > DNS was successfully queried for the service location (SRV) resource
> > record used to locate a domain controller for domain "ad.example.com":
> >
> > The query was for the SRV record for
> > _ldap._tcp.dc._msdcs.ad.example.com
> >
> > The following domain controllers were identified by the query:
> > dc2.ad.example.com
> > dc1.ad.example.com
> >
> >
> > However no domain controllers could be contacted.
> >
> > Common causes of this error include:
> >
> > - Host (A) or (AAAA) records that map the names of the domain
> > controllers to their IP addresses are missing or contain incorrect
> > addresses.
> >
> > - Domain controllers registered in DNS are not connected to the
> > network or are not running.
> > ---
> >
> >
> > C:\Windows\debug\NetSetup.LOG:
> > ---
> > 08/21/2024 00:18:10:477
> > -----------------------------------------------------------------
> > 08/21/2024 00:18:10:477 NetpValidateName: checking to see if 'PC11' is
> > valid as type 1 name
> > 08/21/2024 00:18:10:477 NetpCheckNetBiosNameNotInUse for 'PC11'
> > [MACHINE] returned 0x0
> > 08/21/2024 00:18:10:477 NetpValidateName: name 'PC11' is valid for
> > type 1
> > 08/21/2024 00:18:10:477
> > -----------------------------------------------------------------
> > 08/21/2024 00:18:10:477 NetpValidateName: checking to see if 'PC11' is
> > valid as type 5 name
> > 08/21/2024 00:18:10:477 NetpValidateName: name 'PC11' is valid for
> > type 5
> > 08/21/2024 00:18:10:477
> > -----------------------------------------------------------------
> > 08/21/2024 00:18:10:477 NetpValidateName: checking to see if
> > 'ad.example.com' is valid as type 3 name
> > 08/21/2024 00:18:10:477 NetpValidateName: 'ad.example.com' is not a
> > valid NetBIOS domain name: 0x7b
> > 08/21/2024 00:18:25:477 NetpCheckDomainNameIsValid for ad.example.com
> > returned 0x54b, last error is 0x0
> > 08/21/2024 00:18:25:477 NetpCheckDomainNameIsValid [ Exists ] for '
> > ad.example.com' returned 0x54b
> > ---
> >
> > Most resources online say this can come from:
> >  - connectivity issues: I removed all firewall rules, on DC hosts and
> > on the network, no change
> >  - name resolution issues: I checked the Windows PC is correctly
> > using both DCs as DNS resolvers, I also used samba_dnsupdate to
> > make sure DNS records are correct, and also manually checked these
> > records from the Windows PC; I could not find any problem in them.
> >
> > I also ran other diagnostic commands:
> >  - samba-tool drs showrepl: no sync issues between both DCs,
> >  - samba-tool dbcheck --cross-ncs --fix: no fixes required
> >
> > On Linux clients, I noticed that they can join the domain when using
> > sssd, but have the same problem as Windows clients when trying to join
> > with samba-tool or net ads join commands.
> >
> > I hope someone can help figure this out!
> >
> > Thank you!
> >
> > Leo
>
> Can we start by seeing the smb.conf file from one of the DCs (I take
> it they are similar).
>
> Rowland


