[Samba] Problem joining windows clients to Samba AD
Rowland Penny
rpenny at samba.org
Wed Aug 21 13:44:41 UTC 2024
On Wed, 21 Aug 2024 15:04:35 +0200
Léo via samba <samba at lists.samba.org> wrote:
> > > ntlm auth = mschapv2-and-ntlmv2-only
> >
> > Why do you need the line above?
>
> This is part of security hardening, to prevent the use of the NTLMv1
> authentication protocol (except for the MSCHAPv2 authentication scheme).
>
> > > restrict anonymous = 2
> > > disable netbios = yes
> >
> > I am not sure that is the correct way to do it on a DC, I do know
> > that the 'nbt' server (the DC variant of nmbd) is running.
>
> This is also part of the security hardening. Same for disabling
> printing services, etc.
>
> > There isn't anything there that should be stopping you joining
> > computers, which sounds like a DNS problem, so I would start by
> > checking your DNS.
>
> Well, I checked all records from this list:
> https://learn.microsoft.com/en-us/archive/technet-wiki/7608.srv-records-registered-by-net-logon
> and all of them seem to be working.
>
> Also, nltest /dnsgetdc:ad.example.com correctly fetches the two Samba
> DCs, but nltest /dsgetdc:ad.example.com fails (0x54b
> ERROR_NO_SUCH_DOMAIN), like in the logs of my first message. It is
> like Windows was not actually using DNS to find the domain, but I
> think this is the default on recent editions, right?
>
This isn't something I have come across before, but I found this:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/cannot-join-computer-to-domain
It seems to describe your problem; perhaps the fix there will help.
Rowland