
[Samba] Windows XP cannot join Samba 4AD but win 7 can.


Sébastien Degouzon

Jul 21, 2014, 6:30:03 AM
Hello everybody,

I've got some troubles making Win XP join my samba4 AD, and, well, I'm
kind of stuck!

I use the binary distribution of Samba 4 for Ubuntu Trusty Server
(4.1.6), with bind9 DLZ as a DNS backend.

Everything works fine with Win7 workstations, but I get a message
"Internal Error" on Win XP workstation during the domain join.
The machine account is created on the server, but stated "disabled", and
the DNS entry is missing...

I've already checked time sync (works fine), and all the typical
pitfalls, and again, it works just fine with a Win 7 box...

FYI, my server is running on a KVM/Libvirt virtual machine, but I don't
think this is the issue. Also, I already ran tests with previous
releases of samba4 which worked well.

The log files show me that the Win 7 boxes use SMB2 protocol, and XP
uses NTLM: is this normal? (I thought XP could use SMB1, but maybe I'm
wrong)...

Any idea? Of course I can show every piece of information you might
need to resolve my issue...

Thank you very much for your help...


--
UBO <http://iut.univ-brest.fr>


Gaiseric Vandal

Jul 21, 2014, 10:40:02 AM
NTLM is related to authentication (The NT Lan Manager password hashing.)
SMB is the "Server Messaging Blocks" - aka CIFS - which is the
network file and print sharing protocol.

So your NTLM and SMB settings are not related to each other.



If I understand correctly - and maybe I don't - if you are using AD
then kerberos is used for authentication instead of NTLM. I don't know
if Samba 4 AD can fall back to NTLM for backward compatibility.

You can check Wikipedia to quickly determine which versions of NTLM and
SMB work with which clients.




Marc Muehlfeld

Jul 21, 2014, 2:10:02 PM
Hello Sébastien,

On 21.07.2014 11:58, Sébastien Degouzon wrote:
> I've got some troubles making Win XP join my samba4 AD, and, well, I'm
> kind of stuck!
>
> I use the binary distribution of Samba 4 for Ubuntu Trusty Server
> (4.1.6), with bind9 DLZ as a DNS backend.
>
> Everything works fine with Win7 workstations, but I get a message
> "Internal Error" on Win XP workstation during the domain join.
> The machine account is created on the server, but stated "disabled", and
> the DNS entry is missing...


Which account do you use to join the machine? The domain admin or have
you delegated the permission to a different account/group?

Domain Admin should always work.

If delegated, then have a look here:
https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions
In an earlier version of that HowTo I forgot to grant permissions to a
few attributes, which meant that I could join XP, but not Win7 (or was
it the other way around?).

In this context: You haven't changed ACLs on containers?


One more idea: If you provisioned/upgraded your domain with an early 4.0
version, you should fix the ACLs:
https://wiki.samba.org/index.php/Updating_Samba#Updates_of_early_Samba_4_version_on_Samba_Active_Directory_DCs

It doesn't hurt if you check your AD with the two 'samba-tool dbcheck'
commands without the '--fix', anyway.


Regards,
Marc
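
Added example, not part of the thread or of Samba: a directory-side check for the symptom reported above, reading the computer objects as LDIF (such as `ldbsearch` prints) and reporting whether the account is disabled and whether the join got as far as writing `dNSHostName` and `servicePrincipalName`. The sample records, host names and the `example.test` domain are constructed for illustration.

```python
# Added example: triage a half-finished domain join from computer-object LDIF.
# SAMPLE_LDIF is constructed; all names and values in it are hypothetical.

# userAccountControl bits (Microsoft-documented values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
}

SAMPLE_LDIF = """\
dn: CN=XP-BOX01,CN=Computers,DC=example,DC=test
sAMAccountName: XP-BOX01$
userAccountControl: 4098

dn: CN=WIN7-BOX01,CN=Computers,DC=example,DC=test
sAMAccountName: WIN7-BOX01$
userAccountControl: 4096
dNSHostName: win7-box01.example.test
servicePrincipalName: HOST/win7-box01.example.test
"""

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into {attr: [values]} records."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            rec.setdefault(attr, []).append(value)
        records.append(rec)
    return records

def triage(rec):
    """Return (account name, set flag names, findings) for one computer object."""
    uac = int(rec.get("userAccountControl", ["0"])[0])
    flags = [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]
    findings = []
    if uac & 0x0002:
        findings.append("account is disabled")
    for attr in ("dNSHostName", "servicePrincipalName"):
        if attr not in rec:
            findings.append(f"{attr} not set")
    return rec["sAMAccountName"][0], flags, findings

if __name__ == "__main__":
    for record in parse_ldif(SAMPLE_LDIF):
        print(triage(record))
```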

Sébastien Degouzon

Jul 21, 2014, 5:30:02 PM


Ok, thank you, I currently use the "administrator" account and I didn't
modify ACL on the containers.

But today, great news:
I built a brand new AD controller from scratch, using the official samba
Howto - and guess what? Everything works! (the same Windows XP boxes
were able to join the domain, apply GPOs etc).

I guess I'll stick with this method (build from sources) as I've got the
feeling there's something wrong with the Ubuntu packages. I've not been
able to determine what's the issue, but I may investigate further.
I was very surprised as I never had any problems of this kind during my
early tests (always with compiled samba). I guess it began with the
switch to the repo version of Samba (as of Ubuntu 14.04).

Anyway, thank you for your tip, and I hope I can help somehow!

Regards
Sébastien