Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Windows 7 samba 4 domain join problem
101 views
Skip to first unread message
jared.m....@l-3com.com
Sep 5, 2013, 5:10:02 PM9/5/13
to
I stood up a samba 4 (4.0.9) Active Directory domain controller on a Red
Hat Enterprise Linux 6.3 server, configured in accordance with the Samba
AD DC HOWTO <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO> , and
tailored to the domain name I want. I'm trying to join a Windows 7
Enterprise Edition client to the domain. Windows responds with "Your
computer could not be joined to the domain because the following error
has occurred: The network path was not found." The network between the
Windows 7 box and the samba server is very simple, consisting of a
single switch. The network itself is also very simple, consisting of 3
Red Hat servers, a NAS, and the workstation. The network is not
connected to the Internet in any way.
I used wireshark to capture the message exchange. It looks to me like
the DNS stuff is working right - as far as it gets - but something is
misconfigured with the LDAP server, and I can't figure out what. I
can't provide the pcap file, but here's a summary of the messages
exchanged (C = Win 7 client, S = samba server, pretending client IP is
192.168.0.3, server IP is 192.168.0.4, server name is server, client
name is client, and domain name is domain.name):
1. C->S: NBNS - Name Query NB domain
2. S->C: NBNS - Name Query response NB 192.168.0.4
3. C->S: DNS SRV _ldap._tcp.dc._msdcs.domain.name
4. S->C: DNS SRV 0 100 389 server.domain.name
5. C->S: DNS A server.domain.name
6. S->C: DNS A 192.168.0.4
7. C->S: CLDAP search request "<ROOT>" baseobject
a. Filter: DnsDomain=domain.name && Host=CLIENT &&
NtVer=0x00000016
b. Attributes: netlogon
8. S->C: CLDAP searchresentry
a. Type: netlogon
b. Opcode: LOGON_SAM_LOGON_RESPONSE_EX
c. Flags: GoodTimeServ, Writable, Closest, Timeserv, KDC, DS,
LDAP, GC, PDC
d. Forest: domain.name
e. Domain: domain.name
f. Hostname: CLIENT
g. NetBIOS domain: DOMAIN
h. NetBIOS Hostname: SERVER
9. C->S: DNS SRV _ldap._tcp.dc._msdcs.domain.name
10. S->C: DNS SRV 0 100 389 server.domain.name
11. C->S: CLDAP (same as message 7)
12. S->C: CLDAP (same as message 8)
13. C->S: CLDAP search request "<ROOT>" baseobject
a. Filter: DnsDomain=domain.name && Host=CLIENT && User=CLIENT &&
AAC=80:01:00:00 && NtVer=0x20000016
b. Attributes: netlogon
14. S->C: CLDAP serchresentry
a. Type: netlogon
b. Opcode: LOGON_SAM_USER_UNKNOWN_EX
Based on this exchange, it looks like the Win 7 client is trying to use
the username CLIENT (message 13) rather than the "Administrator"
username I put in when attempting to join the domain, and the server is
rejecting that user because it doesn't know that user.
Is it normal for the Win 7 client to use the computer name for the
username, here? Did I miss something in the HOWTO? Am I supposed to
add the client computer name to the Active Directory before trying to
join the domain?
Thanks for any light you can shed on this.
Jared
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Hat Enterprise Linux 6.3 server, configured in accordance with the Samba
AD DC HOWTO <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO> , and
tailored to the domain name I want. I'm trying to join a Windows 7
Enterprise Edition client to the domain. Windows responds with "Your
computer could not be joined to the domain because the following error
has occurred: The network path was not found." The network between the
Windows 7 box and the samba server is very simple, consisting of a
single switch. The network itself is also very simple, consisting of 3
Red Hat servers, a NAS, and the workstation. The network is not
connected to the Internet in any way.
I used wireshark to capture the message exchange. It looks to me like
the DNS stuff is working right - as far as it gets - but something is
misconfigured with the LDAP server, and I can't figure out what. I
can't provide the pcap file, but here's a summary of the messages
exchanged (C = Win 7 client, S = samba server, pretending client IP is
192.168.0.3, server IP is 192.168.0.4, server name is server, client
name is client, and domain name is domain.name):
1. C->S: NBNS - Name Query NB domain
2. S->C: NBNS - Name Query response NB 192.168.0.4
3. C->S: DNS SRV _ldap._tcp.dc._msdcs.domain.name
4. S->C: DNS SRV 0 100 389 server.domain.name
5. C->S: DNS A server.domain.name
6. S->C: DNS A 192.168.0.4
7. C->S: CLDAP search request "<ROOT>" baseobject
a. Filter: DnsDomain=domain.name && Host=CLIENT &&
NtVer=0x00000016
b. Attributes: netlogon
8. S->C: CLDAP searchresentry
a. Type: netlogon
b. Opcode: LOGON_SAM_LOGON_RESPONSE_EX
c. Flags: GoodTimeServ, Writable, Closest, Timeserv, KDC, DS,
LDAP, GC, PDC
d. Forest: domain.name
e. Domain: domain.name
f. Hostname: CLIENT
g. NetBIOS domain: DOMAIN
h. NetBIOS Hostname: SERVER
9. C->S: DNS SRV _ldap._tcp.dc._msdcs.domain.name
10. S->C: DNS SRV 0 100 389 server.domain.name
11. C->S: CLDAP (same as message 7)
12. S->C: CLDAP (same as message 8)
13. C->S: CLDAP search request "<ROOT>" baseobject
a. Filter: DnsDomain=domain.name && Host=CLIENT && User=CLIENT &&
AAC=80:01:00:00 && NtVer=0x20000016
b. Attributes: netlogon
14. S->C: CLDAP serchresentry
a. Type: netlogon
b. Opcode: LOGON_SAM_USER_UNKNOWN_EX
Based on this exchange, it looks like the Win 7 client is trying to use
the username CLIENT (message 13) rather than the "Administrator"
username I put in when attempting to join the domain, and the server is
rejecting that user because it doesn't know that user.
Is it normal for the Win 7 client to use the computer name for the
username, here? Did I miss something in the HOWTO? Am I supposed to
add the client computer name to the Active Directory before trying to
join the domain?
Thanks for any light you can shed on this.
Jared
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
jared.m....@l-3com.com
Sep 10, 2013, 10:30:02 AM9/10/13
to
Thanks for your help.
I tried configuring the Windows 7 registry settings listed here, even
though it says it shouldn't be necessary for an Active Directory domain:
https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains.
The client acts exactly the same.
Are there other registry settings somewhere else, or is this some other
problem?
Jared
From: luisfor...@gmail.com [mailto:luisfor...@gmail.com]
Sent: Friday, September 06, 2013 6:25 AM
To: Jacobson, Jared M @ CSG - CSW
Subject: Re: [Samba] Windows 7 samba 4 domain join problem
Greetings Jared.
Let's start the troubleshoot with Win7. Normally you need to modofy it's
registry to Win7 work with Samba. Was it done?
Att.
2013/9/5 <jared.m....@l-3com.com>
I stood up a samba 4 (4.0.9) Active Directory domain controller on a Red
Hat Enterprise Linux 6.3 server, configured in accordance with the Samba
AD DC HOWTO <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO> , and
tailored to the domain name I want. I'm trying to join a Windows 7
Enterprise Edition client to the domain. Windows responds with "Your
computer could not be joined to the domain because the following error
has occurred: The network path was not found."
I used wireshark to capture the message exchange. ... here's a summary
13. C->S: CLDAP search request "<ROOT>" baseobject
a. Filter: DnsDomain=domain.name && Host=CLIENT && User=CLIENT &&
AAC=80:01:00:00 && NtVer=0x20000016
b. Attributes: netlogon
14. S->C: CLDAP serchresentry
a. Type: netlogon
b. Opcode: LOGON_SAM_USER_UNKNOWN_EX
Based on this exchange, it looks like the Win 7 client is trying to use
the username CLIENT (message 13) rather than the "Administrator"
username I put in when attempting to join the domain, and the server is
rejecting that user because it doesn't know that user.
Is it normal for the Win 7 client to use the computer name for the
username, here? Did I miss something in the HOWTO? Am I supposed to
add the client computer name to the Active Directory before trying to
join the domain?
I tried configuring the Windows 7 registry settings listed here, even
though it says it shouldn't be necessary for an Active Directory domain:
https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains.
The client acts exactly the same.
Are there other registry settings somewhere else, or is this some other
problem?
Jared
From: luisfor...@gmail.com [mailto:luisfor...@gmail.com]
Sent: Friday, September 06, 2013 6:25 AM
To: Jacobson, Jared M @ CSG - CSW
Subject: Re: [Samba] Windows 7 samba 4 domain join problem
Greetings Jared.
Let's start the troubleshoot with Win7. Normally you need to modofy it's
registry to Win7 work with Samba. Was it done?
Att.
2013/9/5 <jared.m....@l-3com.com>
I stood up a samba 4 (4.0.9) Active Directory domain controller on a Red
Hat Enterprise Linux 6.3 server, configured in accordance with the Samba
AD DC HOWTO <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO> , and
tailored to the domain name I want. I'm trying to join a Windows 7
Enterprise Edition client to the domain. Windows responds with "Your
computer could not be joined to the domain because the following error
has occurred: The network path was not found."
of the messages
exchanged (C = Win 7 client, S = samba server, pretending client IP is
192.168.0.3, server IP is 192.168.0.4, server name is server, client
name is client, and domain name is domain.name):
...
exchanged (C = Win 7 client, S = samba server, pretending client IP is
192.168.0.3, server IP is 192.168.0.4, server name is server, client
name is client, and domain name is domain.name):
13. C->S: CLDAP search request "<ROOT>" baseobject
a. Filter: DnsDomain=domain.name && Host=CLIENT && User=CLIENT &&
AAC=80:01:00:00 && NtVer=0x20000016
b. Attributes: netlogon
14. S->C: CLDAP serchresentry
a. Type: netlogon
b. Opcode: LOGON_SAM_USER_UNKNOWN_EX
Based on this exchange, it looks like the Win 7 client is trying to use
the username CLIENT (message 13) rather than the "Administrator"
username I put in when attempting to join the domain, and the server is
rejecting that user because it doesn't know that user.
Is it normal for the Win 7 client to use the computer name for the
username, here? Did I miss something in the HOWTO? Am I supposed to
add the client computer name to the Active Directory before trying to
join the domain?
George Itee
Sep 10, 2013, 1:30:02 PM9/10/13
to
Hello,
I once had this issue when I did not use the full domain name. Try and use
the full name "testdomain.local" for example when joining the domain.
Also make sure you use have the DNS properly configured on both the DC and
client.
On the linux side, make sure you have in /etc/resolve.conf :
Domain yourfulldomainname
nameserver x.x.x.x (ip address samba dc)
And Dns1=x.x.x.x (ip address samba dc) in
/etc/sysconfig/network-scripts/ifcfg-ethx
Post back with the results :)
George
Sent via Android Mobile Device
I once had this issue when I did not use the full domain name. Try and use
the full name "testdomain.local" for example when joining the domain.
Also make sure you use have the DNS properly configured on both the DC and
client.
On the linux side, make sure you have in /etc/resolve.conf :
Domain yourfulldomainname
nameserver x.x.x.x (ip address samba dc)
And Dns1=x.x.x.x (ip address samba dc) in
/etc/sysconfig/network-scripts/ifcfg-ethx
Post back with the results :)
George
Sent via Android Mobile Device
Daniel Müller
Sep 11, 2013, 2:00:02 AM9/11/13
to
No you do not need to change any registry settings with samba 4 and windows
7.
Is your dns working?
First of all on your linux box try a smbclient -L localhost -U%
Or more like this to be shure administrator is enabled and working:
[root@s4master ~]# smbclient //s4master/netlogon -Uadministrator
Enter administrator's password:
Domain=[TPLK] OS=[Unix] Server=[Samba 4.0.7]
smb: \> ls
. D 0 Fri Aug 23 08:16:23 2013
.. D 0 Fri Aug 23 11:14:25 2013
65503 blocks of size 33553920. 65502 blocks available
smb: \>
If in any case it refuses you can try to enable "administrator":
samba-tool user enable administrator
or list all known users to be shure:
samba-tool user list
Good luck
Daniel
-----------------------------------------------
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von jared.m....@L-3com.com
Gesendet: Dienstag, 10. September 2013 16:27
An: sa...@lists.samba.org
Betreff: Re: [Samba] Windows 7 samba 4 domain join problem
7.
Is your dns working?
First of all on your linux box try a smbclient -L localhost -U%
Or more like this to be shure administrator is enabled and working:
[root@s4master ~]# smbclient //s4master/netlogon -Uadministrator
Enter administrator's password:
Domain=[TPLK] OS=[Unix] Server=[Samba 4.0.7]
smb: \> ls
. D 0 Fri Aug 23 08:16:23 2013
.. D 0 Fri Aug 23 11:14:25 2013
65503 blocks of size 33553920. 65502 blocks available
smb: \>
If in any case it refuses you can try to enable "administrator":
samba-tool user enable administrator
or list all known users to be shure:
samba-tool user list
Good luck
Daniel
-----------------------------------------------
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von jared.m....@L-3com.com
Gesendet: Dienstag, 10. September 2013 16:27
An: sa...@lists.samba.org
Betreff: Re: [Samba] Windows 7 samba 4 domain join problem
jared.m....@l-3com.com
Sep 12, 2013, 6:10:02 PM9/12/13
to
Embarrassingly, it turns out that I had opened the wrong port for microsoft-ds (UDP port 445 instead of the TCP 445 it should be). As soon as I corrected that, the workstation joined the domain just fine.
Jared
Jared
0 new messages