samba - Aug 2024 - Problem joining windows clients to Samba AD

On Wed, 21 Aug 2024 13:46:05 +0200
L?o via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I come to you after several days of research about my problem: I
> cannot make windows clients join my Samba AD domain anymore.
> 
> My domain is built with two Samba AD DCs, dc1 and dc2, that are both
> debian 12.6 up to date and use the debian samba packages
> (4.17.12+dfsg-0+deb12u1). dc1 has all FSMO roles.
> 
> When I try to make a Windows computer join the domain, I get an error
> saying the domain could not be contacted. Logs are:
> 
> 
> C:\Windows\debug\dcdiag.txt:
> ---
> DNS was successfully queried for the service location (SRV) resource
> record used to locate a domain controller for domain
"ad.example.com":
> 
> The query was for the SRV record for
> _ldap._tcp.dc._msdcs.ad.example.com
> 
> The following domain controllers were identified by the query:
> dc2.ad.example.com
> dc1.ad.example.com
> 
> 
> However no domain controllers could be contacted.
> 
> Common causes of this error include:
> 
> - Host (A) or (AAAA) records that map the names of the domain
> controllers to their IP addresses are missing or contain incorrect
> addresses.
> 
> - Domain controllers registered in DNS are not connected to the
> network or are not running.
> ---
> 
> 
> C:\Windows\debug\NetSetup.LOG:
> ---
> 08/21/2024 00:18:10:477
> -----------------------------------------------------------------
> 08/21/2024 00:18:10:477 NetpValidateName: checking to see if 'PC11'
is
> valid as type 1 name
> 08/21/2024 00:18:10:477 NetpCheckNetBiosNameNotInUse for 'PC11'
> [MACHINE] returned 0x0
> 08/21/2024 00:18:10:477 NetpValidateName: name 'PC11' is valid for
> type 1 08/21/2024 00:18:10:477
> -----------------------------------------------------------------
> 08/21/2024 00:18:10:477 NetpValidateName: checking to see if 'PC11'
is
> valid as type 5 name
> 08/21/2024 00:18:10:477 NetpValidateName: name 'PC11' is valid for
> type 5 08/21/2024 00:18:10:477
> -----------------------------------------------------------------
> 08/21/2024 00:18:10:477 NetpValidateName: checking to see if
> 'ad.example.com' is valid as type 3 name
> 08/21/2024 00:18:10:477 NetpValidateName: 'ad.example.com' is not a
> valid NetBIOS domain name: 0x7b
> 08/21/2024 00:18:25:477 NetpCheckDomainNameIsValid for ad.example.com
> returned 0x54b, last error is 0x0
> 08/21/2024 00:18:25:477 NetpCheckDomainNameIsValid [ Exists ] for '
> ad.example.com' returned 0x54b
> ---
> 
> Most resources online say this can come from:
>  - connectivity issues: I removed all firewall rules, on DC hosts and
> on the network, no change
>  - name resolution issues: I checked the windows PC is correctly
> using both DC as DNS resolvers, I also used the samba_dnsupdate to
> make sure DNS records are correct, and also manually checked these
> records from the windows PC, I could not find any problem in them.
> 
> I also ran other diagnostic commands:
>  - samba-tool drs showrepl: no sync issues between both DCs,
>  - samba-tool dbcheck --cross-ncs --fix: no fixes required
> 
> On Linux clients, I noticed that they can join the domain when using
> sssd, but have the same problem as windows client when trying to join
> with samba-tool or net ads join commands.
> 
> I hope someone can help figuring this out!
> 
> Thank you!
> 
> Leo
Can we start by seeing the smb.conf file from one of the DCs (I take
they are similar).

Rowland

Hello Rowland,

Here it is:

smb.conf:
---
[global]
dns forwarder = 9.9.9.9
netbios name = DC1
realm = AD.EXAMPLE.COM
server role = active directory domain controller
workgroup = AD
idmap_ldb:use rfc2307  = yes

min protocol = SMB2
ntlm auth = mschapv2-and-ntlmv2-only

restrict anonymous = 2
disable netbios = yes
smb ports = 445

printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

tls enabled = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/ad.example.com/scripts
read only = No
---

It is, indeed, the same one on DC2 (except for the netbios name of course).

Le mer. 21 ao?t 2024 ? 14:05, Rowland Penny via samba
<samba at lists.samba.org> a ?crit :
>
> On Wed, 21 Aug 2024 13:46:05 +0200
> L?o via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I come to you after several days of research about my problem: I
> > cannot make windows clients join my Samba AD domain anymore.
> >
> > My domain is built with two Samba AD DCs, dc1 and dc2, that are both
> > debian 12.6 up to date and use the debian samba packages
> > (4.17.12+dfsg-0+deb12u1). dc1 has all FSMO roles.
> >
> > When I try to make a Windows computer join the domain, I get an error
> > saying the domain could not be contacted. Logs are:
> >
> >
> > C:\Windows\debug\dcdiag.txt:
> > ---
> > DNS was successfully queried for the service location (SRV) resource
> > record used to locate a domain controller for domain
"ad.example.com":
> >
> > The query was for the SRV record for
> > _ldap._tcp.dc._msdcs.ad.example.com
> >
> > The following domain controllers were identified by the query:
> > dc2.ad.example.com
> > dc1.ad.example.com
> >
> >
> > However no domain controllers could be contacted.
> >
> > Common causes of this error include:
> >
> > - Host (A) or (AAAA) records that map the names of the domain
> > controllers to their IP addresses are missing or contain incorrect
> > addresses.
> >
> > - Domain controllers registered in DNS are not connected to the
> > network or are not running.
> > ---
> >
> >
> > C:\Windows\debug\NetSetup.LOG:
> > ---
> > 08/21/2024 00:18:10:477
> > -----------------------------------------------------------------
> > 08/21/2024 00:18:10:477 NetpValidateName: checking to see if
'PC11' is
> > valid as type 1 name
> > 08/21/2024 00:18:10:477 NetpCheckNetBiosNameNotInUse for
'PC11'
> > [MACHINE] returned 0x0
> > 08/21/2024 00:18:10:477 NetpValidateName: name 'PC11' is valid
for
> > type 1 08/21/2024 00:18:10:477
> > -----------------------------------------------------------------
> > 08/21/2024 00:18:10:477 NetpValidateName: checking to see if
'PC11' is
> > valid as type 5 name
> > 08/21/2024 00:18:10:477 NetpValidateName: name 'PC11' is valid
for
> > type 5 08/21/2024 00:18:10:477
> > -----------------------------------------------------------------
> > 08/21/2024 00:18:10:477 NetpValidateName: checking to see if
> > 'ad.example.com' is valid as type 3 name
> > 08/21/2024 00:18:10:477 NetpValidateName: 'ad.example.com' is
not a
> > valid NetBIOS domain name: 0x7b
> > 08/21/2024 00:18:25:477 NetpCheckDomainNameIsValid for ad.example.com
> > returned 0x54b, last error is 0x0
> > 08/21/2024 00:18:25:477 NetpCheckDomainNameIsValid [ Exists ] for
'
> > ad.example.com' returned 0x54b
> > ---
> >
> > Most resources online say this can come from:
> >  - connectivity issues: I removed all firewall rules, on DC hosts and
> > on the network, no change
> >  - name resolution issues: I checked the windows PC is correctly
> > using both DC as DNS resolvers, I also used the samba_dnsupdate to
> > make sure DNS records are correct, and also manually checked these
> > records from the windows PC, I could not find any problem in them.
> >
> > I also ran other diagnostic commands:
> >  - samba-tool drs showrepl: no sync issues between both DCs,
> >  - samba-tool dbcheck --cross-ncs --fix: no fixes required
> >
> > On Linux clients, I noticed that they can join the domain when using
> > sssd, but have the same problem as windows client when trying to join
> > with samba-tool or net ads join commands.
> >
> > I hope someone can help figuring this out!
> >
> > Thank you!
> >
> > Leo
>
> Can we start by seeing the smb.conf file from one of the DCs (I take
> they are similar).
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba