Marshall Buschman
2008-Apr-24 00:06 UTC
[Samba] Problem joining XP SP2 Machines to the domain
Hey All:

I've got a working samba/ldap domain with a PDC in a datacenter and a BDC in my local office.

I'm not able to reliably join a Windows XP Pro machine to the domain by specifying the PDC as a WINS server.

I get the following error 90% of the time or more, with no discernible patterns or errors in any logs:
---------------------------------
The following error occurred attempting to join the domain "FOO":
Logon failure: unknown user name or bad password.
---------------------------------

Windows 2000 machines join the domain 100% of the time.

Adding a line to the lmhosts file like this:
---------------------------
1.2.3.4 foopdc #PRE #DOM:FOO #net group's DC
---------------------------
Causes the XP machine to be able to join the domain 100% of the time.

I have many clients, and adding this file to the lmhosts file everywhere isn't feasible.

The real question is - why doesn't WINS work?
I can run net view and see all the machines.

I'd really appreciate any help you guys can provide.

-Marshall
Marshall Buschman
2008-Apr-24 19:57 UTC
[Samba] Problem joining XP SP2 Machines to the domain
Dale:

Correct. I've implemented this option on all of the relevant subnets.
I'm doing something like this:

-----------------------------------------------------------------------------------------
option netbios-name-servers 1.2.3.4, 1.3.3.7;
-----------------------------------------------------------------------------------------

Where 1.2.3.4 is the old Windows 2000 DC that we're migrating away from, and 1.3.3.7 is the samba PDC.

I tested this, and found it to work appropriately under Windows 2000 clients, but not Windows XP clients.

I've even statically assigned an XP client an IP and WINS server, and it still does not work consistently.

I still get the following error most of the time:

The following error occurred attempting to join the domain "FOO":
Logon failure: unknown user name or bad password.

Windows 2000 clients function perfectly.

Any ideas? Especially why only the XP clients have an issue?

-Marshall

On Thu, Apr 24, 2008 at 8:43 AM, Dale Schroeder <dale@briannassaladdressing.com> wrote:

> Marshall,
>
> Since you have many clients, I'm guessing you have a dhcp server running.
> If so, do you have a netbios nameserver option enabled in the dhcp config?
> In ISC's dhcp3 server it is "option netbios-name-servers xxx.xxx.xxx.xxx;"
>
> Of course, on clients with static ip's, wins config must be done manually,
> and IIRC, the options changed somewhat in XP. The default is to get netbios
> info from the dhcp server.
>
> Good luck,
> Dale
Marshall Buschman
2008-Apr-29 16:36 UTC
[Samba] Problem joining XP SP2 Machines to the domain
Dale:

I'm continuing to investigate - ipconfig /all shows both WINS servers.
/var/cache/samba/wins.dat contains the XP machines.
I do have a local DNS server, and it does resolve typical addresses (google.com) as expected.
My PDC and BDC have A and PTR records that resolve properly, but nothing special other than that.

Nothing appears in the logs on either the PDC or BDC.

I've recently tried using the ForensiT User Profile Wizard, which tries to join the domain as part of its process.
It's interesting that using this tool, when auth fails, wireshark shows no conversation between the XP box and the DC - it looks like the XP isn't even trying to connect to the PDC.

I've seen similar results using wireshark and the normal domain joining facilities.
I've attempted to disable the signorseal requirements, which have no effect.

The only effective solution is adding an entry to the lmhosts file, which is undesirable.

-Marshall

On Fri, Apr 25, 2008 at 9:14 AM, Dale Schroeder <dale@briannassaladdressing.com> wrote:

> Marshall,
>
> Running out of ideas, but:
> Have you checked the wins.dat file to see if it is actually being
> populated with the xp machines?
> Does "ipconfig /all" on the xp machines list the wins server?
> If using it, is DNS working properly?
> Any other clues in the logs?
>
> In "name resolve order =" I list wins first to give it the first chance at
> name resolution.
> I also don't have the multi-subnet issue to deal with, but some admins put
> a wins server on each subnet.
>
> Dale
Marshall Buschman
2008-Apr-29 21:00 UTC
[Samba] Problem joining XP SP2 Machines to the domain
Dale:

There is no client firewall on any of the machines in question. The Windows XP firewall has been disabled.

-Marshall

On Tue, Apr 29, 2008 at 12:57 PM, Dale Schroeder <dale@briannassaladdressing.com> wrote:

> Marshall,
>
> One last guess: Windows Firewall. Is it turned on? For comparison, in
> the AD domain I administer, I have to turn off the XP firewall or create an
> exception for tcp port 113 to join the domain. Otherwise, it just sits
> there until it times out. So, if any client firewall is running, try
> turning it off or making an exception.
>
> Dale