samba - Mar 2010 - Trouble joining Windows 7 machines to Samba PDC

Hi folks,

We have a domain controller running Samba 3.4.5 that is backed onto an 
OpenLDAP datastore. The domain has no trouble joining Windows XP clients, 
but we've got a couple of Windows 7 / Windows Server 2008 R2 Standard that 
we can't join to the domain.

The registry changes suggested in 
http://wiki.samba.org/index.php?title=Windows7&oldid=4766 have been 
applied, and a UNIX account for the machine has been created.

While the creation of the object in LDAP appears to succeed, the join 
fails with super-helpful message "The parameter is incorrect" on the 
client.

I've attached the NetSetup.log, the output of testparm, and a debug log at 
level 5 from one of the clients. The only thing particularly notable in 
the NetSetup output is:

NetpSetNetlogonDomainCache: DsEnumerateDomainTrustsW for all trusts failed 
with ERROR_NOT_SUPPORTED -- retry

Any hints?

David Adam
University Computer Club, UWA
zanchey at ucc.gu.uwa.edu.au
-------------- next part --------------
[global]
        workgroup = UCCDOMAYNE
        server string = %h server
        obey pam restrictions = Yes
        passdb backend = ldapsam:"ldaps://mussel.ucc.gu.uwa.edu.au
ldaps://martello.ucc.gu.uwa.edu.au/"
        log level = all:10
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        debug pid = Yes
        logon path = \musundo\profiles
        logon drive = H:
        logon home = \\musundo\%U
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins server = 130.95.13.3
        ldap admin dn = cn=admin,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
        ldap machine suffix = ou=Computers
        ldap passwd sync = only
        ldap suffix = dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
        ldap ssl = no
        ldap user suffix = ou=People
        panic action = /usr/share/samba/panic-action %d

-------------- next part --------------
?03/15/2010 18:19:21:613
-----------------------------------------------------------------

03/15/2010 18:19:21:613 NetpValidateName: checking to see if 'MAAXEN' is
valid as type 1 name

03/15/2010 18:19:21:633 NetpCheckNetBiosNameNotInUse for 'MAAXEN'
[MACHINE] returned 0x0

03/15/2010 18:19:21:633 NetpValidateName: name 'MAAXEN' is valid for
type 1

03/15/2010 18:19:21:664
-----------------------------------------------------------------

03/15/2010 18:19:21:664 NetpValidateName: checking to see if
'MAAXEN.ucc.gu.uwa.edu.au' is valid as type 5 name

03/15/2010 18:19:21:664 NetpValidateName: name
'MAAXEN.ucc.gu.uwa.edu.au' is valid for type 5

03/15/2010 18:19:21:700
-----------------------------------------------------------------

03/15/2010 18:19:21:701 NetpValidateName: checking to see if
'UCCDOMAYNE' is valid as type 3 name

03/15/2010 18:19:21:828 NetpCheckDomainNameIsValid [ Exists ] for
'UCCDOMAYNE' returned 0x0

03/15/2010 18:19:21:828 NetpValidateName: name 'UCCDOMAYNE' is valid for
type 3

03/15/2010 18:19:26:413
-----------------------------------------------------------------

03/15/2010 18:19:26:413 NetpDoDomainJoin

03/15/2010 18:19:26:413 NetpMachineValidToJoin: 'MAAXEN'

03/15/2010 18:19:26:413 	OS Version: 6.1

03/15/2010 18:19:26:413 	Build number: 7600 (7600.win7_rtm.090713-1255)

03/15/2010 18:19:26:414 	SKU: Windows Server 2008 R2 Standard

03/15/2010 18:19:26:414 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status:
0x0

03/15/2010 18:19:26:414 NetpGetLsaPrimaryDomain: status: 0x0

03/15/2010 18:19:26:414 NetpMachineValidToJoin: status: 0x0

03/15/2010 18:19:26:415 NetpJoinDomain

03/15/2010 18:19:26:415 	Machine: MAAXEN

03/15/2010 18:19:26:415 	Domain: UCCDOMAYNE

03/15/2010 18:19:26:415 	MachineAccountOU: (NULL)

03/15/2010 18:19:26:415 	Account: UCCDOMAYNE\zanchey

03/15/2010 18:19:26:415 	Options: 0x25

03/15/2010 18:19:26:415 NetpLoadParameters: loading registry parameters...

03/15/2010 18:19:26:415 NetpLoadParameters: status: DNSNameResolutionRequired
set to '0'

03/15/2010 18:19:26:415 NetpLoadParameters: status: DomainCompatibilityMode set
to '1'

03/15/2010 18:19:26:415 NetpLoadParameters: status: 0x0

03/15/2010 18:19:26:415 NetpValidateName: checking to see if
'UCCDOMAYNE' is valid as type 3 name

03/15/2010 18:19:26:517 NetpCheckDomainNameIsValid [ Exists ] for
'UCCDOMAYNE' returned 0x0

03/15/2010 18:19:26:517 NetpValidateName: name 'UCCDOMAYNE' is valid for
type 3

03/15/2010 18:19:26:517 NetpDsGetDcName: trying to find DC in domain
'UCCDOMAYNE', flags: 0x1020

03/15/2010 18:19:34:025 NetpLoadParameters: loading registry parameters...

03/15/2010 18:19:34:025 NetpLoadParameters: status: DNSNameResolutionRequired
set to '0'

03/15/2010 18:19:34:025 NetpLoadParameters: status: DomainCompatibilityMode set
to '1'

03/15/2010 18:19:34:025 NetpLoadParameters: status: 0x0

03/15/2010 18:19:34:025 NetpDsGetDcName: found DC '\\MYLAH' in the
specified domain

03/15/2010 18:19:34:025 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0

03/15/2010 18:20:29:939 NetpJoinDomain: status of connecting to dc
'\\MYLAH': 0x0

03/15/2010 18:20:29:939 NetpProvisionComputerAccount:

03/15/2010 18:20:29:939 	lpDomain: UCCDOMAYNE

03/15/2010 18:20:29:939 	lpMachineName: MAAXEN

03/15/2010 18:20:29:939 	lpMachineAccountOU: (NULL)

03/15/2010 18:20:29:939 	lpDcName: MYLAH

03/15/2010 18:20:29:939 	lpDnsHostName: (NULL)

03/15/2010 18:20:29:939 	lpMachinePassword: (null)

03/15/2010 18:20:29:939 	lpAccount: UCCDOMAYNE\zanchey

03/15/2010 18:20:29:939 	lpPassword: (non-null)

03/15/2010 18:20:29:939 	dwJoinOptions: 0x25

03/15/2010 18:20:29:939 	dwOptions: 0x40000003

03/15/2010 18:20:30:953 NetpLdapBind: ldap_bind failed on MYLAH: 81: Server Down

03/15/2010 18:20:30:997 NetpGetLsaPrimaryDomain: DNS Domain policy not
supported, falling back to Primary Domain

03/15/2010 18:20:31:011 NetpGetLsaPrimaryDomain: status: 0x0

03/15/2010 18:20:31:012 NetpCreateComputerObjectInDs: DC passed
'\\MYLAH' doesn't have writable DS 0x101

03/15/2010 18:20:31:013 NetpProvisionComputerAccount: LDAP creation failed: 0x32

03/15/2010 18:20:31:013 NetpJoinDomainOnDs: Function exits with status of: 0x32

03/15/2010 18:20:31:013 NetpJoinDomainOnDs: status of disconnecting from
'\\MYLAH': 0x0

03/15/2010 18:20:31:013 NetpDoDomainJoin: status: 0x32

03/15/2010 18:20:31:035
-----------------------------------------------------------------

03/15/2010 18:20:31:035 NetpDoDomainJoin

03/15/2010 18:20:31:035 NetpMachineValidToJoin: 'MAAXEN'

03/15/2010 18:20:31:035 	OS Version: 6.1

03/15/2010 18:20:31:035 	Build number: 7600 (7600.win7_rtm.090713-1255)

03/15/2010 18:20:31:035 	SKU: Windows Server 2008 R2 Standard

03/15/2010 18:20:31:035 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status:
0x0

03/15/2010 18:20:31:036 NetpGetLsaPrimaryDomain: status: 0x0

03/15/2010 18:20:31:036 NetpMachineValidToJoin: status: 0x0

03/15/2010 18:20:31:036 NetpJoinDomain

03/15/2010 18:20:31:036 	Machine: MAAXEN

03/15/2010 18:20:31:036 	Domain: UCCDOMAYNE

03/15/2010 18:20:31:036 	MachineAccountOU: (NULL)

03/15/2010 18:20:31:036 	Account: UCCDOMAYNE\zanchey

03/15/2010 18:20:31:036 	Options: 0x27

03/15/2010 18:20:31:036 NetpLoadParameters: loading registry parameters...

03/15/2010 18:20:31:036 NetpLoadParameters: status: DNSNameResolutionRequired
set to '0'

03/15/2010 18:20:31:036 NetpLoadParameters: status: DomainCompatibilityMode set
to '1'

03/15/2010 18:20:31:036 NetpLoadParameters: status: 0x0

03/15/2010 18:20:31:036 NetpValidateName: checking to see if
'UCCDOMAYNE' is valid as type 3 name

03/15/2010 18:20:31:138 NetpCheckDomainNameIsValid [ Exists ] for
'UCCDOMAYNE' returned 0x0

03/15/2010 18:20:31:138 NetpValidateName: name 'UCCDOMAYNE' is valid for
type 3

03/15/2010 18:20:31:138 NetpDsGetDcName: trying to find DC in domain
'UCCDOMAYNE', flags: 0x1020

03/15/2010 18:20:31:339 NetpLoadParameters: loading registry parameters...

03/15/2010 18:20:31:339 NetpLoadParameters: status: DNSNameResolutionRequired
set to '0'

03/15/2010 18:20:31:339 NetpLoadParameters: status: DomainCompatibilityMode set
to '1'

03/15/2010 18:20:31:339 NetpLoadParameters: status: 0x0

03/15/2010 18:20:31:339 NetpDsGetDcName: found DC '\\MYLAH' in the
specified domain

03/15/2010 18:20:31:339 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0

03/15/2010 18:20:31:339 NetpJoinDomain: status of connecting to dc
'\\MYLAH': 0x0

03/15/2010 18:20:31:339 NetpProvisionComputerAccount:

03/15/2010 18:20:31:339 	lpDomain: UCCDOMAYNE

03/15/2010 18:20:31:339 	lpMachineName: MAAXEN

03/15/2010 18:20:31:339 	lpMachineAccountOU: (NULL)

03/15/2010 18:20:31:339 	lpDcName: MYLAH

03/15/2010 18:20:31:339 	lpDnsHostName: (NULL)

03/15/2010 18:20:31:339 	lpMachinePassword: (null)

03/15/2010 18:20:31:339 	lpAccount: UCCDOMAYNE\zanchey

03/15/2010 18:20:31:339 	lpPassword: (non-null)

03/15/2010 18:20:31:339 	dwJoinOptions: 0x27

03/15/2010 18:20:31:339 	dwOptions: 0x40000003

03/15/2010 18:20:32:332 NetpLdapBind: ldap_bind failed on MYLAH: 81: Server Down

03/15/2010 18:20:32:363 NetpGetLsaPrimaryDomain: DNS Domain policy not
supported, falling back to Primary Domain

03/15/2010 18:20:32:377 NetpGetLsaPrimaryDomain: status: 0x0

03/15/2010 18:20:32:378 NetpCreateComputerObjectInDs: DC passed
'\\MYLAH' doesn't have writable DS 0x101

03/15/2010 18:20:32:378 NetpProvisionComputerAccount: LDAP creation failed: 0x32

03/15/2010 18:20:32:378 NetpProvisionComputerAccount: Retrying downlevel per
options

03/15/2010 18:20:32:453 NetpManageMachineAccountWithSid: NetUserAdd on
'MYLAH' for 'MAAXEN$' failed: 0x8b0

03/15/2010 18:20:32:662 NetpManageMachineAccountWithSid: status of attempting to
set password on 'MYLAH' for 'MAAXEN$': 0x0

03/15/2010 18:20:32:662 NetpProvisionComputerAccount: retry status of creating
account: 0x0

03/15/2010 18:20:32:662 NetpEncodeProvisioningBlob: Encoding provisioning data

03/15/2010 18:20:32:662 NetpInitBlobWin7: Constructing blob...

03/15/2010 18:20:32:662 Blob version: 1

03/15/2010 18:20:32:662 	lpDomain: UCCDOMAYNE

03/15/2010 18:20:32:662 	lpMachineName: MAAXEN

03/15/2010 18:20:32:662 	lpMachinePassword: <omitted from log>

03/15/2010 18:20:32:662    DomainDnsPolicy:

03/15/2010 18:20:32:662    	Name: UCCDOMAYNE

03/15/2010 18:20:32:662    	DnsDomainName: (null)

03/15/2010 18:20:32:662    	DnsForestName: (null)

03/15/2010 18:20:32:662    	DomainGuid: 00000000-0000-0000-0000-000000000000

03/15/2010 18:20:32:662    	Sid:
S-1-5-352321536-3342141748-1574249315-1264630062

03/15/2010 18:20:32:662    DcInfo:

03/15/2010 18:20:32:662    	DomainControllerName: \\MYLAH

03/15/2010 18:20:32:662    	DomainControllerAddress: \\MYLAH

03/15/2010 18:20:32:662    	DomainControllerAddressType: 2

03/15/2010 18:20:32:662    	DomainGuid: 00000000-0000-0000-0000-000000000000

03/15/2010 18:20:32:662    	DomainName: UCCDOMAYNE

03/15/2010 18:20:32:662    	DnsForestName: (null)

03/15/2010 18:20:32:662    	Flags: 0x101

03/15/2010 18:20:32:662    	DcSiteName: (null)

03/15/2010 18:20:32:662    	ClientSiteName: (null)

03/15/2010 18:20:32:662 	Options: 0x40000003

03/15/2010 18:20:32:662 NetpInitBlobWin7: Blob pickling result: 0

03/15/2010 18:20:32:662 NetpEncodeProvisioningBlob: result: 0x0

03/15/2010 18:20:32:662 NetpRequestOfflineDomainJoin:

03/15/2010 18:20:32:662 	dwProvisionBinDataSize: 656

03/15/2010 18:20:32:662 	JoinOptions: 0x27

03/15/2010 18:20:32:662 	Options: 0x40000003

03/15/2010 18:20:32:662 	lpWindowsPath: C:\Windows

03/15/2010 18:20:32:662 NetpDecodeProvisioningBlob: Unpickling provisioning blob
with size 656 bytes

03/15/2010 18:20:32:662 NetpDecodeProvisioningBlob: Searching 1 blobs for
supported ODJ blob, highest supported version: 1

03/15/2010 18:20:32:662 NetpDecodeProvisioningBlob: Found ODJ blob version: 1

03/15/2010 18:20:32:662 NetpDecodeProvisioningBlob: Selected ODJ blob version: 1

03/15/2010 18:20:32:662 Blob version: 1

03/15/2010 18:20:32:662 	lpDomain: UCCDOMAYNE

03/15/2010 18:20:32:662 	lpMachineName: MAAXEN

03/15/2010 18:20:32:662 	lpMachinePassword: <omitted from log>

03/15/2010 18:20:32:662    DomainDnsPolicy:

03/15/2010 18:20:32:662    	Name: UCCDOMAYNE

03/15/2010 18:20:32:662    	DnsDomainName: (null)

03/15/2010 18:20:32:662    	DnsForestName: (null)

03/15/2010 18:20:32:662    	DomainGuid: 00000000-0000-0000-0000-000000000000

03/15/2010 18:20:32:662    	Sid:
S-1-5-352321536-3342141748-1574249315-1264630062

03/15/2010 18:20:32:662    DcInfo:

03/15/2010 18:20:32:662    	DomainControllerName: \\MYLAH

03/15/2010 18:20:32:662    	DomainControllerAddress: \\MYLAH

03/15/2010 18:20:32:662    	DomainControllerAddressType: 2

03/15/2010 18:20:32:662    	DomainGuid: 00000000-0000-0000-0000-000000000000

03/15/2010 18:20:32:662    	DomainName: UCCDOMAYNE

03/15/2010 18:20:32:662    	DnsForestName: (null)

03/15/2010 18:20:32:662    	Flags: 0x101

03/15/2010 18:20:32:662    	DcSiteName: (null)

03/15/2010 18:20:32:662    	ClientSiteName: (null)

03/15/2010 18:20:32:662 	Options: 0x40000003

03/15/2010 18:20:32:662 NetpDoInitiateOfflineDomainJoin

03/15/2010 18:20:32:663 NetpDoInitiateOfflineDomainJoin: Setting backup/restore
privileges

03/15/2010 18:20:32:666 NetpInitiateOfflineJoin

03/15/2010 18:20:32:666 	lpLocalRegistryPath: C:\Windows\system32\config\SYSTEM

03/15/2010 18:20:32:667 	dwOptions: 0x40000003

03/15/2010 18:20:32:667 NetpConvertBlobToJoinState: Translating provisioning
data to internal format

03/15/2010 18:20:32:667 NetpConvertBlobToJoinState: Selecting version 1

03/15/2010 18:20:32:667 NetpConvertBlobToJoinState: exiting: 0x0

03/15/2010 18:20:32:667 NetpValidateFullJoinState: Validating provisioning
data...

03/15/2010 18:20:32:667 NetpValidateFullJoinState: exiting: 0x0

03/15/2010 18:20:32:667 NetpClearFullJoinState:  Removing cached state from the
registry...

03/15/2010 18:20:32:667 NetpClearFullJoinState: Status of deleting join state
key 0x2

03/15/2010 18:20:32:667 NetpSaveFullJoinStateInternal: Injecting provisioning
data into image...

03/15/2010 18:20:32:670 NetpSaveFullJoinStateInternal: exiting: 0x0

03/15/2010 18:20:32:670 NetpSetComputerNamesOffline: Checking for pending name
changes...

03/15/2010 18:20:32:670 	SetHostName:	TRUE

03/15/2010 18:20:32:670 	SetDnsDomain:	TRUE

03/15/2010 18:20:32:670 	SetNetBiosName:	TRUE

03/15/2010 18:20:32:670 	SetCurrentValues:	TRUE

03/15/2010 18:20:32:670 NetpSetComputerNamesOffline: Setting Hostname to MAAXEN

03/15/2010 18:20:32:670 NetpSetComputerNamesOffline: Setting NetBios computer
name to MAAXEN

03/15/2010 18:20:32:671 NetpDoInitiateOfflineDomainJoin: status: 0x0

03/15/2010 18:20:32:671 NetRequestOfflineDomainJoin: Successfully initiated the
offline domain join

03/15/2010 18:20:32:671 NetpJoinDomainOnDs: Setting netlogon cache.

03/15/2010 18:20:32:699 NetpSetNetlogonDomainCache: DsEnumerateDomainTrustsW for
all trusts failed with ERROR_NOT_SUPPORTED -- retry

03/15/2010 18:20:32:799 NetpJoinDomainOnDs: status of setting netlogon cache:
0x0

03/15/2010 18:20:32:799 NetpJoinDomainOnDs: Function exits with status of: 0x0

03/15/2010 18:20:32:799 NetpJoinDomainOnDs: status of disconnecting from
'\\MYLAH': 0x0

03/15/2010 18:20:32:799 NetpCompleteOfflineDomainJoin

03/15/2010 18:20:32:799 	fBootTimeCaller: FALSE

03/15/2010 18:20:32:799 	fSetLocalGroups: TRUE

03/15/2010 18:20:32:800 NetpLsaOpenSecret: status: 0xc0000034

03/15/2010 18:20:32:800 NetpGetLsaPrimaryDomain: status: 0x0

03/15/2010 18:20:32:800 NetpJoinDomainLocal: NetpHandleJoinedStateInfo returned:
0x0

03/15/2010 18:20:32:800 NetpLsaOpenSecret: status: 0xc0000034

03/15/2010 18:20:33:087 NetpJoinDomainLocal: NetpManageMachineSecret returned:
0x0.

03/15/2010 18:20:33:087 Calling NetpQueryService to get Netlogon service state.

03/15/2010 18:20:33:088 NetpJoinDomainLocal: NetpQueryService returned: 0x0.

03/15/2010 18:20:33:088 NetpSetLsaPrimaryDomain: for 'UCCDOMAYNE'
status: 0xc000000d

03/15/2010 18:20:33:088 NetpJoinDomainLocal: status of setting LSA pri. domain:
0x57

03/15/2010 18:20:33:088 NetpJoinDomainLocal: initiating a rollback due to
earlier errors

03/15/2010 18:20:33:088 NetpLsaOpenSecret: status: 0x0

03/15/2010 18:20:33:186 NetpJoinDomainLocal: rollback: status of deleting
secret: 0x0

03/15/2010 18:20:33:186 NetpClearFullJoinState:  Removing cached state from the
registry...

03/15/2010 18:20:33:186 NetpClearFullJoinState: Status of deleting join state
key 0x0

03/15/2010 18:20:33:186 NetpMarkLastFullJoinAttempt: No offline domain join
information found, FinishJoin key not found.

03/15/2010 18:20:33:186 NetpCompleteOfflineDomainJoin: An error occured while
completing the offline join action, the action can be tried again.  The error
code was: 0x57.

03/15/2010 18:20:33:186 NetpCompleteOfflineDomainJoin: status: 0x57

03/15/2010 18:20:33:186 NetpDoDomainJoin: status: 0x57

On Mon, 15 Mar 2010, David Adam wrote:
> We have a domain controller running Samba 3.4.5 that is backed onto an 
> OpenLDAP datastore. The domain has no trouble joining Windows XP clients, 
> but we've got a couple of Windows 7 / Windows Server 2008 R2 Standard
that
> we can't join to the domain.
> 
> The registry changes suggested in 
> http://wiki.samba.org/index.php?title=Windows7&oldid=4766 have been 
> applied, and a UNIX account for the machine has been created.
> 
> While the creation of the object in LDAP appears to succeed, the join 
> fails with super-helpful message "The parameter is incorrect" on
the
> client.
For the archives, I reported this as bug 7395 - as discussed, it appears 
that Windows 7 has tightened up a bit on valid SIDs and we somehow had an 
invalid one, possibly due to an endianness issue in an old version of Samba.

Replacing our SID that started with S-1-5-352321536 with S-1-5-21 solved 
all our problems.

David Adam
zanchey at ucc.gu.uwa.edu.au