jared.m.jacobson at L-3com.com
2013-Sep-05 21:01 UTC
[Samba] Windows 7 samba 4 domain join problem
I stood up a samba 4 (4.0.9) Active Directory domain controller on a Red Hat Enterprise Linux 6.3 server, configured in accordance with the Samba AD DC HOWTO <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO>, and tailored to the domain name I want. I'm trying to join a Windows 7 Enterprise Edition client to the domain. Windows responds with "Your computer could not be joined to the domain because the following error has occurred: The network path was not found."

The network between the Windows 7 box and the samba server is very simple, consisting of a single switch. The network itself is also very simple, consisting of 3 Red Hat servers, a NAS, and the workstation. The network is not connected to the Internet in any way.

I used wireshark to capture the message exchange. It looks to me like the DNS stuff is working right - as far as it gets - but something is misconfigured with the LDAP server, and I can't figure out what. I can't provide the pcap file, but here's a summary of the messages exchanged (C = Win 7 client, S = samba server, pretending client IP is 192.168.0.3, server IP is 192.168.0.4, server name is server, client name is client, and domain name is domain.name):

1. C->S: NBNS - Name Query NB domain
2. S->C: NBNS - Name Query response NB 192.168.0.4
3. C->S: DNS SRV _ldap._tcp.dc._msdcs.domain.name
4. S->C: DNS SRV 0 100 389 server.domain.name
5. C->S: DNS A server.domain.name
6. S->C: DNS A 192.168.0.4
7. C->S: CLDAP search request "<ROOT>" baseobject
   a. Filter: DnsDomain=domain.name && Host=CLIENT && NtVer=0x00000016
   b. Attributes: netlogon
8. S->C: CLDAP searchresentry
   a. Type: netlogon
   b. Opcode: LOGON_SAM_LOGON_RESPONSE_EX
   c. Flags: GoodTimeServ, Writable, Closest, Timeserv, KDC, DS, LDAP, GC, PDC
   d. Forest: domain.name
   e. Domain: domain.name
   f. Hostname: CLIENT
   g. NetBIOS domain: DOMAIN
   h. NetBIOS Hostname: SERVER
9. C->S: DNS SRV _ldap._tcp.dc._msdcs.domain.name
10. S->C: DNS SRV 0 100 389 server.domain.name
11. C->S: CLDAP (same as message 7)
12. S->C: CLDAP (same as message 8)
13. C->S: CLDAP search request "<ROOT>" baseobject
    a. Filter: DnsDomain=domain.name && Host=CLIENT && User=CLIENT && AAC=80:01:00:00 && NtVer=0x20000016
    b. Attributes: netlogon
14. S->C: CLDAP searchresentry
    a. Type: netlogon
    b. Opcode: LOGON_SAM_USER_UNKNOWN_EX

Based on this exchange, it looks like the Win 7 client is trying to use the username CLIENT (message 13) rather than the "Administrator" username I put in when attempting to join the domain, and the server is rejecting that user because it doesn't know that user.

Is it normal for the Win 7 client to use the computer name for the username, here? Did I miss something in the HOWTO? Am I supposed to add the client computer name to the Active Directory before trying to join the domain?

Thanks for any light you can shed on this.

Jared
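
Added example, not part of the original post: a small Python decoder for the NtVer and AAC values in the CLDAP filters of messages 7 and 13. The bit names are the NETLOGON_NT_VERSION and SAM account-control flags from Microsoft's protocol specifications; the function names are this example's own, and the sample strings are copied from the summary above.

```python
# Added example: decode NtVer / AAC from a CLDAP netlogon filter summary.

# NETLOGON_NT_VERSION_* option bits (MS-ADTS).
NTVER_BITS = {
    0x00000001: "V1",
    0x00000002: "V5",
    0x00000004: "V5EX",
    0x00000008: "V5EX_WITH_IP",
    0x00000010: "WITH_CLOSEST_SITE",
    0x01000000: "AVOID_NT4EMUL",
    0x10000000: "PDC",
    0x20000000: "IP",
    0x40000000: "LOCAL",
    0x80000000: "GC",
}

# SAM account-control bits that can appear in AAC (subset used for lookups).
AAC_BITS = {
    0x0001: "ACCOUNT_DISABLED",
    0x0010: "NORMAL_ACCOUNT",
    0x0040: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0080: "WORKSTATION_TRUST_ACCOUNT",
    0x0100: "SERVER_TRUST_ACCOUNT",
}

# Filters as written in the capture summary (messages 7 and 13).
MSG7 = "DnsDomain=domain.name && Host=CLIENT && NtVer=0x00000016"
MSG13 = ("DnsDomain=domain.name && Host=CLIENT && User=CLIENT "
         "&& AAC=80:01:00:00 && NtVer=0x20000016")

def flag_names(value, table):
    """Names of the set bits, plus one entry for any bits not in the table."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + ([f"UNKNOWN_0x{rest:08x}"] if rest else [])

def parse_filter(summary):
    """Split 'Key=Value && Key=Value' into a dict; reject malformed terms."""
    fields = {}
    for term in summary.split("&&"):
        key, sep, val = term.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"malformed filter term: {term!r}")
        fields[key] = val
    return fields

def describe(summary):
    f = parse_filter(summary)
    out = {"host": f.get("Host"), "user": f.get("User"),
           "ntver": flag_names(int(f["NtVer"], 16), NTVER_BITS)}
    if "AAC" in f:  # shown by Wireshark as colon-separated little-endian bytes
        raw = bytes.fromhex(f["AAC"].replace(":", ""))
        out["aac"] = flag_names(int.from_bytes(raw, "little"), AAC_BITS)
    return out
```

For message 13 the AAC bytes decode to the workstation-trust and server-trust account types, so that query asks about a machine account named CLIENT rather than an interactive user account.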
jared.m.jacobson at L-3com.com
2013-Sep-10 14:27 UTC
[Samba] Windows 7 samba 4 domain join problem
Thanks for your help. I tried configuring the Windows 7 registry settings listed here, even though it says it shouldn't be necessary for an Active Directory domain: https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains. The client acts exactly the same. Are there other registry settings somewhere else, or is this some other problem?

Jared

From: luisforchesatto at gmail.com [mailto:luisforchesatto at gmail.com]
Sent: Friday, September 06, 2013 6:25 AM
To: Jacobson, Jared M @ CSG - CSW
Subject: Re: [Samba] Windows 7 samba 4 domain join problem

Greetings Jared.

Let's start the troubleshoot with Win7. Normally you need to modify its registry for Win7 to work with Samba. Was it done?

Att.

2013/9/5 <jared.m.jacobson at l-3com.com>

I stood up a samba 4 (4.0.9) Active Directory domain controller on a Red Hat Enterprise Linux 6.3 server, configured in accordance with the Samba AD DC HOWTO <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO>, and tailored to the domain name I want. I'm trying to join a Windows 7 Enterprise Edition client to the domain. Windows responds with "Your computer could not be joined to the domain because the following error has occurred: The network path was not found."

I used wireshark to capture the message exchange. ... here's a summary of the messages exchanged (C = Win 7 client, S = samba server, pretending client IP is 192.168.0.3, server IP is 192.168.0.4, server name is server, client name is client, and domain name is domain.name):

...

13. C->S: CLDAP search request "<ROOT>" baseobject
    a. Filter: DnsDomain=domain.name && Host=CLIENT && User=CLIENT && AAC=80:01:00:00 && NtVer=0x20000016
    b. Attributes: netlogon
14. S->C: CLDAP searchresentry
    a. Type: netlogon
    b. Opcode: LOGON_SAM_USER_UNKNOWN_EX

Based on this exchange, it looks like the Win 7 client is trying to use the username CLIENT (message 13) rather than the "Administrator" username I put in when attempting to join the domain, and the server is rejecting that user because it doesn't know that user.

Is it normal for the Win 7 client to use the computer name for the username, here? Did I miss something in the HOWTO? Am I supposed to add the client computer name to the Active Directory before trying to join the domain?