Sébastien Degouzon
2014-Jul-21 09:58 UTC
[Samba] Windows XP cannot join Samba 4AD but win 7 can.
Hello everybody,

I've got some troubles making Win XP join my samba4 AD, and, well, I'm kind of stuck!

I use the binary distribution of Samba 4 for Ubuntu Trusty Server (4.1.6), with bind9 DLZ as a DNS backend.

Everything works fine with Win7 workstations, but I get a message "Internal Error" on Win XP workstation during the domain join. The machine account is created on the server, but stated "disabled", and the DNS entry is missing...

I've already checked time sync (works fine), and all the typical pitfalls, and again, it works just fine with a Win 7 box...

FYI, my server is running on a KVM/Libvirt virtual machine, but I don't think this is the issue. Also, I already ran tests with previous releases of samba4 which worked well.

The log files show me that the Win 7 boxes use SMB2 protocol, and XP uses NTLM: is this normal? (I thought XP could use SMB1, but maybe I'm wrong)...

Any idea? Of course I can show every piece of information you might need to resolve my issue...

Thank you very much for your help...

--
UBO <http://iut.univ-brest.fr>
Gaiseric Vandal
2014-Jul-21 14:30 UTC
[Samba] Windows XP cannot join Samba 4AD but win 7 can.
NTLM is related to authentication (The NT Lan Manager password hashing.) SMB is the "Server Messaging Blocks" - aka CIFS - which is the network file and print sharing protocol. So your NTLM and SMB settings are not related to each other.

If I understand correctly - and maybe I don't - if you are using AD then Kerberos is used for authentication instead of NTLM. I don't know if Samba 4 AD can fall back to NTLM for backward compatibility.

You can check Wikipedia to quickly determine which versions of NTLM and SMB work with which clients.

On 07/21/14 05:58, Sébastien Degouzon wrote:
> Hello everybody,
>
> I've got some troubles making Win XP join my samba4 AD, and, well,
> I'm kind of stuck!
>
> I use the binary distribution of Samba 4 for Ubuntu Trusty Server
> (4.1.6), with bind9 DLZ as a DNS backend.
>
> Everything works fine with Win7 workstations, but I get a message
> "Internal Error" on Win XP workstation during the domain join.
> The machine account is created on the server, but stated "disabled",
> and the DNS entry is missing...
>
> I've already checked time sync (works fine), and all the typical
> pitfalls, and again, it works just fine with a Win 7 box...
>
> FYI, my server is running on a KVM/Libvirt virtual machine, but I
> don't think this is the issue. Also, I already ran tests with previous
> releases of samba4 which worked well.
>
> The log files show me that the Win 7 boxes use SMB2 protocol, and XP
> uses NTLM: is this normal? (I thought XP could use SMB1, but maybe
> I'm wrong)...
>
> Any idea? Of course I can show every piece of information you might
> need to resolve my issue...
>
> Thank you very much for your help...
Marc Muehlfeld
2014-Jul-21 18:02 UTC
[Samba] Windows XP cannot join Samba 4AD but win 7 can.
Hello Sébastien,

On 21.07.2014 11:58, Sébastien Degouzon wrote:
> I've got some troubles making Win XP join my samba4 AD, and, well, I'm
> kind of stuck!
>
> I use the binary distribution of Samba 4 for Ubuntu Trusty Server
> (4.1.6), with bind9 DLZ as a DNS backend.
>
> Everything works fine with Win7 workstations, but I get a message
> "Internal Error" on Win XP workstation during the domain join.
> The machine account is created on the server, but stated "disabled", and
> the DNS entry is missing...

Which account do you use to join the machine? The domain admin or have you delegated the permission to a different account/group? Domain Admin should always work. If delegated, then have a look here:
https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions

In an earlier version of that HowTo I forgot to grant permissions to a few attributes, which meant that I could join XP, but not Win7 (or was it the other way around?).

In this context: You haven't changed ACLs on containers?

One more idea: If you provisioned/upgraded your domain with an early 4.0 version, you should fix the ACLs:
https://wiki.samba.org/index.php/Updating_Samba#Updates_of_early_Samba_4_version_on_Samba_Active_Directory_DCs

It doesn't hurt to check your AD with the two 'samba-tool dbcheck' commands without the '--fix', anyway.

Regards,
Marc