samba - May 2016 - Fwd: Not able to join windows 10 clients to samba 3.6.23 NT4 Style PDC

Hi,

I resolved NMBD errors, but still same error in windows 10 pro, Could
please suggest any changes in windows 10 PC. Applied registry changes
suggested by samba wiki but no improvement.

I am able to join windows 7 clients without error.

Regards,
Ram





On Mon, May 16, 2016 at 8:11 PM, Ram Prasad Bikkina
<parvathiprasadb at gmail.com> wrote:
> Hi Gaiseric,
>
> Thank you for quick reply. I configured my PDC as WINS server and
> specified "IP of PDC".
>
> I observed some errors in NMBD log,  "become_domain_master_query
> failed". I am googling these errors.
>
>
>
> On Mon, May 16, 2016 at 6:57 PM, Gaiseric Vandal
> <gaiseric.vandal at gmail.com> wrote:
>> If this is an NT4-style domain, then DNS is not essential.    Things
like
>> SRV records aren't relevant since a lot of the NT4 is back from the
NetBios
>> days.        It looks like your Win 10 machine thinks it is trying to
join
>> an AD domain.      Windows clients machines typically are using DNS to
>> resolve server names to IP addresses.   However DNS does not provide
info on
>> locating PDC's and BDC's.  That is better handled with the use
of a WINS
>> server (Windows Internet Naming) which is basically name looking up for
>> "netbios" names and services.
>>
>> I have configured my PDC to be the WINS server.
>>
>>
>> In my smb.conf on member server
>>
>>    security = domain
>>    domain master = no
>>    domain logons = no
>>     name resolve order =  host wins  bcast
>>     workgroup = MYDOMAIN
>>     wins server = IP_OF_PDC
>>
>>
>>
>> For a classic domain, make sure you have NOT disable NBT (netbios over
>> tcp/ip) on the client machines.  By default it is left enabled.
>>
>>
>> On 05/14/16 00:10, Ram Prasad Bikkina wrote:
>>>
>>> ---------- Forwarded message ----------
>>> From: Ram Prasad Bikkina <parvathiprasadb at gmail.com>
>>> Date: Sat, May 14, 2016 at 9:39 AM
>>> Subject: Re: [Samba] Not able to join windows 10 clients to samba
3.6.23
>>> NT4 Style PDC
>>> To: gaiseric.vandal at gmail.com
>>>
>>>
>>> Hi Gaiseric Vandal,
>>>
>>> I applied these registry settings in my windows 10 PC but not able
to
>>> join.
>>> It is getting below error.
>>>
>>>   Note: This information is intended for a network administrator. 
If
>>> you are not your network's administrator, notify the
administrator
>>> that you received this information, which has been recorded in the
>>> file C:\Windows\debug\dcdiag.txt.
>>>
>>>   The following error occurred when DNS was queried for the service
>>> location (SRV) resource record used to locate an Active Directory
>>> Domain Controller (AD DC) for domain "samba.local":
>>>
>>>   The error was: "DNS name does not exist."
>>>   (error code 0x0000232B RCODE_NAME_ERROR)
>>>
>>>   The query was for the SRV record for
_ldap._tcp.dc._msdcs.samba.local
>>>
>>>   Common causes of this error include the following:>
>>>
>>>   - The DNS SRV records required to locate a AD DC for the domain
are
>>> not registered in DNS. These records are registered with a DNS
server
>>> automatically when a AD DC is added to a domain. They are updated
by
>>> the AD DC at set intervals. This computer is configured to use DNS
>>> servers with the following IP addresses:
>>>
>>>   192.168.1.2
>>>
>>>   - One or more of the following zones do not include delegation to
its
>>> child zone:
>>>
>>>   samba.local
>>>   local
>>>   . (the root zone)
>>>
>>>
>>>
>>> On Fri, May 13, 2016 at 6:28 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com>
>>> wrote:
>>>
>>>> The registry changes for Windows 7 also apply to Windows 10
>>>>
>>>>
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 05/13/16 08:17, Ram Prasad Bikkina wrote:
>>>>
>>>>> I prepared samba PDC and not able to join windows 10
clients. Please
>>>>> suggest any windows 10 registry settings.
>>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

Just to verify, did you configure the Win 10 machine as a WINS client 
?    The PDC will not necessarily be the master browser (showing what 
resources are available on the network) -  browser elections are 
weighted towards machines with newer OS's.    You can adjust the "os 
level" parameter in smb.conf to bias the election in favor of the PDC 
but if WINS is being used none of this should really matter.



Does the machine account exist in samba ?   You may need to precreate it 
with "smbpasswd -a -m machinename"   and then verify that the 
"machinename$" account was created.  I have an LDAP backend.   The
unix
machine accounts exist.  When samba creates a samba machine account 
(either when I use smbpasswd or a computer joins the domain) , samba 
updates/adds ldap attributes to the machine account.        All the Win 
10 machines I have added "recycled"  preexisting Windows 7 machine 
accounts.      With some versions of samba with an ldap backend I had to 
manually precreate the samba account and then verify the ldap attributes 
were set correctly.

Can you copy and paste the results of the net join command (sanitized of 
course to remove any company info.)

What OS is the PDC ?  (mine is solaris 11.)   Is this from package or 
precompiled?    Any recent backported patches to fix badblock 
vulnerability?


On the windows machines, does "ipconfig /all" show any ipv6 DNS
servers ?

Some of the "testparm -v" output from my PDC (mostly I disabled lanman
for security and limited SMB versions to CORE and NT1 for file sharing 
issues)


Server role: ROLE_DOMAIN_PDC
...
         interfaces          bind interfaces only = No
         security = USER
         auth methods          encrypt passwords = Yes
         client schannel = Auto
         server schannel = Auto
         allow trusted domains = Yes

...
         lanman auth = No
         ntlm auth = Yes
         client NTLMv2 auth = Yes
         client lanman auth = No
         client plaintext auth = No
         client use spnego principal = No
         send spnego principal = No
...
         smb ports = 445 139
         large readwrite = Yes
         max protocol = NT1
         min protocol = CORE
...
         announce version = 4.9
         announce as = NT
...
         os level = 20
...
         preferred master = Yes
         local master = Yes
         domain master = Yes
         browse list = Yes
         enhanced browsing = Yes
         dns proxy = No
         wins proxy = No
         wins server          wins support = Yes
...
[netlogon]
         comment = Network Logon Service
         path = /export/samba/netlogon
         write list = @Administrators, @sysadmin
         guest ok = Yes
         share modes = No

...












On 05/18/16 00:07, Ram Prasad Bikkina wrote:
> Hi,
>
> I resolved NMBD errors, but still same error in windows 10 pro, Could
> please suggest any changes in windows 10 PC. Applied registry changes
> suggested by samba wiki but no improvement.
>
> I am able to join windows 7 clients without error.
>
> Regards,
> Ram
>
>
>
>
>
> On Mon, May 16, 2016 at 8:11 PM, Ram Prasad Bikkina
> <parvathiprasadb at gmail.com> wrote:
>> Hi Gaiseric,
>>
>> Thank you for quick reply. I configured my PDC as WINS server and
>> specified "IP of PDC".
>>
>> I observed some errors in NMBD log,  "become_domain_master_query
>> failed". I am googling these errors.
>>
>>
>>
>> On Mon, May 16, 2016 at 6:57 PM, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com> wrote:
>>> If this is an NT4-style domain, then DNS is not essential.   
Things like
>>> SRV records aren't relevant since a lot of the NT4 is back from
the NetBios
>>> days.        It looks like your Win 10 machine thinks it is trying
to join
>>> an AD domain.      Windows clients machines typically are using DNS
to
>>> resolve server names to IP addresses.   However DNS does not
provide info on
>>> locating PDC's and BDC's.  That is better handled with the
use of a WINS
>>> server (Windows Internet Naming) which is basically name looking up
for
>>> "netbios" names and services.
>>>
>>> I have configured my PDC to be the WINS server.
>>>
>>>
>>> In my smb.conf on member server
>>>
>>>     security = domain
>>>     domain master = no
>>>     domain logons = no
>>>      name resolve order =  host wins  bcast
>>>      workgroup = MYDOMAIN
>>>      wins server = IP_OF_PDC
>>>
>>>
>>>
>>> For a classic domain, make sure you have NOT disable NBT (netbios
over
>>> tcp/ip) on the client machines.  By default it is left enabled.
>>>
>>>
>>> On 05/14/16 00:10, Ram Prasad Bikkina wrote:
>>>> ---------- Forwarded message ----------
>>>> From: Ram Prasad Bikkina <parvathiprasadb at gmail.com>
>>>> Date: Sat, May 14, 2016 at 9:39 AM
>>>> Subject: Re: [Samba] Not able to join windows 10 clients to
samba 3.6.23
>>>> NT4 Style PDC
>>>> To: gaiseric.vandal at gmail.com
>>>>
>>>>
>>>> Hi Gaiseric Vandal,
>>>>
>>>> I applied these registry settings in my windows 10 PC but not
able to
>>>> join.
>>>> It is getting below error.
>>>>
>>>>    Note: This information is intended for a network
administrator.  If
>>>> you are not your network's administrator, notify the
administrator
>>>> that you received this information, which has been recorded in
the
>>>> file C:\Windows\debug\dcdiag.txt.
>>>>
>>>>    The following error occurred when DNS was queried for the
service
>>>> location (SRV) resource record used to locate an Active
Directory
>>>> Domain Controller (AD DC) for domain "samba.local":
>>>>
>>>>    The error was: "DNS name does not exist."
>>>>    (error code 0x0000232B RCODE_NAME_ERROR)
>>>>
>>>>    The query was for the SRV record for
_ldap._tcp.dc._msdcs.samba.local
>>>>
>>>>    Common causes of this error include the following:>
>>>>
>>>>    - The DNS SRV records required to locate a AD DC for the
domain are
>>>> not registered in DNS. These records are registered with a DNS
server
>>>> automatically when a AD DC is added to a domain. They are
updated by
>>>> the AD DC at set intervals. This computer is configured to use
DNS
>>>> servers with the following IP addresses:
>>>>
>>>>    192.168.1.2
>>>>
>>>>    - One or more of the following zones do not include
delegation to its
>>>> child zone:
>>>>
>>>>    samba.local
>>>>    local
>>>>    . (the root zone)
>>>>
>>>>
>>>>
>>>> On Fri, May 13, 2016 at 6:28 PM, Gaiseric Vandal
>>>> <gaiseric.vandal at gmail.com>
>>>> wrote:
>>>>
>>>>> The registry changes for Windows 7 also apply to Windows 10
>>>>>
>>>>>
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 05/13/16 08:17, Ram Prasad Bikkina wrote:
>>>>>
>>>>>> I prepared samba PDC and not able to join windows 10
clients. Please
>>>>>> suggest any windows 10 registry settings.
>>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and
read the
>>>>> instructions: 
https://lists.samba.org/mailman/options/samba
>>>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba

A couple of other issues to keep in mind...

Aside from the fact that the errors suggest your W10 box is trying to join
an AD domain, W10 also defaults to a protocol of SMB 3.3 which Samba 3.x
does not support. If you resolve the issue wherein W10 thinks it is joining
an AD domain, there's a strong possibility (if not certainty) you will then
see errors in the log of the W10 box indicating Windows could not log onto
the domain because it could not find a netlogon server. That, in turn,
would be because it could not negotiate a sufficiently secure communication
with the server.

When I encountered this problem, the only solution I found was to disable
SMB 3.3 on the W10 box as noted in
https://support.microsoft.com/en-us/kb/2696547. I re-enabled it when the
version of Samba in the 4.x series that supported SMB 3.3 was released, and
my W10 box has been a content member of my old-style domain since.

Regards,
David


On Wed, May 18, 2016 at 9:00 AM, Gaiseric Vandal <gaiseric.vandal at
gmail.com>
wrote:
> Just to verify, did you configure the Win 10 machine as a WINS client ?
> The PDC will not necessarily be the master browser (showing what resources
> are available on the network) -  browser elections are weighted towards
> machines with newer OS's.    You can adjust the "os level"
parameter in
> smb.conf to bias the election in favor of the PDC but if WINS is being used
> none of this should really matter.
>
>
>
> Does the machine account exist in samba ?   You may need to precreate it
> with "smbpasswd -a -m machinename"   and then verify that the
> "machinename$" account was created.  I have an LDAP backend.  
The unix
> machine accounts exist.  When samba creates a samba machine account (either
> when I use smbpasswd or a computer joins the domain) , samba updates/adds
> ldap attributes to the machine account.        All the Win 10 machines I
> have added "recycled"  preexisting Windows 7 machine accounts.   
With
> some versions of samba with an ldap backend I had to manually precreate the
> samba account and then verify the ldap attributes were set correctly.
>
> Can you copy and paste the results of the net join command (sanitized of
> course to remove any company info.)
>
> What OS is the PDC ?  (mine is solaris 11.)   Is this from package or
> precompiled?    Any recent backported patches to fix badblock
vulnerability?
>
>
> On the windows machines, does "ipconfig /all" show any ipv6 DNS
servers ?
>
> Some of the "testparm -v" output from my PDC (mostly I disabled
lanman for
> security and limited SMB versions to CORE and NT1 for file sharing issues)
>
>
> Server role: ROLE_DOMAIN_PDC
> ...
>         interfaces >         bind interfaces only = No
>         security = USER
>         auth methods >         encrypt passwords = Yes
>         client schannel = Auto
>         server schannel = Auto
>         allow trusted domains = Yes
>
> ...
>         lanman auth = No
>         ntlm auth = Yes
>         client NTLMv2 auth = Yes
>         client lanman auth = No
>         client plaintext auth = No
>         client use spnego principal = No
>         send spnego principal = No
> ...
>         smb ports = 445 139
>         large readwrite = Yes
>         max protocol = NT1
>         min protocol = CORE
> ...
>         announce version = 4.9
>         announce as = NT
> ...
>         os level = 20
> ...
>         preferred master = Yes
>         local master = Yes
>         domain master = Yes
>         browse list = Yes
>         enhanced browsing = Yes
>         dns proxy = No
>         wins proxy = No
>         wins server >         wins support = Yes
> ...
> [netlogon]
>         comment = Network Logon Service
>         path = /export/samba/netlogon
>         write list = @Administrators, @sysadmin
>         guest ok = Yes
>         share modes = No
>
> ...
>
>
>
>
>
>
>
>
>
>
>
>
>
> On 05/18/16 00:07, Ram Prasad Bikkina wrote:
>
>> Hi,
>>
>> I resolved NMBD errors, but still same error in windows 10 pro, Could
>> please suggest any changes in windows 10 PC. Applied registry changes
>> suggested by samba wiki but no improvement.
>>
>> I am able to join windows 7 clients without error.
>>
>> Regards,
>> Ram
>>
>>
>>
>>
>>
>> On Mon, May 16, 2016 at 8:11 PM, Ram Prasad Bikkina
>> <parvathiprasadb at gmail.com> wrote:
>>
>>> Hi Gaiseric,
>>>
>>> Thank you for quick reply. I configured my PDC as WINS server and
>>> specified "IP of PDC".
>>>
>>> I observed some errors in NMBD log, 
"become_domain_master_query
>>> failed". I am googling these errors.
>>>
>>>
>>>
>>> On Mon, May 16, 2016 at 6:57 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com> wrote:
>>>
>>>> If this is an NT4-style domain, then DNS is not essential.   
Things
>>>> like
>>>> SRV records aren't relevant since a lot of the NT4 is back
from the
>>>> NetBios
>>>> days.        It looks like your Win 10 machine thinks it is
trying to
>>>> join
>>>> an AD domain.      Windows clients machines typically are using
DNS to
>>>> resolve server names to IP addresses.   However DNS does not
provide
>>>> info on
>>>> locating PDC's and BDC's.  That is better handled with
the use of a WINS
>>>> server (Windows Internet Naming) which is basically name
looking up for
>>>> "netbios" names and services.
>>>>
>>>> I have configured my PDC to be the WINS server.
>>>>
>>>>
>>>> In my smb.conf on member server
>>>>
>>>>     security = domain
>>>>     domain master = no
>>>>     domain logons = no
>>>>      name resolve order =  host wins  bcast
>>>>      workgroup = MYDOMAIN
>>>>      wins server = IP_OF_PDC
>>>>
>>>>
>>>>
>>>> For a classic domain, make sure you have NOT disable NBT
(netbios over
>>>> tcp/ip) on the client machines.  By default it is left enabled.
>>>>
>>>>
>>>> On 05/14/16 00:10, Ram Prasad Bikkina wrote:
>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: Ram Prasad Bikkina <parvathiprasadb at
gmail.com>
>>>>> Date: Sat, May 14, 2016 at 9:39 AM
>>>>> Subject: Re: [Samba] Not able to join windows 10 clients to
samba
>>>>> 3.6.23
>>>>> NT4 Style PDC
>>>>> To: gaiseric.vandal at gmail.com
>>>>>
>>>>>
>>>>> Hi Gaiseric Vandal,
>>>>>
>>>>> I applied these registry settings in my windows 10 PC but
not able to
>>>>> join.
>>>>> It is getting below error.
>>>>>
>>>>>    Note: This information is intended for a network
administrator.  If
>>>>> you are not your network's administrator, notify the
administrator
>>>>> that you received this information, which has been recorded
in the
>>>>> file C:\Windows\debug\dcdiag.txt.
>>>>>
>>>>>    The following error occurred when DNS was queried for
the service
>>>>> location (SRV) resource record used to locate an Active
Directory
>>>>> Domain Controller (AD DC) for domain
"samba.local":
>>>>>
>>>>>    The error was: "DNS name does not exist."
>>>>>    (error code 0x0000232B RCODE_NAME_ERROR)
>>>>>
>>>>>    The query was for the SRV record for
>>>>> _ldap._tcp.dc._msdcs.samba.local
>>>>>
>>>>>    Common causes of this error include the following:>
>>>>>
>>>>>    - The DNS SRV records required to locate a AD DC for the
domain are
>>>>> not registered in DNS. These records are registered with a
DNS server
>>>>> automatically when a AD DC is added to a domain. They are
updated by
>>>>> the AD DC at set intervals. This computer is configured to
use DNS
>>>>> servers with the following IP addresses:
>>>>>
>>>>>    192.168.1.2
>>>>>
>>>>>    - One or more of the following zones do not include
delegation to
>>>>> its
>>>>> child zone:
>>>>>
>>>>>    samba.local
>>>>>    local
>>>>>    . (the root zone)
>>>>>
>>>>>
>>>>>
>>>>> On Fri, May 13, 2016 at 6:28 PM, Gaiseric Vandal
>>>>> <gaiseric.vandal at gmail.com>
>>>>> wrote:
>>>>>
>>>>> The registry changes for Windows 7 also apply to Windows 10
>>>>>>
>>>>>>
>>>>>>
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 05/13/16 08:17, Ram Prasad Bikkina wrote:
>>>>>>
>>>>>> I prepared samba PDC and not able to join windows 10
clients. Please
>>>>>>> suggest any windows 10 registry settings.
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL
and read the
>>>>>> instructions: 
https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>