samba - May 2016 - Fwd: Not able to join windows 10 clients to samba 3.6.23 NT4 Style PDC

A couple of other issues to keep in mind...

Aside from the fact that the errors suggest your W10 box is trying to join
an AD domain, W10 also defaults to a protocol of SMB 3.3 which Samba 3.x
does not support. If you resolve the issue wherein W10 thinks it is joining
an AD domain, there's a strong possibility (if not certainty) you will then
see errors in the log of the W10 box indicating Windows could not log onto
the domain because it could not find a netlogon server. That, in turn,
would be because it could not negotiate a sufficiently secure communication
with the server.

When I encountered this problem, the only solution I found was to disable
SMB 3.3 on the W10 box as noted in
https://support.microsoft.com/en-us/kb/2696547. I re-enabled it when the
version of Samba in the 4.x series that supported SMB 3.3 was released, and
my W10 box has been a content member of my old-style domain since.

Regards,
David


On Wed, May 18, 2016 at 9:00 AM, Gaiseric Vandal <gaiseric.vandal at
gmail.com>
wrote:
> Just to verify, did you configure the Win 10 machine as a WINS client ?
> The PDC will not necessarily be the master browser (showing what resources
> are available on the network) -  browser elections are weighted towards
> machines with newer OS's.    You can adjust the "os level"
parameter in
> smb.conf to bias the election in favor of the PDC but if WINS is being used
> none of this should really matter.
>
>
>
> Does the machine account exist in samba ?   You may need to precreate it
> with "smbpasswd -a -m machinename"   and then verify that the
> "machinename$" account was created.  I have an LDAP backend.  
The unix
> machine accounts exist.  When samba creates a samba machine account (either
> when I use smbpasswd or a computer joins the domain) , samba updates/adds
> ldap attributes to the machine account.        All the Win 10 machines I
> have added "recycled"  preexisting Windows 7 machine accounts.   
With
> some versions of samba with an ldap backend I had to manually precreate the
> samba account and then verify the ldap attributes were set correctly.
>
> Can you copy and paste the results of the net join command (sanitized of
> course to remove any company info.)
>
> What OS is the PDC ?  (mine is solaris 11.)   Is this from package or
> precompiled?    Any recent backported patches to fix badblock
vulnerability?
>
>
> On the windows machines, does "ipconfig /all" show any ipv6 DNS
servers ?
>
> Some of the "testparm -v" output from my PDC (mostly I disabled
lanman for
> security and limited SMB versions to CORE and NT1 for file sharing issues)
>
>
> Server role: ROLE_DOMAIN_PDC
> ...
>         interfaces >         bind interfaces only = No
>         security = USER
>         auth methods >         encrypt passwords = Yes
>         client schannel = Auto
>         server schannel = Auto
>         allow trusted domains = Yes
>
> ...
>         lanman auth = No
>         ntlm auth = Yes
>         client NTLMv2 auth = Yes
>         client lanman auth = No
>         client plaintext auth = No
>         client use spnego principal = No
>         send spnego principal = No
> ...
>         smb ports = 445 139
>         large readwrite = Yes
>         max protocol = NT1
>         min protocol = CORE
> ...
>         announce version = 4.9
>         announce as = NT
> ...
>         os level = 20
> ...
>         preferred master = Yes
>         local master = Yes
>         domain master = Yes
>         browse list = Yes
>         enhanced browsing = Yes
>         dns proxy = No
>         wins proxy = No
>         wins server >         wins support = Yes
> ...
> [netlogon]
>         comment = Network Logon Service
>         path = /export/samba/netlogon
>         write list = @Administrators, @sysadmin
>         guest ok = Yes
>         share modes = No
>
> ...
>
>
>
>
>
>
>
>
>
>
>
>
>
> On 05/18/16 00:07, Ram Prasad Bikkina wrote:
>
>> Hi,
>>
>> I resolved NMBD errors, but still same error in windows 10 pro, Could
>> please suggest any changes in windows 10 PC. Applied registry changes
>> suggested by samba wiki but no improvement.
>>
>> I am able to join windows 7 clients without error.
>>
>> Regards,
>> Ram
>>
>>
>>
>>
>>
>> On Mon, May 16, 2016 at 8:11 PM, Ram Prasad Bikkina
>> <parvathiprasadb at gmail.com> wrote:
>>
>>> Hi Gaiseric,
>>>
>>> Thank you for quick reply. I configured my PDC as WINS server and
>>> specified "IP of PDC".
>>>
>>> I observed some errors in NMBD log, 
"become_domain_master_query
>>> failed". I am googling these errors.
>>>
>>>
>>>
>>> On Mon, May 16, 2016 at 6:57 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com> wrote:
>>>
>>>> If this is an NT4-style domain, then DNS is not essential.   
Things
>>>> like
>>>> SRV records aren't relevant since a lot of the NT4 is back
from the
>>>> NetBios
>>>> days.        It looks like your Win 10 machine thinks it is
trying to
>>>> join
>>>> an AD domain.      Windows clients machines typically are using
DNS to
>>>> resolve server names to IP addresses.   However DNS does not
provide
>>>> info on
>>>> locating PDC's and BDC's.  That is better handled with
the use of a WINS
>>>> server (Windows Internet Naming) which is basically name
looking up for
>>>> "netbios" names and services.
>>>>
>>>> I have configured my PDC to be the WINS server.
>>>>
>>>>
>>>> In my smb.conf on member server
>>>>
>>>>     security = domain
>>>>     domain master = no
>>>>     domain logons = no
>>>>      name resolve order =  host wins  bcast
>>>>      workgroup = MYDOMAIN
>>>>      wins server = IP_OF_PDC
>>>>
>>>>
>>>>
>>>> For a classic domain, make sure you have NOT disable NBT
(netbios over
>>>> tcp/ip) on the client machines.  By default it is left enabled.
>>>>
>>>>
>>>> On 05/14/16 00:10, Ram Prasad Bikkina wrote:
>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: Ram Prasad Bikkina <parvathiprasadb at
gmail.com>
>>>>> Date: Sat, May 14, 2016 at 9:39 AM
>>>>> Subject: Re: [Samba] Not able to join windows 10 clients to
samba
>>>>> 3.6.23
>>>>> NT4 Style PDC
>>>>> To: gaiseric.vandal at gmail.com
>>>>>
>>>>>
>>>>> Hi Gaiseric Vandal,
>>>>>
>>>>> I applied these registry settings in my windows 10 PC but
not able to
>>>>> join.
>>>>> It is getting below error.
>>>>>
>>>>>    Note: This information is intended for a network
administrator.  If
>>>>> you are not your network's administrator, notify the
administrator
>>>>> that you received this information, which has been recorded
in the
>>>>> file C:\Windows\debug\dcdiag.txt.
>>>>>
>>>>>    The following error occurred when DNS was queried for
the service
>>>>> location (SRV) resource record used to locate an Active
Directory
>>>>> Domain Controller (AD DC) for domain
"samba.local":
>>>>>
>>>>>    The error was: "DNS name does not exist."
>>>>>    (error code 0x0000232B RCODE_NAME_ERROR)
>>>>>
>>>>>    The query was for the SRV record for
>>>>> _ldap._tcp.dc._msdcs.samba.local
>>>>>
>>>>>    Common causes of this error include the following:>
>>>>>
>>>>>    - The DNS SRV records required to locate a AD DC for the
domain are
>>>>> not registered in DNS. These records are registered with a
DNS server
>>>>> automatically when a AD DC is added to a domain. They are
updated by
>>>>> the AD DC at set intervals. This computer is configured to
use DNS
>>>>> servers with the following IP addresses:
>>>>>
>>>>>    192.168.1.2
>>>>>
>>>>>    - One or more of the following zones do not include
delegation to
>>>>> its
>>>>> child zone:
>>>>>
>>>>>    samba.local
>>>>>    local
>>>>>    . (the root zone)
>>>>>
>>>>>
>>>>>
>>>>> On Fri, May 13, 2016 at 6:28 PM, Gaiseric Vandal
>>>>> <gaiseric.vandal at gmail.com>
>>>>> wrote:
>>>>>
>>>>> The registry changes for Windows 7 also apply to Windows 10
>>>>>>
>>>>>>
>>>>>>
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 05/13/16 08:17, Ram Prasad Bikkina wrote:
>>>>>>
>>>>>> I prepared samba PDC and not able to join windows 10
clients. Please
>>>>>>> suggest any windows 10 registry settings.
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL
and read the
>>>>>> instructions: 
https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi Good Morning,

Thank you for everyone and supported me, I struggled a lot to resolve
the problem. However I got a solution for joining windows 10 clients
to Samba PDC (Samba Version 3.6.23) .

I changed workgroup name is from "example.com" to "example"
( I
removed "." from workgroup name), then i can able to join windows 10
clients to Samba PDC without any other settings.

May I know the reason why it is working without "." in workgroup name,
Is there any specific reason?

I tried several settings in smb.conf as well as registry settings in
windows 10 PC but it was not worked.

Regards,
Ram Prasad Bikkina




On Wed, May 18, 2016 at 8:28 PM, David Whitney <soonerdew at gmail.com>
wrote:
> A couple of other issues to keep in mind...
>
> Aside from the fact that the errors suggest your W10 box is trying to join
> an AD domain, W10 also defaults to a protocol of SMB 3.3 which Samba 3.x
> does not support. If you resolve the issue wherein W10 thinks it is joining
> an AD domain, there's a strong possibility (if not certainty) you will
then
> see errors in the log of the W10 box indicating Windows could not log onto
> the domain because it could not find a netlogon server. That, in turn,
would
> be because it could not negotiate a sufficiently secure communication with
> the server.
>
> When I encountered this problem, the only solution I found was to disable
> SMB 3.3 on the W10 box as noted in
> https://support.microsoft.com/en-us/kb/2696547. I re-enabled it when the
> version of Samba in the 4.x series that supported SMB 3.3 was released, and
> my W10 box has been a content member of my old-style domain since.
>
> Regards,
> David
>
>
> On Wed, May 18, 2016 at 9:00 AM, Gaiseric Vandal <gaiseric.vandal at
gmail.com>
> wrote:
>>
>> Just to verify, did you configure the Win 10 machine as a WINS client ?
>> The PDC will not necessarily be the master browser (showing what
resources
>> are available on the network) -  browser elections are weighted towards
>> machines with newer OS's.    You can adjust the "os
level" parameter in
>> smb.conf to bias the election in favor of the PDC but if WINS is being
used
>> none of this should really matter.
>>
>>
>>
>> Does the machine account exist in samba ?   You may need to precreate
it
>> with "smbpasswd -a -m machinename"   and then verify that the
"machinename$"
>> account was created.  I have an LDAP backend.   The unix machine
accounts
>> exist.  When samba creates a samba machine account (either when I use
>> smbpasswd or a computer joins the domain) , samba updates/adds ldap
>> attributes to the machine account.        All the Win 10 machines I
have
>> added "recycled"  preexisting Windows 7 machine accounts.    
With some
>> versions of samba with an ldap backend I had to manually precreate the
samba
>> account and then verify the ldap attributes were set correctly.
>>
>> Can you copy and paste the results of the net join command (sanitized
of
>> course to remove any company info.)
>>
>> What OS is the PDC ?  (mine is solaris 11.)   Is this from package or
>> precompiled?    Any recent backported patches to fix badblock
vulnerability?
>>
>>
>> On the windows machines, does "ipconfig /all" show any ipv6
DNS servers ?
>>
>> Some of the "testparm -v" output from my PDC (mostly I
disabled lanman for
>> security and limited SMB versions to CORE and NT1 for file sharing
issues)
>>
>>
>> Server role: ROLE_DOMAIN_PDC
>> ...
>>         interfaces >>         bind interfaces only = No
>>         security = USER
>>         auth methods >>         encrypt passwords = Yes
>>         client schannel = Auto
>>         server schannel = Auto
>>         allow trusted domains = Yes
>>
>> ...
>>         lanman auth = No
>>         ntlm auth = Yes
>>         client NTLMv2 auth = Yes
>>         client lanman auth = No
>>         client plaintext auth = No
>>         client use spnego principal = No
>>         send spnego principal = No
>> ...
>>         smb ports = 445 139
>>         large readwrite = Yes
>>         max protocol = NT1
>>         min protocol = CORE
>> ...
>>         announce version = 4.9
>>         announce as = NT
>> ...
>>         os level = 20
>> ...
>>         preferred master = Yes
>>         local master = Yes
>>         domain master = Yes
>>         browse list = Yes
>>         enhanced browsing = Yes
>>         dns proxy = No
>>         wins proxy = No
>>         wins server >>         wins support = Yes
>> ...
>> [netlogon]
>>         comment = Network Logon Service
>>         path = /export/samba/netlogon
>>         write list = @Administrators, @sysadmin
>>         guest ok = Yes
>>         share modes = No
>>
>> ...
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On 05/18/16 00:07, Ram Prasad Bikkina wrote:
>>>
>>> Hi,
>>>
>>> I resolved NMBD errors, but still same error in windows 10 pro,
Could
>>> please suggest any changes in windows 10 PC. Applied registry
changes
>>> suggested by samba wiki but no improvement.
>>>
>>> I am able to join windows 7 clients without error.
>>>
>>> Regards,
>>> Ram
>>>
>>>
>>>
>>>
>>>
>>> On Mon, May 16, 2016 at 8:11 PM, Ram Prasad Bikkina
>>> <parvathiprasadb at gmail.com> wrote:
>>>>
>>>> Hi Gaiseric,
>>>>
>>>> Thank you for quick reply. I configured my PDC as WINS server
and
>>>> specified "IP of PDC".
>>>>
>>>> I observed some errors in NMBD log, 
"become_domain_master_query
>>>> failed". I am googling these errors.
>>>>
>>>>
>>>>
>>>> On Mon, May 16, 2016 at 6:57 PM, Gaiseric Vandal
>>>> <gaiseric.vandal at gmail.com> wrote:
>>>>>
>>>>> If this is an NT4-style domain, then DNS is not essential. 
Things
>>>>> like
>>>>> SRV records aren't relevant since a lot of the NT4 is
back from the
>>>>> NetBios
>>>>> days.        It looks like your Win 10 machine thinks it is
trying to
>>>>> join
>>>>> an AD domain.      Windows clients machines typically are
using DNS to
>>>>> resolve server names to IP addresses.   However DNS does
not provide
>>>>> info on
>>>>> locating PDC's and BDC's.  That is better handled
with the use of a
>>>>> WINS
>>>>> server (Windows Internet Naming) which is basically name
looking up for
>>>>> "netbios" names and services.
>>>>>
>>>>> I have configured my PDC to be the WINS server.
>>>>>
>>>>>
>>>>> In my smb.conf on member server
>>>>>
>>>>>     security = domain
>>>>>     domain master = no
>>>>>     domain logons = no
>>>>>      name resolve order =  host wins  bcast
>>>>>      workgroup = MYDOMAIN
>>>>>      wins server = IP_OF_PDC
>>>>>
>>>>>
>>>>>
>>>>> For a classic domain, make sure you have NOT disable NBT
(netbios over
>>>>> tcp/ip) on the client machines.  By default it is left
enabled.
>>>>>
>>>>>
>>>>> On 05/14/16 00:10, Ram Prasad Bikkina wrote:
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Ram Prasad Bikkina <parvathiprasadb at
gmail.com>
>>>>>> Date: Sat, May 14, 2016 at 9:39 AM
>>>>>> Subject: Re: [Samba] Not able to join windows 10
clients to samba
>>>>>> 3.6.23
>>>>>> NT4 Style PDC
>>>>>> To: gaiseric.vandal at gmail.com
>>>>>>
>>>>>>
>>>>>> Hi Gaiseric Vandal,
>>>>>>
>>>>>> I applied these registry settings in my windows 10 PC
but not able to
>>>>>> join.
>>>>>> It is getting below error.
>>>>>>
>>>>>>    Note: This information is intended for a network
administrator.  If
>>>>>> you are not your network's administrator, notify
the administrator
>>>>>> that you received this information, which has been
recorded in the
>>>>>> file C:\Windows\debug\dcdiag.txt.
>>>>>>
>>>>>>    The following error occurred when DNS was queried
for the service
>>>>>> location (SRV) resource record used to locate an Active
Directory
>>>>>> Domain Controller (AD DC) for domain
"samba.local":
>>>>>>
>>>>>>    The error was: "DNS name does not exist."
>>>>>>    (error code 0x0000232B RCODE_NAME_ERROR)
>>>>>>
>>>>>>    The query was for the SRV record for
>>>>>> _ldap._tcp.dc._msdcs.samba.local
>>>>>>
>>>>>>    Common causes of this error include the
following:>
>>>>>>
>>>>>>    - The DNS SRV records required to locate a AD DC for
the domain are
>>>>>> not registered in DNS. These records are registered
with a DNS server
>>>>>> automatically when a AD DC is added to a domain. They
are updated by
>>>>>> the AD DC at set intervals. This computer is configured
to use DNS
>>>>>> servers with the following IP addresses:
>>>>>>
>>>>>>    192.168.1.2
>>>>>>
>>>>>>    - One or more of the following zones do not include
delegation to
>>>>>> its
>>>>>> child zone:
>>>>>>
>>>>>>    samba.local
>>>>>>    local
>>>>>>    . (the root zone)
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, May 13, 2016 at 6:28 PM, Gaiseric Vandal
>>>>>> <gaiseric.vandal at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> The registry changes for Windows 7 also apply to
Windows 10
>>>>>>>
>>>>>>>
>>>>>>>
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 05/13/16 08:17, Ram Prasad Bikkina wrote:
>>>>>>>
>>>>>>>> I prepared samba PDC and not able to join
windows 10 clients. Please
>>>>>>>> suggest any windows 10 registry settings.
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following
URL and read the
>>>>>>> instructions: 
https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and
read the
>>>>> instructions: 
https://lists.samba.org/mailman/options/samba
>>
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>

On 27/05/16 07:18, Ram Prasad Bikkina wrote:
> Hi Good Morning,
>
> Thank you for everyone and supported me, I struggled a lot to resolve
> the problem. However I got a solution for joining windows 10 clients
> to Samba PDC (Samba Version 3.6.23) .
>
> I changed workgroup name is from "example.com" to
"example" ( I
> removed "." from workgroup name), then i can able to join windows
10
> clients to Samba PDC without any other settings.
>
> May I know the reason why it is working without "." in workgroup
name,
> Is there any specific reason?
HI, this is has nothing to do with Samba, it's a windows thing. If you 
look here:

https://support.microsoft.com/en-us/kb/909264

Under the heading 'NetBIOS domain names' (note this is another name for 
'workgroup'), you will find this:

Names can contain a period (.). However, the name cannot start with a 
period. The use of non-DNS names with periods is allowed in Microsoft 
Windows NT. However, periods should not be used in Active Directory 
domains. If you are upgrading a domain whose NetBIOS name contains a 
period, change the name by migrating the domain to a new domain 
structure. Do not use periods in new NetBIOS domain names.


This problem has come up before, it may be that Microsoft has tightened 
up on the use of the dot '.' with windows 10.

Rowland