Hi,
I'm not able to join a Windows XP machine to the Samba AD DC. This XP machine is a VM. No problems when joining Windows 10 machines to this DC.

On the XP machine, after entering the Administrator username\password to join the domain, the error message is: error while attempting to join the domain "VIDROESTE.IND": Internal error. I can see that the XP machine account was created in AD but it is disabled. In this AD account, there is no information in the "DNS name" property.

All the tests suggested in the wiki were successfully executed:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS

For the Samba AD DC, I'm using:
- OpenSuSE Leap 15.0
- no AppArmor or SELinux active
- Samba version is Version 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUSE-oS15.0-x86_64
- using Bind9

Has someone passed through something similar? Thanks in advance.

My smb.conf is below.

# Global parameters
[global]
dns forwarder = 8.8.8.8 8.8.4.4
bind interfaces only = Yes
interfaces = eth0
netbios name = DC1
realm = VIDROESTE.IND
server string = Suse Leap 15.0
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = VIDROESTE
idmap_ldb:use rfc2307 = yes
# Global parameters
[global]
dns forwarder = 8.8.8.8 8.8.4.4
bind interfaces only = Yes
interfaces = eth0
netbios name = DC1
realm = VIDROESTE.IND
server string = Suse Leap 15.0
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = VIDROESTE
idmap_ldb:use rfc2307 = yes

#To windows XP
ntlm auth = yes
lanman auth = yes
#log level = 10

[netlogon]
path = /var/lib/samba/sysvol/vidroeste.ind/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
ntlm auth = yes
lanman auth = yes
#log level = 10

[netlogon]
path = /var/lib/samba/sysvol/vidroeste.ind/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
On Tue, 23 Apr 2019 19:27:21 +0000 Rogerio Bettini via samba <samba at lists.samba.org> wrote:
> My smb.conf is below.

Unless that is the biggest typo I have seen, you have everything twice. Can I suggest you ensure your smb.conf is just this:

[global]
bind interfaces only = Yes
interfaces = eth0
netbios name = DC1
realm = VIDROESTE.IND
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = VIDROESTE
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/vidroeste.ind/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Check that you have your forwarders set in your named.conf files (they are in your smb.conf at the moment, where they will do nothing).

Next turn your attention to the XP machine and make it use NTLMv2, see here:
https://support.symantec.com/en_US/article.HOWTO54187.html

Finally, I do not know what kerberos your SUSE packages are using, so you need to find out. If it is MIT, then I would suggest you stop using them, using MIT is experimental and shouldn't be used in production.

Rowland
Rowland, it was a typo. Sorry, I pasted the smb.conf twice.
I changed the smb.conf as you proposed, so: dns forwarder removed (yes, it's in named.conf), and ntlm auth / lanman auth removed.
I also checked the NTLMv2 configuration in Windows XP.
But the error is still there.

I guess it's MIT as I saw this in the log:
/usr/lib/mit/sbin/krb5kdc: kerberos: 10
But how can I confirm which kerberos I'm using?

The log generated with "log level = 10" is too large to post here, but I can see, and can't understand why, the machine account has the property ACB_DISABLED = 1. That part of the log is below:

[2019/04/24 08:21:29.617310,  6, pid=3872, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: CN=VMXPZERO,CN=Computers,DC=vidroeste,DC=ind NULL -> 1
[2019/04/24 08:21:29.617337,  1, pid=3872, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
  samr_QueryUserInfo: struct samr_QueryUserInfo
      out: struct samr_QueryUserInfo
          info                     : *
              info                     : *
                  info                     : union samr_UserInfo(case 16)
                  info16: struct samr_UserInfo16
                      acct_flags               : 0x00000085 (133)
                             1: ACB_DISABLED
                             0: ACB_HOMDIRREQ
                             1: ACB_PWNOTREQ
                             0: ACB_TEMPDUP
                             0: ACB_NORMAL
                             0: ACB_MNS
                             0: ACB_DOMTRUST
                             1: ACB_WSTRUST
                             0: ACB_SVRTRUST
                             0: ACB_PWNOEXP
                             0: ACB_AUTOLOCK
                             0: ACB_ENC_TXT_PWD_ALLOWED
                             0: ACB_SMARTCARD_REQUIRED
                             0: ACB_TRUSTED_FOR_DELEGATION
                             0: ACB_NOT_DELEGATED
                             0: ACB_USE_DES_KEY_ONLY
                             0: ACB_DONT_REQUIRE_PREAUTH
                             0: ACB_PW_EXPIRED
                             0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                             0: ACB_NO_AUTH_DATA_REQD
                             0: ACB_PARTIAL_SECRETS_ACCOUNT
                             0: ACB_USE_AES_KEYS
          result                   : NT_STATUS_OK

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Tuesday, 23 April 2019 20:23
To: samba at lists.samba.org
Subject: Re: [Samba] Problem to join a windows XP

> Finally, I do not know what kerberos your SUSE packages are using, so
> you need to find out. If it is MIT, then I would suggest you stop using
> them, using MIT is experimental and shouldn't be used in production.
>
> Rowland
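Decoding the acct_flags value in that log excerpt explains the disabled state. The script below is an added example, not code from the thread or from Samba: it reads the mask from lines in the ndr_print format shown above (the sample is copied from the post), names the set MS-SAMR ACB_* bits, and translates them to the userAccountControl value an ldbsearch of the computer object would show. The three bits set in 0x85 (disabled, password not required, workstation trust) are the state a SAMR-created account starts in before the joining client sets its machine password and clears the disabled bit, so the join stopped right after the account was created.

```python
import re

# MS-SAMR ACB_* bits, in the order Samba's ndr_print lists them.
ACB_FLAGS = {
    "ACB_DISABLED": 0x00000001,
    "ACB_HOMDIRREQ": 0x00000002,
    "ACB_PWNOTREQ": 0x00000004,
    "ACB_TEMPDUP": 0x00000008,
    "ACB_NORMAL": 0x00000010,
    "ACB_MNS": 0x00000020,
    "ACB_DOMTRUST": 0x00000040,
    "ACB_WSTRUST": 0x00000080,
    "ACB_SVRTRUST": 0x00000100,
    "ACB_PWNOEXP": 0x00000200,
    "ACB_AUTOLOCK": 0x00000400,
    "ACB_ENC_TXT_PWD_ALLOWED": 0x00000800,
    "ACB_SMARTCARD_REQUIRED": 0x00001000,
    "ACB_TRUSTED_FOR_DELEGATION": 0x00002000,
    "ACB_NOT_DELEGATED": 0x00004000,
    "ACB_USE_DES_KEY_ONLY": 0x00008000,
    "ACB_DONT_REQUIRE_PREAUTH": 0x00010000,
    "ACB_PW_EXPIRED": 0x00020000,
    "ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x00040000,
    "ACB_NO_AUTH_DATA_REQD": 0x00080000,
    "ACB_PARTIAL_SECRETS_ACCOUNT": 0x00100000,
    "ACB_USE_AES_KEYS": 0x00200000,
}

# userAccountControl (UF_*) equivalents for the bits that matter for a machine account.
ACB_TO_UF = {
    "ACB_DISABLED": 0x0002,   # UF_ACCOUNTDISABLE
    "ACB_PWNOTREQ": 0x0020,   # UF_PASSWD_NOTREQD
    "ACB_NORMAL": 0x0200,     # UF_NORMAL_ACCOUNT
    "ACB_WSTRUST": 0x1000,    # UF_WORKSTATION_TRUST_ACCOUNT
    "ACB_SVRTRUST": 0x2000,   # UF_SERVER_TRUST_ACCOUNT
}

# Constructed sample: the relevant lines of the samr_QueryUserInfo dump from the post.
SAMPLE_LOG = """samr_QueryUserInfo: struct samr_QueryUserInfo
                  info16: struct samr_UserInfo16
                      acct_flags               : 0x00000085 (133)
"""

def acct_flags_from_log(text):
    # Return the acct_flags mask printed in an ndr_print dump, or None if it is not there.
    m = re.search(r"acct_flags\s*:\s*0x([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None

def decode_acct_flags(mask):
    # Names of the ACB_* bits set in mask, in ndr_print order.
    return [name for name, bit in ACB_FLAGS.items() if mask & bit]

def to_user_account_control(mask):
    # The userAccountControl value the same bits produce on the LDAP object.
    return sum(ACB_TO_UF[n] for n in decode_acct_flags(mask) if n in ACB_TO_UF)
```

For the post's account this gives 0x1022 (4130), the value to expect in userAccountControl when checking the CN=VMXPZERO object; a machine account whose join completed shows only ACB_WSTRUST (0x80, userAccountControl 0x1000).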
If you have had more attempts, then I suggest: remove the computer from the domain. Reboot it.
Now first try this: change the workgroup name of the XP PC to the same name as defined in smb.conf (VIDROESTE). Reboot the XP PC. Wait 5 min. Now go join the domain, and did that work? (old trick, works sometimes.) I suggest trying it since it's an easy one to try out.

Another thing to check, open CMD:
ipconfig /all
Is the dns-suffix the same as the search in /etc/resolv.conf? It helps if it is. (and IMO, it should be if you are in the same LAN.)

If it's not working, remove the XP PC again from the domain. Clean up DNS (A/PTR). Clean up AD, remove old PC names.

Read this one.
https://www.thomaskay.me/samba-interoperability-with-windows-operating-systems-greater-than-xp/

Try these settings and try to join; if that does not work, add the parameters below to smb.conf:
lm announce = no
lanman auth = no
ntlm auth = no
client lanman auth = no
client ntlmv2 auth = yes

This should keep Samba secure and allow XP clients, but remember, this may work for XP but might give problems for Win10. Please keep in mind, I don't recommend this at all.
And note: I DON'T RECOMMEND THIS! I think that's pretty clear..
It's more cost efficient to upgrade XP / buy a cheap Win10 Pro licence. Search for second hand or imported licences; it's a pain for MS, but it's legal in the EU. Tip: gamekeydiscounter, around 10 euro per W10 Pro licence, remember LEGAL in the EU. Check your country if it's legal there also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rogerio Bettini via samba
> Sent: Wednesday, 24 April 2019 13:37
> To: samba at lists.samba.org; Rowland Penny
> Subject: Re: [Samba] Problem to join a windows XP
>
> Rowland, it was a typo. Sorry, I pasted the smb.conf twice.
> I changed the smb.conf as you proposed, so: dns forwarder
> removed - yes it's in named.conf, and ntlm auth / lanman auth
> removed.
> I also checked the NTLMv2 configuration in Windows XP.
> But the error is still there.