samba - Aug 2024 - Problem joining windows clients to Samba AD

On Wed, 21 Aug 2024 14:11:52 +0200
L?o <dlopoel at gmail.com> wrote:
> Hello Rowland,
> 
> Here it is:
> 
> smb.conf:
> ---
> [global]
> dns forwarder = 9.9.9.9
> netbios name = DC1
> realm = AD.EXAMPLE.COM
> server role = active directory domain controller
> workgroup = AD
> idmap_ldb:use rfc2307  = yes
> 
> min protocol = SMB2
The above line is the default.
> ntlm auth = mschapv2-and-ntlmv2-only
Why do you need the line above ?
> 
> restrict anonymous = 2
> disable netbios = yes
I am not sure that is the correct way to do it on a DC, I do know that
the 'nbt' server (the DC variant of nmbd) is running.
 
> smb ports = 445
> 
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
> 
> tls enabled = yes
The above line is the default
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> [netlogon]
> path = /var/lib/samba/sysvol/ad.example.com/scripts
> read only = No
> ---
> 
There isn't anything there that should be stopping you joining
computers, which sounds like a dns problem, so I would start by
checking your dns.
The other question I should have asked is, what are the Windows clients
?

Rowland
PS, please do not 'CC' me, just reply to the list.

> > ntlm auth = mschapv2-and-ntlmv2-only
>
> Why do you need the line above ?
This is part of security hardening, to prevent the use of NTLMv1
authentication protocol (except for MSCHAPv2 authentication scheme)
> > restrict anonymous = 2
> > disable netbios = yes
>
> I am not sure that is the correct way to do it on a DC, I do know that
> the 'nbt' server (the DC variant of nmbd) is running.
This is also part of the security hardening. Same for disabling
printing services, etc.
> There isn't anything there that should be stopping you joining
> computers, which sounds like a dns problem, so I would start by
> checking your dns.
Well, I checked all records from this list:
https://learn.microsoft.com/en-us/archive/technet-wiki/7608.srv-records-registered-by-net-logon
and all of them seem to be working.

Also, nltest /dnsgetdc:ad.example.com correctly fetches the two samba
DCs, but nltest /dsgetdc:ad.example.com fails (0x54b
ERROR_NO_SUCH_DOMAIN), like in the logs of my first message. It is
like windows was not actually using DNS to find the domain, but I
think this is the default on recent editions, right?
> The other question I should have asked is, what are the Windows clients
> ?
Clients are Windows Server 2022 or Windows 10.
> PS, please do not 'CC' me, just reply to the list.
Sorry about that :/