samba-users May 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: Re: [Samba] unable to join to a Samba4 domain

Re: [Samba] unable to join to a Samba4 domain

From: Michael Wood <esiotrot_at_nospam>
Date: Mon May 31 2010 - 14:20:44 GMT
To: Tomasz Chmielewski <mangoo@wpkg.org>

On 31 May 2010 14:23, Michael Wood <esiotrot@gmail.com> wrote:
> On 31 May 2010 14:18, Michael Wood <esiotrot@gmail.com> wrote:
>> On 31 May 2010 12:53, Tomasz Chmielewski <mangoo@wpkg.org> wrote:
> [...]
>>> http://virtall.com/files/samba4-join-rtl8139.pcap
>>>
>>>
>>> Some more hints?
>>
>> That's weird. It looks like the Windows box is ignoring the DNS
>> responses and just keeps repeating the query. I haven't actually
>> looked at a capture of a working join, but that can't be right.
>
> I see it repeats the CLDAP request too. I will have to capture a join
> here and compare them.

I renamed the client at the same time for no particular reason, and
this is what I see:

1.) First a few NBNS broadcasts to register the new client netbios
name, followed by an NBNS broadcast to release it again.

2.) DNS query for _ldap._tcp.dc._msdcs.samba.example.org and a DNS
reply pointing at port 389 on the DC.

3.) CLDAP request and reply like yours for the OLD netbios name of the client.
Filter: (&(&(DnsDomain=samba.example.org)(Host=OLDHOSTNAME))(NtVer=0x00000006))

4.) ARP request and reply for the DC's MAC address.

5.) A repeat of the DNS request and reply from step 2.

6.) A repeat of the CLDAP request from step 3.

7.) A CLDAP request for and reply again using the old netbios name of
the client. The response says something about netlogon, type=25,
version=5, LM token=0xffff, NT token=0xffff.
Filter: (&(&(&(&(DnsDomain=samba.example.org)(Host=OLDHOSTNAME))(User=OLDHOSTNAME$))(AAC=80:01:00:00))(NtVer=0x00000006))

8.) A repeat of the CLDAP request and response from step 7.

9.) An ICMP echo request to the DC and a response.

10.) An SMB connection to the DC on port 445.

11.) Another ping.

etc.

Later there's some kerberos, DCERPC, etc., etc.

Only about 18 seconds from the start does the client send a request to
the server containing the new netbios name. There are still various
requests containing the old netbios name after that too.

Right near the end (about 17 packets from the end) there's an LDAP
request to modify the DnsDomainName and ServicePrincipalName to the
new client name.

After that, an LDAP search still shows the object as being named
CN=oldname,CN=Computers,DC=samba,DC=example,DC=org, but various
attributes have been updated with the new name:

sAMAccountName: NEWNAME$
displayName: NEWNAME$
dNSHostName: newname.samba.example.org
servicePrincipalName: HOST/newname.samba.example.org
servicePrincipalName: HOST/NEWNAME

Anyway, I'm not sure this helps you except to confirm that there's
something funny going on in your case :)

The only difference I can see is that your netbios DOMAIN name is
different from the first part of the realm, but I don't see why that
should be a problem. Since I have nothing better to suggest, I
suppose you could try with realm samba4.contact-web.de and netbios
domain samba4 just to see if that makes a difference.

-- Michael Wood <esiotrot@gmail.com> -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba