Unable to join domain

[Morphaniel]

I too have this problem. My domain controller is Samba 3.3.4 on CentOS 5.3. I am using Win 7 RTM.

My Win 7 system is an in-place upgrade to Vista. The Vista machine was part of the domain but I detached it prior to the upgrade (been here before ).

Several registry mods are required for Win 7 to connect to Samba and I've done those.

The Win 7 machine can see the Samba DC because if I enter a fictitious domain it immediately complains about failing to find an AD with that name. Entering the correct domain name allows me to enter the admin credentials to join but then it fails.

The Samba logs show the Win 7 machine connecting at some low level (perhaps browsing when it boots) but there are no logs showing activity when I try to join the domain.

It's certainly possible that Win 7 RTM requires a Samba patch - most people on the 'net with similar problems are still using the RC..

 

[SquonkSC]

I too have this problem. My domain controller is Samba 3.3.4 on CentOS 5.3. I am using Win 7 RTM.

My Win 7 system is an in-place upgrade to Vista. The Vista machine was part of the domain but I detached it prior to the upgrade (been here before ).

Several registry mods are required for Win 7 to connect to Samba and I've done those.

The Win 7 machine can see the Samba DC because if I enter a fictitious domain it immediately complains about failing to find an AD with that name. Entering the correct domain name allows me to enter the admin credentials to join but then it fails.

The Samba logs show the Win 7 machine connecting at some low level (perhaps browsing when it boots) but there are no logs showing activity when I try to join the domain.

It's certainly possible that Win 7 RTM requires a Samba patch - most people on the 'net with similar problems are still using the RC..

Could it be difference in encryption of passwords?

greetz

 

[NoDoze]

I too have this problem. My domain controller is Samba 3.3.4 on CentOS 5.3. I am using Win 7 RTM.

My Win 7 system is an in-place upgrade to Vista. The Vista machine was part of the domain but I detached it prior to the upgrade (been here before ).

Several registry mods are required for Win 7 to connect to Samba and I've done those.

The Win 7 machine can see the Samba DC because if I enter a fictitious domain it immediately complains about failing to find an AD with that name. Entering the correct domain name allows me to enter the admin credentials to join but then it fails.

The Samba logs show the Win 7 machine connecting at some low level (perhaps browsing when it boots) but there are no logs showing activity when I try to join the domain.

It's certainly possible that Win 7 RTM requires a Samba patch - most people on the 'net with similar problems are still using the RC..

This sounds EXACTLY like my case! I'm able to enter the credentials but then it fails. Only I'm not able to get ANY sign of activity in the samba logs.

What are the registry mods u speak of? Can you share?

@squonksc - The machine is not on the DC...yet...heh

@ - and yes, I am logging in as the domain admin...still fails. Dispite being able to login ok via an XP Pro PC, AND being able to login to the server ok via the workgroup.

Thanks!

 

[Morphaniel]

The four registry mods are:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
“DomainCompatibilityMode”=dword:00000001
“DNSNameResolutionRequired”=dword:00000000


The above need to be added to allow the join to work. Then find the key below and set those values to 0.


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
“RequireSignOnSeal”=dword:00000000
“RequireStrongKey”=dword:00000000


This is definitely reported to work on many occasions across the 'net but doesn't for me. I may be being jinxed by having done an in-place upgrade and although I have a spare machine to try an install with, I haven't yet found the time.


Note that it is reported that you still get an error about the DNS suffix after these mods but the connection works - there is some Samba chatter about DNS suffixes but I only half understood it and since I haven't got that far yet, I didn't apply myself to it

 

[NoDoze]

Uhmmmm....in...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]

I have no:

“DomainCompatibilityMode”=dword:00000001
“DNSNameResolutionRequired”=dword:00000000

or

“RequireSignOnSeal”=dword:00000000
“RequireStrongKey”=dword:00000000

...or anything even close to it...

But I did have a Linkage/Route with this in it:

"Smb" "Tcpip" "{738D6978-CD95-42E2-B3A4-181CFBBA4675}"
"Smb" "Tcpip" "{C40D26E9-E52C-4E5E-B008-3D40E6F26AF0}"
"Smb" "Tcpip6" "{AE370AD5-8723-4B9D-BD28-75C2C25E842C}"
"Smb" "Tcpip6" "{DD6C90D2-D944-4F87-A484-6653D1BD0C17}"
"Smb" "Tcpip6" "{EF8C4B7B-2F1F-4CB5-A59D-B86A61ACA864}"
"Smb" "Tcpip6" "{BD1CD30A-8763-45C0-B146-AA4B6C7A29A0}"
"Smb" "Tcpip6" "{738D6978-CD95-42E2-B3A4-181CFBBA4675}"
"Smb" "Tcpip6" "{C40D26E9-E52C-4E5E-B008-3D40E6F26AF0}"
"Tcpip" "{738D6978-CD95-42E2-B3A4-181CFBBA4675}"
"Tcpip" "{C40D26E9-E52C-4E5E-B008-3D40E6F26AF0}"
"Tcpip6" "{AE370AD5-8723-4B9D-BD28-75C2C25E842C}"
"Tcpip6" "{DD6C90D2-D944-4F87-A484-6653D1BD0C17}"
"Tcpip6" "{EF8C4B7B-2F1F-4CB5-A59D-B86A61ACA864}"
"Tcpip6" "{BD1CD30A-8763-45C0-B146-AA4B6C7A29A0}"
"Tcpip6" "{738D6978-CD95-42E2-B3A4-181CFBBA4675}"
"Tcpip6" "{C40D26E9-E52C-4E5E-B008-3D40E6F26AF0}"
"NetbiosSmb"
"NetBT" "Tcpip" "{738D6978-CD95-42E2-B3A4-181CFBBA4675}"
"NetBT" "Tcpip" "{C40D26E9-E52C-4E5E-B008-3D40E6F26AF0}"
"NetBT" "Tcpip6" "{AE370AD5-8723-4B9D-BD28-75C2C25E842C}"
"NetBT" "Tcpip6" "{DD6C90D2-D944-4F87-A484-6653D1BD0C17}"
"NetBT" "Tcpip6" "{EF8C4B7B-2F1F-4CB5-A59D-B86A61ACA864}"
"NetBT" "Tcpip6" "{BD1CD30A-8763-45C0-B146-AA4B6C7A29A0}"
"NetBT" "Tcpip6" "{738D6978-CD95-42E2-B3A4-181CFBBA4675}"
"NetBT" "Tcpip6" "{C40D26E9-E52C-4E5E-B008-3D40E6F26AF0}"

And all the smb stuff looks like samba stuff, maybe...? ...which looks suspicious...

I also was able to upgrade to rtm....but it made no difference...

...sigh

 

[Morphaniel]

You won't have those values by default - you need to add them...

 

[NoDoze]

Thanks Morphaniel IT WORKED!!

I was able to login to the domain ok, but after restarting the PC, and trying to login with the user account with the DC, I get a:

the trust relationship between this workstation and the primary domain failed

I googled it, and it said it was an issue with a now corrupted machine entry for the machine on the DC...The suggestion was to log back into the workgroup, delete the machine, restart, change back over to the domain, restart, and I should then be able to login to the DC using the user from the DC....However, I get the response quoted above still.

I'm SOOOOO close now! LOL

Any ideas...?

 

[kegobeer]

Thanks Morphaniel IT WORKED!!

I was able to login to the domain ok, but after restarting the PC, and trying to login with the user account with the DC, I get a:

I googled it, and it said it was an issue with a now corrupted machine entry for the machine on the DC...The suggestion was to log back into the workgroup, delete the machine, restart, change back over to the domain, restart, and I should then be able to login to the DC using the user from the DC....However, I get the response quoted above still.

I'm SOOOOO close now! LOL

Any ideas...?

Does Samba require any certificates on the client computers? If so, perhaps the certificate(s) aren't there or they're in the wrong store.

 

[NoDoze]

I found this thread that provided some insight...

Windows 7 joining a Windows NT Server

However it ends with the issue remaining on a NT DC and Windows 7 RC build being the scenario...

I have yet to test this on a RTM version to see if the issue has been resolved with updated builds, as the thread above suggests.

Until then, any ideas? I'll keep searching....

 

[NoDoze]

I'm running rtm now, still getting the same message:

the trust relationship between this workstation and the primary domain failed

 

[ismell]

I'm in the same boat as you... I'm now getting the exact same error! You would think MS would release the regkeys to make samba work with win7. I'm almost tempted to install a windows box just to use as an AD box.

 

[NoDoze]

I had samba version 3.0.33 of something like that prior...with all the registry hacks and info from this link:
Nabble - Samba - General - Windows 7 RC
...basically adding a DNS suffix in the user's network properties, I was able to login to the domain AND using the username and password...everything functioned ok, normal! I was good to go!!

BUT after a reboot, and trying to login with the username and password, it'd FAIL...this time the samba logs for the user machine would say: _net_auth2: creds_server_check failed

So then based ton this link:
[Samba] Windows 7 RC
it stated that is was a samba version compatibility issue...so then I upgraded samba from 3.0.33 to 3.4...

This created a DISASTER! I had to re-setup the samba conf and delete the user and machine, and re-authenticate all!

And now... I'm back to the settings I had prior to the samba upgrade, including the DNS sufix...but instead of being able to login to the domain AND user... I'm back getting the "the trust relationship between this workstation and the primary domain failed".... BUT this time the samba log for the user machine is saying...

netlogon_creds_server_check: credentials check failed.

_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client USER machine account USER$

Anyone have any ideas...?

Thanks!

 

[NoDoze]

I've come to realize that the error from samba 3.0.33

_net_auth2: creds_server_check failed

And the error from samba 3.4

netlogon_creds_server_check: credentials check failed.

Are the SAME error messages! Grrrr...

Cause the line following is the same:

Rejecting auth request from client HOST machine account HOST$

..sigh...

Can anyone help me...!?!

 

[Morphaniel]

OK. Back from a little vacation and it must have done me good because I have built a new Win 7 RTM box and connected it to the domain and it works OK. This new build still required all of the mods in my previous note but there is a spelling mistake in one of my registry keys - corrected below:

The four registry mods are:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
“DomainCompatibilityMode”=dword:00000001
“DNSNameResolutionRequired”=dword:00000000


The above need to be added to allow the join to work. Then find the key below and set those values to 0.


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
“RequireSignOrSeal”=dword:00000000
“RequireStrongKey”=dword:00000000

As I said earlier, on joining the domain you get an error about the primary DNS suffix but it is ignorable.

Now, my upgraded machine (with the corrected key) still fails to join the domain but note that this upgraded box did not have the second two keys in the registry whereas the newly built box did. Clearly, upgrading a Vista machine does not leave the registry in the same state as newly building (or else the MS upgrade process is simply broken :sarc

 

[Morphaniel]

...and so I move on to my network shares, which on this test rig happen to be located on an elderly Buffalo Terastation, which also has Samba. Whilst one can upgrade Buffalo boxes, I wasn't about to make the jump in versions which would be required (if possible) to get to Samba 3.3.4 so I had to add the old tweak to the Win7 Local Security Settings before I could see the shares:

Click Start
Click Control Panel
Click Administrative Tools
Double-Click Local Security Policy
In the left pane, click the triangle next to Local Policy
In the left pane, click Security Options
In the right pane near the bottom, double-click "Network security:
LAN manager authentication level"
Click the drop-down box, and click "Send LM & NTLM - use NTLMv2
session security if negotiated"
Click OK
​

 

[NoDoze]

Hmmm...just found ou the security policy settings all changed when I did my update to RTM...

I'll play with my settings and see what happens, and report back...

What/where was the spelling error? I don't see any error in mine, especially since I copy/pasted...LOL

 

[NoDoze]

As a side note... Should I be restarting the PC after making the Policy changes? Cause I just logoff, then back on....

 

[PeterM42]

Thanx for the above - most useful.
Not sure it is relevant, but in the Control Panel (Detail view!!) > Network and Sharing Center > Local Area Connection > Properties, I also had to set the i/p properties to include the i/p address of my DNS server.
This is similar to a problem I encountered ages ago with 2000 & XP on my local domain.

 

[NoDoze]

Still no success

I still get:

the trust relationship between this workstation and the primary domain failed

I'll keep playing with the settings and researching on google...

 

[NoDoze]

well kids...I'm about to throw in the towel...!

I've messed with this for over 2 weeks now with no success.

If anyone gets any ideas, I'll be keeping an eye out on this thread...

Thanks.