Windows 7 cannot join samba domain
- by Antonis Christofides
I have a 3.5.6 samba server with a LDAP backend (both on Debian 6.0). I've been successfully adding Windows XP machines to the domain for years. I now try to add Windows 7. I have made the recommended registry changes, but I don't have any success so far. Here is what happens:
1. I go to computer name, select "Domain" instead of "Workgroup", type in the domain name, click OK. It asks me for the username and password of an account that can add computers to the domain; I enter them. After about 40 seconds, I get the following message:
The following error occurred attempting to join the domain "ITIA":
The specified computer account could not be found. Contact an administrator to verify the account is in the domain. If the account has been deleted unjoin, reboot, and rejoin the domain.
Despite this, the samba server successfully creates the computer account.
2. Therefore, if I try again a second time, without deleting the already created computer account, I get a different error:
The following error occurred attempting to join the domain "ITIA":
The specified account already exists.
(Note that until a while ago samba wasn't configured to automatically create computer accounts. What I did whenever I wanted an XP to join was to manually create it. When I first attempted to solve the Windows 7 join problem, I setup samba to do this automatically, as this is what most people do, as I understand, and I thought that it might be related. I haven't attempted to add an XP since I made this change, so I don't know if it works, but whether it works or not, the problem remains.)
Update 1: Here are the relevant parts of smb.conf:
[global]
panic action = /usr/share/samba/panic-action %d
workgroup = ITIA
server string = Itia file server
announce as = NT
interfaces = 147.102.160.1
volume = %h
passdb backend = ldapsam:ldap://ldap.itia.ntua.gr:389
ldap admin dn = uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr
ldap ssl = off
ldap suffix = dc=itia,dc=ntua,dc=gr
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
unix password sync = no
add machine script = smbldap-useradd -w -i %u
log file = /var/log/samba/samba-log.all
log level = 3
max log size = 5000
syslog = 2
socket options = SO_KEEPALIVE TCP_NODELAY
encrypt passwords = true
password level = 1
security = user
domain master = yes
local master = no
wins support = yes
domain logons = yes
idmap gid = 1000-2000
Update 2: The server has a single network interface eth1 (also an unused eth0 that shows up only in the kernel boot messages) and two ip addresses; the main, 147.102.160.1, and an additional one, 147.102.160.37, that comes up with "ip addr add 147.102.160.37/32 dev eth1" (used only for a web site that has a different certificate than other web sites served from the same machine). One of the problems I recently faced was that samba was using the latter IP address. I fixed that by adding the "interfaces = 147.102.160.1" statement in smb.conf.
Now:
acheloos:/etc/apache2# tcpdump host 147.102.160.40 and not port 5900
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:13:56.549048 IP lithaios.itia.civil.ntua.gr.netbios-dgm > 147.102.160.255.netbios-dgm: NBT UDP PACKET(138)
13:13:56.549056 ARP, Request who-has acheloos2.itia.civil.ntua.gr tell lithaios.itia.civil.ntua.gr, length 46
13:13:56.549091 ARP, Reply acheloos2.itia.civil.ntua.gr is-at 00:10:4b:b4:9e:59 (oui Unknown), length 28
13:13:56.549324 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
13:13:56.549608 IP lithaios.itia.civil.ntua.gr.netbios-dgm > acheloos2.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
13:13:56.549741 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
13:13:56.550364 IP lithaios.itia.civil.ntua.gr.netbios-dgm > acheloos.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
13:13:56.550468 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
(acheloos2 is the second IP address, 147.102.160.37). The above dump occurs when I click "OK" (to join the domain), until it asks me for the username and password of a user that can join the domain. I don't know why the client is contacting the second IP address. I tried temporarily deactivating it, but I still had some related ARP traffic (though I think not IP traffic).
