[SOLVED] Windows 7 Can't Join in Linux Domain.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

[SOLVED] Windows 7 Can't Join in Linux Domain.

Post by hack3rcon » 2015/10/03 10:08:47

Hello.
I installed Windows 7 in VirtualBox and CentOS 7 x64 too.
My DHCP config is:

subnet 192.168.72.0 netmask 255.255.255.0
{
option routers 192.168.72.1;
option subnet-mask 255.255.255.0;

option domain-name "linux.dj";
option domain-name-servers 192.168.72.1;

option time-offset -18000;

range 192.168.72.2 192.168.72.100;
}



And I used the links below to configure Samba as a DC:

1- http://www.server-world.info/en/note?os ... =samba&f=4
2- http://www.server-world.info/en/note?os ... =samba&f=5

My domain name is "linux.dj", and when I try to join Windows to the Linux domain it shows me an error that you can see in the attached photos.

Must I configure DNS too, or did "samba-tool" do it for me automatically?

What is your idea?

Thank you.
Attachments: 2.png, 1.png

barry905
Posts: 89
Joined: 2014/07/18 02:11:38

Re: Windows 7 Can't Join in Linux Domain.

Post by barry905 » 2015/10/04 04:03:32

To help resolve your issue we're going to need a little more information. I assume that you used the internal DNS package, but did you test your implementation on your dc to ensure that all was working correctly? You should test to make sure you can access the data store (use smbclient), then that DNS is setup correctly (use host), and finally that kerberos is functioning (use kinit and klist). If you can post the results of these then it would help to isolate your problem.

Just to make it a little easier, I would guess that your problem is within DNS setup, as that is what the "Can't contact dc" message usually points to. So see if you can resolve the service record "_ldap_tcp.dc_msdcs.LINUX.DJ" both from the dc and also from your workstation.

Good luck.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Windows 7 Can't Join in Linux Domain.

Post by hack3rcon » 2015/10/04 08:48:43

barry905 wrote:
To help resolve your issue we're going to need a little more information. I assume that you used the internal DNS package, but did you test your implementation on your dc to ensure that all was working correctly? You should test to make sure you can access the data store (use smbclient), then that DNS is setup correctly (use host), and finally that kerberos is functioning (use kinit and klist). If you can post the results of these then it would help to isolate your problem.

Just to make it a little easier, I would guess that your problem is within DNS setup, as that is what the "Can't contact dc" message usually points to. So see if you can resolve the service record "_ldap_tcp.dc_msdcs.LINUX.DJ" both from the dc and also from your workstation.

Good luck.
Thank you so much.

# smbclient -L localhost
session setup failed: NT_STATUS_LOGON_FAILURE

# kinit
kinit: Cannot find KDC for realm "LINUX.DJ" while getting initial credentials
# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found


My "bind" service is deactivated too :(

# service bind start
Redirecting to /bin/systemctl start bind.service
Failed to issue method call: Unit bind.service failed to load: No such file or directory.

My "named.conf" is:

options {
listen-on port 53 { 127.0.0.1; 192.168.72.1; };
# listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.72.0/24; };
forwarders {8.8.8.8; 8.8.4.4;};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Any idea?

barry905
Posts: 89
Joined: 2014/07/18 02:11:38

Re: Windows 7 Can't Join in Linux Domain.

Post by barry905 » 2015/10/05 03:55:09

Looking at the results of your testing your setup hasn't worked. The dc is not accepting login requests and the kerberos system isn't working. Finally I suspect that DNS is not resolving service requests properly. I note in your reply that you can't get bind to work: this is because you don't have bind installed, you have the sernet internal replacement for bind, which gives the same functionality but is integrated within samba4.

If you read this viewtopic.php?f=50&t=54059&p=228526#p228526 you will see how I implemented a dc using sernet. It gives a more detailed explanation as well as more extensive testing procedures. I ended up installing the dc five or six times before I got it to work.

Good luck, and post if you need more help.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Windows 7 Can't Join in Linux Domain.

Post by hack3rcon » 2015/10/05 08:39:15

barry905 wrote:
Looking at the results of your testing your setup hasn't worked. The dc is not accepting login requests and the kerberos system isn't working. Finally I suspect that DNS is not resolving service requests properly. I note in your reply that you can't get bind to work: this is because you don't have bind installed, you have the sernet internal replacement for bind, which gives the same functionality but is integrated within samba4.

If you read this viewtopic.php?f=50&t=54059&p=228526#p228526 you will see how I implemented a dc using sernet . It gives a more detailed explanation as well as more extensive testing procedures. I ended up installing the dc five or six times before I got it to work.

Good luck, and post if you need more help.

Thank you a lot. I did the steps and changed the DNS forwarder to my server IP:

DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.2]: 192.168.72.1

but I got the errors below in some steps:


# host -t A localhost.linux.dj
localhost.linux.dj has address 10.0.3.15

# kinit administrator@linux.dj
kinit: Cannot contact any KDC for realm 'linux.dj' while getting initial credentials

# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found

Why is my "localhost.linux.dj" address "10.0.3.15"? I guess it is because my VM has two NICs and one of them is NAT. Can it have corrupted my configuration?


Excuse me, I guess that I must clarify my scenario:

DC, DHCP and DNS server IP is: 192.168.72.1
Domain name: linux.dj
Client: Windows 7
Last edited by hack3rcon on 2015/10/05 08:42:10, edited 1 time in total.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Windows 7 Can't Join in Linux Domain.

Post by hack3rcon » 2015/10/05 09:25:29

What is "dc1"? When did you configure it?

barry905
Posts: 89
Joined: 2014/07/18 02:11:38

Re: Windows 7 Can't Join in Linux Domain.

Post by barry905 » 2015/10/06 05:07:48

First thing that springs to mind is that I think you misunderstand the DNS Forwarder. This tells the DNS where to look if it cannot resolve an address, so if you will it is a higher level server. The way you have it set up when the server cannot resolve an address it will circle back to itself.

Can you run the following and post the results please:

$ samba-tool domain level show
$ smbclient -L localhost -U%
$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

$ host -t SRV _ldap._tcp.linux.dj
$ host -t SRV _kerberos._udp.linux.dj
$ host -t A dc1.linux.dj

$ kinit administrator@LINUX.DJ (Note the CAPS - required)
$ klist

$ samba-tool user list
$ samba-tool user add testuser
$ samba-tool group list



I assume that you moved the generated krb5.conf file to /etc. If you can post this output we can see if samba4 is working correctly and whether DNS is setup correctly.

Thank you.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Windows 7 Can't Join in Linux Domain.

Post by hack3rcon » 2015/10/06 08:36:09

barry905 wrote:
First thing that springs to mind is that I think you misunderstand the DNS Forwarder. This tells the DNS where to look if it cannot resolve an address, so if you will it is a higher level server. The way you have it set up when the server cannot resolve an address it will circle back to itself.

Can you run the following and post the results please:

$ samba-tool domain level show
$ smbclient -L localhost -U%
$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

$ host -t SRV _ldap._tcp.linux.dj
$ host -t SRV _kerberos._udp.linux.dj
$ host -t A dc1.linux.dj

$ kinit administrator@LINUX.DJ (Note the CAPS - required)
$ klist

$ samba-tool user list
$ samba-tool user add testuser
$ samba-tool group list



I assume that you moved the generated krb5.conf file to /etc. If you can post this output we can see if samba4 is working correctly and whether DNS is setup correctly.

Thank you.

Thank you so much.

The information is:


# samba-tool domain level show

Domain and forest function level for domain 'DC=linux,DC=dj'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2


# smbclient -L localhost -U%

Domain=[LINUX] OS=[Windows 6.1] Server=[Samba 4.2.3-SerNet-RedHat-18.el7]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.2.3-SerNet-RedHat-18.el7)
Domain=[LINUX] OS=[Windows 6.1] Server=[Samba 4.2.3-SerNet-RedHat-18.el7]

Server Comment
--------- -------

Workgroup Master
--------- -------


# smbclient //localhost/netlogon -UAdministrator -c 'ls'

Domain=[LINUX] OS=[Windows 6.1] Server=[Samba 4.2.3-SerNet-RedHat-18.el7]
. D 0 Tue Sep 8 04:46:06 2015
.. D 0 Tue Sep 8 04:50:49 2015

52403200 blocks of size 1024. 48005424 blocks available


# host -t SRV _ldap._tcp.linux.dj
_ldap._tcp.linux.dj has SRV record 0 100 389 localhost.linux.dj.


# host -t SRV _kerberos._udp.linux.dj

_kerberos._udp.linux.dj has SRV record 0 100 88 localhost.linux.dj.


# host -t A dc1.linux.dj
Host dc1.linux.dj not found: 3(NXDOMAIN)

# kinit administrator@LINUX.DJ
Warning: Your password will expire in 40 days on Mon 16 Nov 2015 03:04:35 AM EST


# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LINUX.DJ

Valid starting Expires Service principal
10/06/2015 04:28:24 10/06/2015 14:28:24 krbtgt/LINUX.DJ@LINUX.DJ
renew until 10/07/2015 04:28:19


# samba-tool user list
Administrator
krbtgt
Guest

# samba-tool user add win
New Password:
Retype Password:
User 'win' created successfully


# samba-tool group list
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Read-Only Domain Controllers
Group Policy Creator Owners
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Performance Log Users
Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
IIS_IUSRS
DnsAdmins
Guests
Users


# cat /etc/krb5.conf
[libdefaults]
default_realm = LINUX.DJ
dns_lookup_realm = false
dns_lookup_kdc = true



What is your idea?

barry905
Posts: 89
Joined: 2014/07/18 02:11:38

Re: Windows 7 Can't Join in Linux Domain.

Post by barry905 » 2015/10/07 00:42:44

The good news is that the dc seems to be running properly on the domain controller now. Now to make sure that the workstation can access it.

One new test: can you run these commands on your dc please?

host -t SRV _ldap._tcp.dc._msdcs.linux.dj
host -t A localhost.linux.dj

And now repeat them on the win7 workstation:

nslookup
set type=SRV
_ldap._tcp.linux.dj
_kerberos._udp.linux.dj
_ldap._tcp.dc._msdcs.linux.dj
exit

What this does is to check to see whether you have the necessary links on the Win7 workstation to enable it to join the domain. If the test results from the workstation match those from the server then try joining the workstation to the domain. Hopefully this time you will get a better result.

If this doesn't work for you could you post the error messages, and particularly the full contents of the "Details" error box which should show the service call that failed.

Thank you.
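The checks barry905 asks for above (and the forwarder loop he describes two posts earlier) can be scripted so they are run the same way every time instead of typed by hand. The script below is an added example for this thread, not code from either poster or from the Samba project. It takes the domain "linux.dj" and the DC address 192.168.72.1 from the thread; the file name, the function names and the sample `host` output lines in the comments are constructed here, following the format of the output already posted. It parses `host -t SRV` / `host -t A` output and fails when a client following the SRV record would land anywhere other than the DC's LAN address (for example the NAT address 10.0.3.15 seen earlier), and it fails when the DNS forwarder is one of the DC's own addresses.

```shell
#!/bin/sh
# ad_dns_check.sh - added example for this thread (not Samba's or the posters' code).
# Checks the DNS chain a Windows client follows to find an AD DC: the SRV
# record must exist and its target's A record must be the DC's LAN address
# (in this thread 192.168.72.1, not the NAT address 10.0.3.15). It also flags
# a DNS forwarder that points back at the DC itself.
# DOMAIN and DC_IP are taken from the thread; adjust for another setup.

DOMAIN="linux.dj"
DC_IP="192.168.72.1"

# Print the target hostname (without trailing dot) from `host -t SRV` output,
# e.g. "_ldap._tcp.linux.dj has SRV record 0 100 389 localhost.linux.dj."
# Prints nothing if the output is not an SRV answer (e.g. "... not found: 3(NXDOMAIN)").
# Only the first answer is used when several SRV records come back.
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Print the address from `host -t A` output, e.g.
# "localhost.linux.dj has address 192.168.72.1"; prints nothing otherwise.
a_address() {
    printf '%s\n' "$1" | awk '/has address/ { print $NF; exit }'
}

# Judge one SRV record: $1 = SRV output, $2 = A output for the SRV target,
# $3 = the address the DC should have. Returns 0 if a client would end up at
# the DC, 1 otherwise, and prints a one-line verdict.
check_srv_chain() {
    target=$(srv_target "$1")
    if [ -z "$target" ]; then
        echo "FAIL: no SRV record, clients cannot locate the DC"
        return 1
    fi
    addr=$(a_address "$2")
    if [ -z "$addr" ]; then
        echo "FAIL: SRV target $target has no A record"
        return 1
    fi
    if [ "$addr" != "$3" ]; then
        echo "FAIL: SRV target $target resolves to $addr, expected $3"
        return 1
    fi
    echo "OK: $target -> $addr"
    return 0
}

# A forwarder equal to one of the DC's own addresses sends every query the
# DC cannot answer back to the DC. $1 = forwarder, remaining args = the DC's
# own addresses (all NICs, including a NAT one).
check_forwarder() {
    fwd="$1"; shift
    for ip in "$@"; do
        if [ "$fwd" = "$ip" ]; then
            echo "FAIL: DNS forwarder $fwd is this DC's own address (loop)"
            return 1
        fi
    done
    echo "OK: forwarder $fwd is an upstream server"
    return 0
}

# Live mode: query this host's resolver with the `host` command used in the
# thread. Run on the DC as:  sh ad_dns_check.sh --live
run_live() {
    status=0
    for rec in "_ldap._tcp.dc._msdcs.$DOMAIN" "_ldap._tcp.$DOMAIN" "_kerberos._udp.$DOMAIN"; do
        srv=$(host -t SRV "$rec" 2>&1)
        target=$(srv_target "$srv")
        a=""
        [ -n "$target" ] && a=$(host -t A "$target" 2>&1)
        check_srv_chain "$srv" "$a" "$DC_IP" || status=1
    done
    return $status
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run with `--live` on the DC, then point the same checks at the DC from the Windows client (nslookup there, as in the post above); the two sets of answers should agree, and every SRV target should resolve to the DC's LAN address, never to 127.0.0.1 or the NAT interface.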

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Windows 7 Can't Join in Linux Domain.

Post by hack3rcon » 2015/10/07 08:58:00

barry905 wrote:
The good news is that the dc seems to be running properly on the domain controller now. Now to make sure that the workstation can access it.

One new test: can you run these commands on your dc please?

host -t SRV _ldap._tcp.dc._msdcs.linux.dj
host -t A localhost.linux.dj

And now repeat them on the win7 workstation:

nslookup
set type=SRV
_ldap._tcp.linux.dj
_kerberos._udp.linux.dj
_ldap._tcp.dc._msdcs.linux.dj
exit

What this does is to check to see whether you have the necessary links on the Win7 workstation to enable it to join the domain. If the test results from the workstation match those from the server then try joining the workstation to the domain. Hopefully this time you will get a better result.

If this doesn't work for you could you post the error messages, and particularly the full contents of the "Details" error box which should show the service call that failed.

Thank you.


Thank you again.

The results are:

# host -t SRV _ldap._tcp.dc._msdcs.linux.dj
_ldap._tcp.dc._msdcs.linux.dj has SRV record 0 100 389 localhost.linux.dj.

# host -t A localhost.linux.dj
localhost.linux.dj has address 192.168.72.1


I attached two photos too, and I guess that I can join my Windows box to Linux. But if my number of clients is high, must I enter the "nslookup" manually on all of them?

My Windows client can't take an IP from DHCP and I must repair my NIC in Windows to take an IP.

DHCP on my Linux server is not active by default and I must "start" it manually.

# service dhcpd status
Redirecting to /bin/systemctl status dhcpd.service
dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled)
Active: active (running) since Wed 2015-10-07 04:45:24 EDT; 10s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 3657 (dhcpd)
Status: "Dispatching packets..."
CGroup: /system.slice/dhcpd.service
└─3657 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -gr...

Oct 07 04:45:24 localhost.localdomain dhcpd[3657]: No subnet declaration for ...
Oct 07 04:45:24 localhost.localdomain dhcpd[3657]: ** Ignoring requests on en...
Oct 07 04:45:24 localhost.localdomain dhcpd[3657]: you want, please write a s...
Oct 07 04:45:24 localhost.localdomain dhcpd[3657]: in your dhcpd.conf file fo...
Oct 07 04:45:24 localhost.localdomain dhcpd[3657]: to which interface enp0s8 ...
Oct 07 04:45:24 localhost.localdomain dhcpd[3657]:
Oct 07 04:45:24 localhost.localdomain dhcpd[3657]: Listening on LPF/enp0s3/08...
Oct 07 04:45:24 localhost.localdomain dhcpd[3657]: Sending on LPF/enp0s3/08...
Oct 07 04:45:24 localhost.localdomain dhcpd[3657]: Sending on Socket/fallba...
Oct 07 04:45:24 localhost.localdomain systemd[1]: Started DHCPv4 Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
Attachments: domain-join.png, nslookup.png
