Using a non-default NetBIOS domain name

NethServer Version: NethServer release 7.3.1611
Module: Account provider

I’m trying to connect to a win2012r2 AD domain controller.
The FQDN of the AD domain is “mydomain.com”.
The proposed (and greyed out) option for the NetBIOS name is “MYDOMAIN”.
In my case the AD domain is set as “MD” for the NetBIOS naming, and since the field is greyed out I cannot edit it.

I cannot retrieve users and groups, probably because of the wrong NetBIOS name that I cannot change (I see the nethserver computer entry in Active Directory Users & Computers, so the join seems to have worked).

If I go to Status → Domain accounts
I get this error:

NetBIOS domain name: MYDOMAIN
LDAP server: 10.0.0.180
LDAP server name: mydc.mydomain.com
Realm: MYDOMAIN.COM
Bind Path: dc=MYDOMAIN,dc=COM
LDAP port: 389
Server time: Mon, 20 Feb 2017 14:27:25 CET
KDC server: 10.0.0.180
Server time offset: -1
Last machine account password change: Mon, 20 Feb 2017 14:27:16 CET

Enter NETHSERVER$@MYDOMAIN.COM’s password:Join to domain is not valid: NT code 0xfffffff6

Another thing, I don’t know if it’s related: I get an SSL error

Account provider connection reset by peer: check if the server supports SSL/TLS connections

Should I set the full path and port, e.g. ldaps://10.0.0.180:636?

Is there a manual setup procedure for “custom” AD configurations? I don’t think this is something custom, it’s just a different NetBIOS name that’s not the default-proposed MYDOMAIN (w/o the .COM part).

Any help appreciated.

1 Like

I’m not sure if you can change it after the account provider is initialised, but this link shows how to initially change the domain.

Cheers.

1 Like

@EddieA pointed out the correct documentation.

@penzoiders, if you need to change the NetBIOS domain now, switch back to “None (disabled)”, then you have 2 options:

  • follow the above documentation
  • change the machine hostname

Yay! That worked, thanks.

I still get the SSL/TLS connection error; the port is open on the firewall of the ADDC and it should be ldaps://10.0.0.180:636… For now I just disabled STARTTLS by setting it to “No” and it’s working fine.

Can you please be so kind as to point me to SSL/TLS troubleshooting for the AD Account Provider? Thanks.

Hi @penzoiders,

From what I know, by default Microsoft Active Directory servers will offer only LDAP connections over unencrypted connections (boo!), so you have to disable the SSL over LDAP option in NS7 to join an existing Microsoft AD.

You can find a lot of documentation on this topic, and there are a lot of how-tos to enable LDAPS on a Microsoft DC (veeeeeeeeeery annoying! :triumph:).

I found this link helpful: Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers

6 Likes
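
Added example, not part of the thread and not NethServer code: a Python probe that separates the two mechanisms discussed above, StartTLS on port 389 and LDAPS (implicit TLS) on port 636, and reports the LDAP result code or socket error each one produces. The function names and the sample reply are constructed for illustration.

```python
import socket, ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def starttls_request(msg_id=1):
    """BER-encode an LDAP ExtendedRequest asking the server to start TLS."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    op = b"\x77" + bytes([len(name)]) + name                     # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + op                    # messageID + op
    return b"\x30" + bytes([len(body)]) + body

def _tlv(buf, pos):
    """Read one BER TLV at pos; short-form and long-form lengths are handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def starttls_result(resp):
    """resultCode of an ExtendedResponse: 0 means the server will start TLS."""
    tag, msg, _ = _tlv(resp, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg, 0)                      # skip messageID
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    return int.from_bytes(_tlv(op, 0)[1], "big")  # ENUMERATED resultCode

def probe(host, timeout=5):
    """Try StartTLS on 389 and implicit TLS on 636; errors are reported, not hidden."""
    out = {}
    try:
        with socket.create_connection((host, 389), timeout) as s:
            s.sendall(starttls_request())
            out["starttls_389"] = starttls_result(s.recv(4096))
    except (OSError, ValueError, IndexError) as e:
        out["starttls_389"] = repr(e)
    try:
        ctx = ssl.create_default_context()        # certificate verification stays on
        with socket.create_connection((host, 636), timeout) as s, \
                ctx.wrap_socket(s, server_hostname=host) as t:
            out["ldaps_636"] = t.version()
    except OSError as e:                          # resets, timeouts, TLS and cert errors
        out["ldaps_636"] = repr(e)
    return out

# Constructed sample reply (not captured from a real server): resultCode 52, "unavailable".
SAMPLE_UNAVAILABLE = bytes.fromhex("300c02010178070a013404000400")
```

Run `probe()` with the DC's address or name from the host that joins the domain. A non-zero `starttls_389` value or a reset means the DC did not start TLS, while a certificate verification error on 636 means TLS is offered but the certificate is not trusted by this host or does not match the name used.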

Yes, I’ve managed to link it successfully (no LDAPS, just plain… and yes: boooo!)

Thanks for the helpful link, but I think I’ll prefer to switch to a NethServer DC anytime soon… maybe I’ll start a new topic on this, since for this thread it is pretty much OT: joining NS7 as a domain controller in a Windows domain, then moving the FSMO roles to it and demoting/destroying the Windows boxes.