Cannot join PDC Nethserver domain

Furuvio · February 8, 2016, 2:31pm

Dear all,
I just ended up deploying NethServer release 6.7 (final).
It acts also as DNS, DHCP disabled. It’s configured as PDC for unionfidi.lan domain, IP address 10.0.0.200

[root@dc1 ~]# nslookup 10.0.0.200
Server:         127.0.0.1
Address:        127.0.0.1#53
200.0.0.10.in-addr.arpa name = dc1.unionfidi.lan.

I fired up a Windows 7 virtual machine, to test how it joins the domain, with PDC’s IP address as DNS.
I get this message:

0x0000232D RCODE_REFUSED
An error occurred when DNS was queried for the service location (SRV) 
resource record used to locate an Active Directory Domain Controller (AD
 DC) for domain "unionfidi.lan".
The query was for the SRV record for _ldap._tcp.dc._msdcs.unionfidi.lan

Even not joined to domain, in computer network properties, domain suffix unionfidi.lan is present.
I performed an ipconfig/registerdns on Win 7, waited 15 minutes.
Then I did nslookup onto NethServer

[root@dc1 ~]# nslookup 10.0.1.249
Server:         127.0.0.1
Address:        127.0.0.1#53
** server can't find 249.1.0.10.in-addr.arpa: REFUSED

Drilling through logs, I found this entry:

winbindd/winbindd_dual.c:1342(child_handler) Could not write result

What am I missing to join the domain?
Thank you.

Nas · February 8, 2016, 2:48pm

Hi, please take into consideration that NS use NT Domain not AD Domain.

Furuvio · February 8, 2016, 3:08pm

Hi,
thank you for clarifying.
I hope I’ve been clear in my explanation.
I’m giving a try to NS, to get rid of our medieval Samba 3.0 still running!
So, what can I do to make Win 7 machine member of NT domain?

zamboni · February 8, 2016, 3:20pm

NS is still on samba 3

it can act like a NT style domain controller OR as an AD member, but not as an AD DC

Nas · February 8, 2016, 3:21pm

Add it to aproriate WorkGroup that you have specified in NS WebUI

Furuvio · February 8, 2016, 3:46pm

@zamboni… Lol!!!
@Nas yes, I’m trying to make member of domain unionfidi.lan, the one I wrote on NS WebUI Workgroup page.

so, am I messing some meaning, trying to do somenthing not allowed?

Furuvio · February 8, 2016, 3:53pm

@zamboni we’re running
Samba version 3.0.28a,

zamboni · February 8, 2016, 3:58pm

in your NS workgroup page you have a value… it must be in NT style, like "unionfidi"
use it as the domain to join

Furuvio · February 8, 2016, 4:12pm

well, modified from unionfidi.lan to unionfidi.
doesn’t work.
NS server runs samba 3.6.23-24.el6_7, which should support Windows 7.
I receive a message saying 0x0000232B RCODE_NAME_ERROR non existent DNS name
On Win 7 box, I set DNS correspondint to NS IP.

Nas · February 8, 2016, 4:15pm

try to ping DNS name

Furuvio · February 8, 2016, 4:15pm

should I manually add

wins support = yes

to NS smb.conf, using our existent WINS server?

Furuvio · February 8, 2016, 4:17pm

it pings correctly

C:\Users\master>ping 10.0.0.200

Esecuzione di Ping 10.0.0.200 con 32 byte di dati:
Risposta da 10.0.0.200: byte=32 durata=1ms TTL=63
Risposta da 10.0.0.200: byte=32 durata=1ms TTL=63
Risposta da 10.0.0.200: byte=32 durata=2ms TTL=63
Risposta da 10.0.0.200: byte=32 durata=1ms TTL=63

C:\Users\master>nslookup 10.0.0.200
Server:  dc1.unionfidi.lan
Address:  10.0.0.200

Nome:    dc1.unionfidi.lan
Address:  10.0.0.200

Furuvio · February 8, 2016, 4:19pm

C:\Users\master>ping dc1.unionfidi.lan

Esecuzione di Ping dc1.unionfidi.lan [10.0.0.200] con 32 byte di dati:
Risposta da 10.0.0.200: byte=32 durata=1ms TTL=63
Risposta da 10.0.0.200: byte=32 durata=1ms TTL=63
Risposta da 10.0.0.200: byte=32 durata=1ms TTL=63
Risposta da 10.0.0.200: byte=32 durata=1ms TTL=63

robb · February 8, 2016, 4:20pm

Looks like DNS is not set ok.
Does this help: http://geekswithblogs.net/technetbytes/archive/2011/10/09/147233.aspx

Maybe a longshot, but try to disable ip6.

Furuvio · February 8, 2016, 4:52pm

thank you @robb, already tried that stuff, with no chance.
and IPv6 already deselected.
On NS, primary DNS is itself (10.0.0.200), secondary is Google (8.8.4.4)

Nas · February 8, 2016, 6:35pm

@Furuvio

have you applied WIN7 reg patch ?

Furuvio · February 9, 2016, 3:51pm

@Nas yes, done.
Registry key applied succesfully, part of steps required.

Ctek · February 9, 2016, 8:45pm

Hi Furuvio,
It looks like the Win 7 machine does not know that NS is also DNS responsable.
1 check that you have DNS set up correctly on NS. and that there is a record for NS itself
2 check that on win7 machine you do not have the firewall up
3 dns suffix is correct ?

Are the IP settings for the win client obtained via DHCP or static ?

if you do a dig command on NS console for your domain what does it return ?

giacomo · February 10, 2016, 9:13am

@nrauso @alefattorini any hint on this?

Furuvio · February 10, 2016, 11:35am

hi there.
because of our Sophos UTM, I couldn’t join a workstation on 10.0.1.x to the domain on 10.0.0.x.
My NS IP is 10.0.0.200, former working ldap server was 10.0.0.2
I created a policy allowing ports 389 (ldap) and 445 (microsoft-ds) from 10.0.1.x to 10.0.0.200.

netstat -a | grep mydom
myserver.mydom:microsoft-ds
myserver.mydom.lan:ldap
    
cat /etc/services | grep microsoft
microsoft-ds    445/tcp
microsoft-ds    445/udp

cat /etc/services | grep ldap
ldap 389/tcp
ldap 389/udp

Now the workstaton joins the domain.
The workstation was patched with registry key mentioned by @Nas
I have also modified c:\windows\system32\drivers\etc\hosts with

10.0.0.200 mydom.lan    myserver.mydom.lan

Thank you all.
Cheers.