Bug 7340 - Joining Windows 7 Pro 64 to a Samba 3.5.2 Domain Join Error Problem
Joining Windows 7 Pro 64 to a Samba 3.5.2 Domain Join Error Problem
Status: RESOLVED FIXED
Product: Samba 3.5
Classification: Unclassified
Component: Domain Control
3.5.2
All Linux
: P3 major
: ---
Assigned To: Jeremy Allison
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-04-09 00:35 UTC by John H Terpstra
Modified: 2010-10-14 11:01 UTC (History)
3 users (show)

See Also:


Attachments
This is a loglevel 10 log file from Samba 3.5.2 as the Win7 domain join happens. (157.57 KB, application/x-bzip)
2010-04-09 00:36 UTC, John H Terpstra
no flags Details
Wireshark capture of the domain join up to the error message. (117.04 KB, application/octet-stream)
2010-04-09 00:37 UTC, John H Terpstra
no flags Details
This is the error message seen on the Windows 7 machine after domain join. (11.36 KB, image/png)
2010-04-09 00:38 UTC, John H Terpstra
no flags Details
The Windows 7 NetSetup log file (ASCII format) generated by the join process. (30.01 KB, text/plain)
2010-04-09 00:39 UTC, John H Terpstra
no flags Details
Event Viewer save file for the errors created during the domain join. (68.00 KB, application/octet-stream)
2010-04-09 00:40 UTC, John H Terpstra
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description John H Terpstra 2010-04-09 00:35:41 UTC
Joining a Windows 7 Pro machine to a Samba-3.5.2 domain succeeds - BUT - it generates an error message that is unacceptable to commercial users.

This is a request for resolution made by a large managed services provider (MSP) whose customers are most unhappy that when they join their machines to a Samba domain there is an error message.  To quote the CEO: "We spend all out lives telling drivers that when the gas meter is on empty and the light flashes its time to fix the problem. I can not with clear conscience tell my customers to ignore the flashing light when they join a machine to a Samba domain."  They are facing the music as they update several hundred sites from older 3.0.x to the current version.

The MSP asks only that we inform him how to make the error message NOT appear.  It causes too much alarm with customers. He understands that this error message can be ignored.

Detailed log files are provided.
Comment 1 John H Terpstra 2010-04-09 00:36:57 UTC
Created attachment 5614 [details]
This is a loglevel 10 log file from Samba 3.5.2 as the Win7 domain join happens.
Comment 2 John H Terpstra 2010-04-09 00:37:46 UTC
Created attachment 5615 [details]
Wireshark capture of the domain join up to the error message.
Comment 3 John H Terpstra 2010-04-09 00:38:24 UTC
Created attachment 5616 [details]
This is the error message seen on the Windows 7 machine after domain join.
Comment 4 John H Terpstra 2010-04-09 00:39:16 UTC
Created attachment 5617 [details]
The Windows 7 NetSetup log file (ASCII format) generated by the join process.
Comment 5 John H Terpstra 2010-04-09 00:40:00 UTC
Created attachment 5618 [details]
Event Viewer save file for the errors created during the domain join.
Comment 6 John H Terpstra 2010-04-09 00:44:10 UTC
Jeremy,

Please let me know if you need any additional info.  I believe this is more or less what you asked for. Right?

- John T.
Comment 7 David Loper 2010-04-09 11:46:55 UTC
This is a bug report that ClearCenter would like to see addressed as it affects our customers in a domain environment.
Comment 8 John H Terpstra 2010-04-20 16:28:19 UTC
Adding Metze.
Comment 9 John H Terpstra 2010-04-20 16:39:35 UTC
Found the following Microsoft KB article that may be helpful:
http://support.microsoft.com/kb/257623
Comment 10 John H Terpstra 2010-04-20 16:45:24 UTC
Another link that shows this is NOT only a Samba issue.

http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/1bfac433-463e-4fae-a18f-df69eaca84ce
Comment 11 Jeremy Allison 2010-04-20 18:29:07 UTC
John - the note here:

http://wiki.samba.org/index.php/Windows7

tells me this is Win7 attempting to update it's DNS name on the server using encrypted dynamic DNS, which we can't support in S3 smbd (we're not listening on the port).

This thread has much interesting info on registry parameters to do with the domain join DNS resolution.

http://old.nabble.com/Windows-7-RC-td23405949.html

Jeremy.
Comment 12 Stefan Metzmacher 2010-04-21 01:19:17 UTC
John, please ask dochelp@winse.microsoft.com and cc the pfif@tridgell.net and cifs-protocol@samba.org mailing lists.

I don't see how this can be fixed in Samba3.

I think you should disable port 389 for the ip smbd is listening on,
in your capture windows tries to connect to the OpenLDAP server,
but I don't think it has a real impact.
Comment 13 David Loper 2010-04-21 11:43:01 UTC
As you may know, ClearOS is a multi-protocol, multi-service platform. Is the Microsoft performing a standard DDNS update using TLS here or is it doing something wholly proprietary? I don't understand what messages that it may be trying to send port 389. As you know, 389 is not encrypted so I don't understand what the cause is here and how it relates to 389. Is this a failure to replicate RFC 3645 GSS-TSIG functionality on our part? or some other DNS function? http://en.wikipedia.org/wiki/Generic_Security_Service_Algorithm_for_Secret_Key_Transaction

If the solutions is a matter of adding some DNS function that is capable with other open source software like ISC BIND, then please let us know. We have a dramatic update planned for our software in regards to DNS and if this update from the workstation complies with an open standard, we can capture it but I need to know if that is the exact corrective solution or if we are looking at something that must be tightly coupled with Samba like GSS-TSIG appears to be.
Comment 14 John H Terpstra 2010-05-14 11:11:29 UTC
Response from Microsoft:

After reviewing the logs saved in bug 7340,  we found that the Windows is trying to verify the DNS name, which requires locating a domain controller.   Windows  sets the DC required bit (DS_DIRECTORY_SERVICE_REQUIRED, 0x10) in the DsGetDcName query.  Since Samba 3 DC  doesn't support AD , it may not respond to clients in this case.  This operation in the Windows  is  probably unnecessary  and undesirable because there is no DNS name to verify.  Furthermore, this  behavior is not controllable by any  registry or other configuration settings.   Even the domain join itself has succeeded at this point and the error can be safely ignored ,  we understand that the behavior may mislead  end users. 

As an option, we may change this unintended behavior in the future release of  the Windows. [We] filed a request for change.
Comment 15 John H Terpstra 2010-10-14 11:01:12 UTC
This issue has been resolved and Microsoft has patches available.