FAQ: Troubleshooting AD join CIFS issues step by step

CIFS troubleshooting

1. If they are running Win2k8, make sure they are on SP2 or R2.
2. Make sure the user joining the domain is a Domain Admin.
3. Find out how many DCs they have.
4. Set the preferred DC with:
       sharectl set -p pdc=IPADDRESSOFSERVER smb
5. Check to see if LMAUTH_LEVEL is set to 2. If not, set it using:
       sharectl set -p lmauth_level=2 smb
6. Make sure NetBIOS is turned on on the DC, and that Client for Microsoft Networks and File/Printer Sharing are on in the network control panels.
7. From !bash, does the following return SRV records?
       dig @NAMESERVER _ldap._tcp.dc._msdcs.domainname SRV +short
8. From !bash, can you do a kinit?
9. Restart the smb/server service.

At this point, see if you can join the domain. If not, as a last resort (the customer may not want this security policy changed):

10. Disable SMB packet signing.

Win2K8

Start the Group Policy Management tool on the DC and set the following:

    Computer Configuration\Policies\Administrative Templates\System\NetLogon\Allow Cryptography Algorithms Compatible with Windows NT 4.0 -> Enabled

Then run:

    gpupdate /force

Win2K3

To disable SMB packet and secure channel signing enforcement on Windows Server 2003–based domain controllers:

1. Open Active Directory Users and Computers, right-click the Domain Controllers container, and then click Properties.
2. Click the Group Policy tab, then click Edit.
3. Under Computer Configuration, go to the Windows Settings\Security Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.
7. Click OK.
8. To apply the Group Policy change immediately, either restart the domain controller, or type gpupdate /force at a command line, and then press ENTER.
9. Try rejoining the domain.

On Win2k8, if that doesn't solve it, also make these group policy updates:

1. Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
2. Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
3. Change the Default Domain Policy from Not Configured to Configured with "Require 128-bit encryption" unchecked.
4. Rejoin the domain.

Verify that you have joined the domain using smbadm list.
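
The checks in steps 3, 5 and 7 can be evaluated by script before attempting the join. The following is an added example, not part of the original FAQ: it parses dig SRV +short output and sharectl output supplied as text. The sample data and example.com host names are constructed, and the "lmauth_level=N" output format of sharectl get is an assumption.

```sh
#!/bin/sh
# Added example: offline evaluation of the step 3, 5 and 7 checks.
# Sample data is constructed; example.com and the dcN names are placeholders.

# Read `dig ... SRV +short` output ("priority weight port target.") on stdin.
# Print "target:port" per DC, lowest priority first, then highest weight.
# Anything that is not a 4-field SRV answer (e.g. dig's ";; ..." errors) is dropped.
list_dcs() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $1, $2, $4 ":" $3
         }' | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# Step 3: how many DCs the SRV lookup advertises.
count_dcs() { list_dcs | wc -l | tr -d ' '; }

# Step 5: read `sharectl get -p lmauth_level smb` output on stdin
# (assumed to be a "lmauth_level=N" line); succeed only when N is 2.
lmauth_ok() {
    level=$(sed -n 's/^lmauth_level=\([0-9]*\)$/\1/p' | head -n 1)
    [ "$level" = "2" ]
}

# Combine both checks. $1 = dig output, $2 = sharectl output.
prejoin_check() {
    rc=0
    n=$(printf '%s\n' "$1" | count_dcs)
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no usable _ldap SRV records (step 7)"; rc=1
    else
        echo "OK: $n DC(s), first by SRV order: $(printf '%s\n' "$1" | list_dcs | head -n 1)"
    fi
    if printf '%s\n' "$2" | lmauth_ok; then
        echo "OK: lmauth_level=2"
    else
        echo "FAIL: lmauth_level is not 2 (step 5)"; rc=1
    fi
    return "$rc"
}

# Constructed sample input.
SAMPLE_SRV='0 100 389 dc2.example.com.
0 200 389 dc1.example.com.
10 100 389 dc3.example.com.'
SAMPLE_DIG_ERROR=';; connection timed out; no servers could be reached'

prejoin_check "$SAMPLE_SRV" "lmauth_level=2"
```

From !bash, pass the real output of the step 7 dig command as the first argument and the output of sharectl get -p lmauth_level smb as the second.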
