Topic: Bug: Zentyal unable to act as a Primary Domain Controller for Windows

samsmith

Just tried to join a WinXP machine to the domain and I get this error in windows:

"The following error occurred attempting to join the domain "HOME"

The specified domain either does not exist or could not be contacted."

On the Zentyal dashboard domain settings, it lists the realm as "home.com" and the NetBIOS name as "HOME". And yes, I have created a domain user and added him to the domain administrators group, and saved the changes. I used this account to attempt to join the domain HOME on the Windows XP machine and was unable to do so.

Is there a patch or workaround for this? What good is Zentyal when it can't even act as a PDC for a Windows machine? Heck even old Red Hat 9 running samba 3.1.18 had no problems whatsoever acting as a PDC for Windows XP machines.

I can log into the Zentyal machine from windows using the \\MACHINENAME in windows explorer but when I try to join it to the domain it says the domain does not exist.

Zentyal is quickly proving itself to be far more trouble than it is worth IMO. Behind its pretty face lies an entire nest of bugs and annoyances.

EDIT: I have followed the instructions for installing and using zentyal as a PDC from this link:

http://www.tecmint.com/install-zentyal-as-primary-domain-controller-and-integrate-windows-system/

« Last Edit: March 22, 2016, 03:46:46 am by samsmith »

samsmith

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #1 on: March 22, 2016, 05:27:16 am »
delete
« Last Edit: March 25, 2016, 10:57:09 pm by samsmith »

expertgeeks

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #2 on: March 23, 2016, 07:13:37 pm »
Shouting at people after waiting only 2 1/2 hrs for a reply isn't the best way to get a helpful response. In fact it's almost a guarantee you'll sink without trace.. This is a community forum. We help because we want to help others, not because we're paid. Ever hear the phrase 'don't bite the hand that feeds you' ?

XP has been EOL for nearly 2yrs.. and you say Win98 ran lightning fast on the same hardware in an earlier post. You're running on a PIII 600MHz... As much as I like to get the max out of working kit, I have to ask - are you from the past?

Are your Win 7 machines able to connect ok?
« Last Edit: March 23, 2016, 07:25:11 pm by expertgeeks »

samsmith

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #3 on: March 23, 2016, 10:04:03 pm »
Quote: Ever hear the phrase 'don't bite the hand that feeds you'?

Hi Expertgeek,

You're right, I was wrong, I apologize. I was very frustrated when I wrote that post.

Quote: We help because we want to help others, not because we're paid.

If you all help me get these issues resolved I'll throw some money to your project. I'll upgrade to the commercial edition or paypal you, your choice.

Quote: XP has been EOL for nearly 2yrs

EOL = ?

Quote: .. and you say Win98 ran lightning fast on the same hardware in an earlier post.

I took Zentyal off it and installed XP SP3. It runs good now. It had '98 on it when I bought it from a yard sale years ago. I am now using it for testing purposes for Zentyal before integrating the Zentyal box into my home environment (2x Win XP, 3x Win 7, 1x Win 8.1). For now, I have that machine (the PIII 600 MHz) and the machine now running Zentyal (a Core 2 duo 2.0 MHz, 1GB RAM) connected to a single router which is isolated from the rest of the network. Did this all yesterday so I can play with Zentyal without disturbing the wifey and kids' computers/network.

My test environment looks like this:

        (internet)
            |
         (router)
            |
     ---------------
     |             |
  Win XP        Zentyal

I have done some more playing around, here are the results.

- With Zentyal 3.4 installed on the Core 2 duo, when attempting to join the XP machine to the domain, XP gives the error:

"The following error occurred attempting to join the domain "HOME"

The specified domain either does not exist or could not be contacted."

- With Zentyal 3.5 installed on the Core 2 duo, when attempting to join the XP machine to the domain, XP gives the error:

"Unable to join the domain, unknown username or bad password"

In 3.5, I first tried its built-in "Administrator" account, with no success, then created my own user in Users and Computers and added him to the "Domain Admins" group, then went to Domain > Settings, checked "Enable Roaming profiles" then clicked "Save Changes" on the top right of the screen. I then tried joining the XP machine to the domain using that account and it too gave the same error.

However, I can log onto the Zentyal box from the XP machine by giving \\MACHINENAME in windows explorer, it hits me with a login/password dialog and when I enter the same credentials as above, it logs on right away and I see a directory with one "Sysvol" subdirectory in it. I can also ping back and forth between both boxes using each machine's name so I'm pretty sure the NetBIOS/CIFS/NMB stuff is working. But when joining the domain it fails.

Quote: You're running on a PIII 600MHz... As much as I like to get the max out of working kit, I have to ask - are you from the past?

haha yeah sure my DeLorean is in the shop right now, I blew the flux capacitor again, arrgh! :-) Since that machine (PIII) was too slow for Zentyal, I re-installed XP on it and put Zentyal on a Core 2 duo 2.0GHz, which Zentyal runs much better on. Had the Pentium III since years ago and since it is still in good working order and does what I need it to do, I figure why throw it out and add to the planet's electronic waste?

Quote: Are your Win 7 machines able to connect ok?

Haven't tried them yet. I can try them and report back if it will help w/diagnosis.

samsmith

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #4 on: March 24, 2016, 03:20:22 am »
tl;dr: does anyone know how to get to the screen shown here? http://i.imgur.com/GDpLJoM.jpg or know how to disable the firewall without killing samba?

Ok, did some major digging through samba documentation and man pages and here's where I'm at now...

- Did a fresh install of Zentyal 3.5 on the core 2 duo. When I got to the graphical screen that asks you to click on the packages you want to install, I selected all the packages I want except domains and users and computers.

- After the install was completed, went to the web interface, logged in, went to Software Management and then I clicked on domains, users and computers. Then clicked install. I saw samba this and kerberos that going by on the progress bar.

- Opened terminal, typed samba. It started with some error or warning but it wasn't fatal.

- Then I did

Code:
# samba-tool domain provision --use-rfc2307 --interactive
Realm [DOM.HOME.LAN]: DOM.HOME.LAN
Domain [DOM]: DOM
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:

Now the first one I tried was SAMBA_INTERNAL (the default) but during provisioning it barked at me about it not being a valid choice. So I tried the next one on the list which was BIND9_FLATFILE and it didn't complain. Don't know if I made the right choice here?

Code:
Administrator password:
Retype password:

I also got barked at here because I didn't pick a password strong enough. I think my first try at a password was "a" :)

After complaining about a smb.conf file that was present (I'm assuming from my previous unsuccessful attempts to run this command) I removed it, reran samba-tool and the provisioning succeeded! It wanted me to put a krb5.conf file that it had generated into /etc so I did that. Then I rebooted with sudo poweroff, then manually turned it back on.

Then, to start populating the new domain's database with users, I tried:

Code:
kinit domadmin@DOM.HOME.LAN

and got the error:

Code:
unable to reach any KDC in the realm DOM.HOME.COM

After some searching of the forum (hi Supergeek) I found this thread:

https://forum.zentyal.org/index.php?topic=13864.0

which seems to, if I'm understanding it correctly, indicate that this is some sort of dns / port mapping / firewall issue. A poster on that thread gave a possible remedy but I can't seem to locate the screen he is referring to here:

http://i.imgur.com/GDpLJoM.jpg

So I'm wondering either how to get to that screen or better yet just disable / kill the firewall without killing samba? I'm on a home / small biz LAN that is already behind a firewall so I really don't need another firewall. Any ideas or suggestions welcome.

expertgeeks

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #5 on: March 24, 2016, 05:26:39 pm »
Ok, good to hear you're making some progress. EOL = End of life. It took me a long while to let go of XP, but unless you have a special need (i.e. drivers or non-compatible software) IMHO it's not worth running an insecure OS. But hey, 1. we can argue whether a fully patched windows machine is ever secure ;) and 2. that's not my decision.

I don't recognise the screenshot you posted. It looks like the services page (Network > Services > then 'Configuration' of a service) but priority, weight and target are not shown here. I've no experience of Zentyal 3.x myself, so that could be the reason. I went from 2.x and then did a clean install of 4.0 and migrated the data etc. However, turning off the firewall doesn't affect samba in a non-domain setup and it's strange to me that it does for you. Did you look at the firewall logs (Logs > firewall > full report) and see whether you can see anything useful there ?

Quick question, is DHCP turned off on your router? If not, it will be setting its own DNS servers instead of zentyal to do lookups. Either turn it off & let zentyal do it, or set the ethernet config on your test machine manually. Also, zentyal does everything through the admin pages, so you shouldn't need to provision via the command line.

I'm setting up a domain in VMs with Zentyal 3.4 (that's the closest version I have to hand) and XP SP3, and will report back if I find anything of use.
« Last Edit: March 24, 2016, 06:11:17 pm by expertgeeks »

samsmith

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #6 on: March 25, 2016, 01:20:31 am »
Ok, I think I may know what the issue with kinit failing to find DOM.HOME.LAN is...

After provisioning with samba-tool, it told me to add an entry into /etc/bind/named.conf which is located in the file /var/lib/samba/private/named.conf. The entry it wants included in /etc/bind/named.conf looks like this:

Code:
zone "dom.home.lan." IN {
    type master;
    file "/var/lib/samba/private/dns/dom.home.lan.zone";
    include "/var/lib/samba/private/named.conf.update";
    check-names ignore;
};

so I put it in there and rebooted, tried the kinit domadmin@DOM.HOME.LAN to have it fail. That's where I was last night.

Today I went in /etc/bind/named.conf to double check if I had made a typo there only to find my entire entry was missing! So I put it back in, rebooted and checked /etc/bind/named.conf only to find my entry had been automatically removed again!

So I put the entry back in the file, but before rebooting I did:

Code:
sudo chmod 444 /etc/bind/named.conf

to deny anyone write privileges on the file. Same result. Entry deleted after reboot. I did an ls -l and found the file belonged to the "bind" group so, after putting the entry samba wanted back in again for the third time, I did:

Code:
sudo chown root:root /etc/bind/named.conf
sudo chmod 444 /etc/bind/named.conf

to attempt to prevent any process from modifying that file. Rebooted again. Checked /etc/named.conf again only to find my entry GONE again?!?

Somehow there is some process within Zentyal, with higher privileges than root (!) that is able to mess with /etc/bind/named.conf despite not owning the file and the file having 444 permissions, and remove any edits I do every time I reboot.

So does anyone know how to stop Zentyal from automatically removing the above "zone" entry from /etc/bind/named.conf ? Or am I totally barking up the wrong tree here? Thanks again.

EDIT: Could a mod move this thread to the "Directory and Authentication" sub-forum as this seems more like a samba related issue than an install issue, unless again I am missing something, thanks.
« Last Edit: March 25, 2016, 01:25:43 am by samsmith »

expertgeeks

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #7 on: March 25, 2016, 02:03:44 am »
In Zentyal the config files are auto-generated every time a service is restarted. Editing the configs directly is a waste of time, as you have found your changes will simply be overwritten. If you need to change something manually, it needs to happen via stub templates and/or hooks. Please see this; https://wiki.zentyal.org/wiki/En/3.5/Development_and_advanced_configuration However what you're trying to achieve should work 'out of the box', there is no need to resort to the command line or editing configs. Please look at the official documentation for guidance setting up your domain server. https://wiki.zentyal.org/wiki/En/3.5/Users,_Computers_and_File_Sharing#Configuring_a_Domain_Server_with_Zentyal

Yes I agree at first the 'Zentyal way' of managing everything is frustrating when you're used to rolling your own services, but it does have its advantages.

samsmith

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #8 on: March 25, 2016, 03:28:47 am »
Quote: In Zentyal the config files are auto-generated every time a service is restarted. Editing the configs directly is a waste of time, as you have found your changes will simply be overwritten.

Good to know.

Quote: If you need to change something manually, it needs to happen via stub templates and/or hooks. Please see this; https://wiki.zentyal.org/wiki/En/3.5/Development_and_advanced_configuration

That stuff sounds like it's way over my head, but I'll have a look anyway. I'm a CPA so my background is in accounting. I know very little about computers. I know even less about linux. :(

Quote: However what you're trying to achieve should work 'out of the box', there is no need to resort to the command line or editing configs.

If what I was trying to achieve worked "out of the box"

1. I wouldn't be here wasting your time and
2. I sure as heck wouldn't be on the command line :)

Quote: Please look at the official documentation for guidance setting up your domain server. https://wiki.zentyal.org/wiki/En/3.5/Users,_Computers_and_File_Sharing#Configuring_a_Domain_Server_with_Zentyal

That is the exact documentation I used at first along with this:

http://www.tecmint.com/install-zentyal-as-primary-domain-controller-and-integrate-windows-system/

but, alas: No joy. Can't join windows systems to the domain.

Quote: Yes I agree at first the 'Zentyal way' of managing everything is frustrating when you're used to rolling your own services, but it does have its advantages.

If the "Zentyal way" of managing everything actually worked (for me), I would gladly be using it, believe me! The Web GUI is beautiful, that's why I chose Zentyal in the first place is because I didn't want to have to "roll my own" (I'm a recovering Window$-aholic here). :)

***

I put the zone entry that samba wanted into /etc/bind/named.conf.local and it stayed there after reboot, but still when I do:

Code:
# sudo kinit domadmin@DOM.HOME.LAN

I'm still getting

Code:
krb5_get_init_creds: unable to reach any KDC in realm DOM.HOME.LAN

Ah well, off to eat dinner with wifey and kids. I'll give those links you posted a look when I get done with that.

Thanks again Expertgeek.

EDIT: Fixed typo.
« Last Edit: March 25, 2016, 04:38:42 am by samsmith »

samsmith

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #9 on: March 25, 2016, 03:41:44 am »
Oh yeah, I discovered another "feature" of Zentyal - If I do a clean install with the network cable plugged in, after the installation cd ejects and reboots into the graphical environment, the web interface GUI is totally inaccessible. Firefox keeps saying host not found no matter how long I wait or how many times I click on the "Try Again" button, it never comes up.

https://localhost https://hostname and https://192.168.1.2

all fail to bring up the Webadmin GUI.

But if I install with the network cable unplugged, the WebGUI works just fine. Neat, eh? I only mention it if it will help with diagnosis, but if you all want I can start a new thread on it but it's not a big deal for me anyway.

julio

  • Guest
Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #10 on: March 25, 2016, 07:14:23 pm »
try with:
https://localhost:8443

expertgeeks

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #11 on: March 26, 2016, 06:59:25 pm »
Sorry it's taken a day or so, we've got a newborn in the house and I've been pretty busy! I've done as I said and have installed Zentyal 3.4 and Windows XP (SP1 in this instance) as virtual machines on my server. The network adapters are set as bridged adapters and so behave like native machines on the network.

I set up Zentyal with a fairly minimal set of packages and currently have the following modules installed;

Network, Firewall, Antivirus, DNS, Events, Logs, Monitoring, NTP, VPN, Users and Computers, Web server, File sharing and domain services, User corner. I've not installed any updates, this is a vanilla copy of Zentyal 3.4. DHCP is installed, but not enabled.

I took the default zentyal domain name (Realm: ZENTYAL-DOMAIN.LAN,  NetBIOS domain name: ZENTYAL-DOMAIN, Enable roaming profiles: ticked), and created a user (Users and Computers > manage) and added this user to the domain admins group. I then installed a VM with XP as a stand alone machine (i.e. workgroup, not domain) and set a static IP with the DNS entry pointed to the Zentyal VM IP, gateway set to my router IP. Both VMs were then restarted.

Once the Zentyal VM was back up & all services started, on the XP VM I went into 'system properties > computer name' and joined the domain using the full domain name in lower case 'zentyal-domain.lan' and XP took the credentials of the user I'd created. It joined the domain and after a reboot, mapped the network drive for the user at logon as expected. I removed this user from domain admins and they are still able to logon to the domain.

Can I suggest you try again, accepting the defaults and see how you get on? If you're still stuck, back up your configuration (System > Import/Export Configuration) and attach your backup file to a post. I can then try restoring your backup and see if I can find anything wrong with it. Also generate a report file so I can compare this to my working setup.

Good luck.

P.s. if your web interface won't come up when it's plugged in, I suspect your gateway has a problem or the settings for it are incorrect.
« Last Edit: March 26, 2016, 07:55:40 pm by expertgeeks »

half_life

Re: Bug: Zentyal unable to act as a Primary Domain Controller for Windows
« Reply #12 on: March 26, 2016, 09:18:35 pm »
You haven't mentioned this and your network diagram shows Zentyal as an internal machine so I am going to assume that you are using dhcp from the router and the default gateway and first dns entry are your router. For you to connect to a samba server, it really should be your first dns entry. The "out of the box" setup on Zentyal works quite well so no need to go tinkering with the internals (this is likely compounding your problems). My suggestion to you would be to set up Zentyal on a private network segment and have a test machine segregated with it. Does your Zentyal test machine have two nics? Do you have a spare switch lying around? Maybe you have Vmware Workstation or VirtualBox on your local desktop?
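
Added example, not part of any post in this thread: a shell check for the DNS conditions the last replies point at, namely that the domain controller is the first resolver on the machine and that the realm's Kerberos and LDAP SRV records answer from it. The realm dom.home.lan and the address 192.168.1.2 are taken from the thread; the script name and the `DIG` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Checks two DNS preconditions for
# locating a Samba AD domain controller from a Linux host:
#   1. the DC is the first "nameserver" in a resolv.conf-style file
#   2. the SRV records used to find the KDC and the DC's LDAP service answer

DIG=${DIG:-dig}   # overridable so the parsing can be exercised offline

# Print the first "nameserver" address from a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Turn `dig +short SRV` lines ("prio weight port target.") into "target:port".
srv_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# check_dc_dns RESOLV_CONF DC_IP REALM
# Returns 0 only when the DC is the first resolver and both SRV lookups answer.
check_dc_dns() {
    conf=$1 dc_ip=$2 realm=$3 rc=0

    first=$(first_nameserver "$conf")
    if [ "$first" != "$dc_ip" ]; then
        echo "FAIL first nameserver is '${first:-none}', expected $dc_ip"
        rc=1
    else
        echo "OK   first nameserver is $dc_ip"
    fi

    # _kerberos._tcp locates the KDC (what kinit needs);
    # _ldap._tcp.dc._msdcs is what a Windows client queries on domain join.
    for name in "_kerberos._tcp.$realm" "_ldap._tcp.dc._msdcs.$realm"; do
        hits=$($DIG +short SRV "$name" "@$dc_ip" 2>/dev/null | srv_targets)
        if [ -z "$hits" ]; then
            echo "FAIL no SRV answer for $name from $dc_ip"
            rc=1
        else
            echo "OK   $name -> $(echo $hits)"
        fi
    done
    return $rc
}

# Live use, e.g.: sh check_dc_dns.sh /etc/resolv.conf 192.168.1.2 dom.home.lan
if [ "$#" -eq 3 ]; then
    check_dc_dns "$1" "$2" "$3"
fi
```

A "FAIL first nameserver" line with the router's address is the situation described in replies #5 and #12; a "FAIL no SRV answer" line means the DNS service on the controller is not serving the domain's zone.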