This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Joining the domain failed.

Having an awful time trying to add the UTM to the domain.

Running 9.106-17

Tried setting the DNS forwarders, ping finds domain and domain controller

AD Server added fine and working.

Hostname is utm.pps.local

SSO Page tried:

Domain: utm.pps.local / UTM.PPS.LOCAL / UTM / PPS.LOCAL / pps.local

tried pre-adding the computer to the domain and tried pre-adding as pre-2000 computer.

utm.pps.local in DNS fine.

AD Server is Server 2012 R2

This thread was automatically locked due to age.

Parents

0 Michael Dunn over 10 years ago

In UTM 9.1 we are using samba-3.6.4-2.

We have confirmed that the UTM can join to a AD 2012r2 server.

Please note that the UTM does not necessarily use resolv.conf and hosts files. You should be using the WebAdmin console for editing that stuff.

What happens if you just:
dig pps.local

Also, is there anything interesting in named.log?
Cancel
Vote Up 0 Vote Down

Cancel
0 wally2511 over 9 years ago in reply to Michael Dunn

In UTM 9.1 we are using samba-3.6.4-2.

We have confirmed that the UTM can join to a AD 2012r2 server.

Please note that the UTM does not necessarily use resolv.conf and hosts files. You should be using the WebAdmin console for editing that stuff.

What happens if you just:
dig pps.local

Also, is there anything interesting in named.log?

I hope I am not jumping the gun but I'm 99.99% sure I have a workaround for this. The Sophos UTM only supports SMB1.0/NTLMv1 (this can be seen in it's SMB ComNegotiate packet it sends to the domain controller on a domain join attempt). LanmanServer in 2012r2 depends on SMB2.0 as a minimum.

Unfortunately until the UTM supports SMB2.0 properly you will have to set your 2012r2 domain controllers to support SMB1.0. This can be done by following this blog Windows XP Clients Cannot Execute Logon Scripts against a Windows Server 2012 R2 Domain Controller – Workaround | Working Hard In IT

I hope this helps someone else.

Regards

Matt
Cancel
Vote Up 0 Vote Down

Cancel
0 poynter over 9 years ago in reply to wally2511

I hope I am not jumping the gun but I'm 99.99% sure I have a workaround for this. The Sophos UTM only supports SMB1.0/NTLMv1 (this can be seen in it's SMB ComNegotiate packet it sends to the domain controller on a domain join attempt). LanmanServer in 2012r2 depends on SMB2.0 as a minimum.

Unfortunately until the UTM supports SMB2.0 properly you will have to set your 2012r2 domain controllers to support SMB1.0. This can be done by following this blog Windows XP Clients Cannot Execute Logon Scripts against a Windows Server 2012 R2 Domain Controller – Workaround | Working Hard In IT

I hope this helps someone else.

Regards

Matt

Thanks for this - I thought I was going mad!
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 poynter over 9 years ago in reply to wally2511

I hope I am not jumping the gun but I'm 99.99% sure I have a workaround for this. The Sophos UTM only supports SMB1.0/NTLMv1 (this can be seen in it's SMB ComNegotiate packet it sends to the domain controller on a domain join attempt). LanmanServer in 2012r2 depends on SMB2.0 as a minimum.

Unfortunately until the UTM supports SMB2.0 properly you will have to set your 2012r2 domain controllers to support SMB1.0. This can be done by following this blog Windows XP Clients Cannot Execute Logon Scripts against a Windows Server 2012 R2 Domain Controller – Workaround | Working Hard In IT

I hope this helps someone else.

Regards

Matt

Thanks for this - I thought I was going mad!
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 JamesGolden over 7 years ago in reply to poynter

Yes, I know this is an old thread, but the problem is still relevant. After disabling SMB v1 on servers yesterday in response to closing vulnerabilities that WannaCry ransomware takes advantage of, authentication for web filtering starting breaking. Long story short, even today 2017 running UTM 9.500-9, UTM 9 is STILL USING SMB V1! Come on Sophos, this needs to be fixed.

With smbv1 disabled on AD servers, the UTM cannot join the domain. As soon as you re-enable SMBv1, the domain join works fine.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago in reply to JamesGolden

Please open a support ticket, James.

In fact, everyone should do this now if you have a similar problem.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 JamesGolden over 7 years ago in reply to BAlfson

Yes, already did. Thanks.
Cancel
Vote Up 0 Vote Down

Cancel