This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Joining the domain failed.

Having an awful time trying to add the UTM to the domain. 

Running  9.106-17

Tried setting the DNS forwarders, ping finds domain and domain controller

AD Server added fine and working. 

Hostname is utm.pps.local 

SSO Page tried: 

Domain: utm.pps.local / UTM.PPS.LOCAL / UTM / PPS.LOCAL / pps.local

tried pre-adding the computer to the domain and tried pre-adding as pre-2000 computer. 

utm.pps.local in DNS fine. 

AD Server is Server 2012 R2


This thread was automatically locked due to age.
Parents
  • In UTM 9.1 we are using samba-3.6.4-2.

    We have confirmed that the UTM can join to a AD 2012r2 server.

    Please note that the UTM does not necessarily use resolv.conf and hosts files.  You should be using the WebAdmin console for editing that stuff.

    What happens if you just:
    dig pps.local

    Also, is there anything interesting in named.log?
  • In UTM 9.1 we are using samba-3.6.4-2.

    We have confirmed that the UTM can join to a AD 2012r2 server.

    Please note that the UTM does not necessarily use resolv.conf and hosts files.  You should be using the WebAdmin console for editing that stuff.

    What happens if you just:
    dig pps.local

    Also, is there anything interesting in named.log?


    I hope I am not jumping the gun but I'm 99.99% sure I have a workaround for this. The Sophos UTM only supports SMB1.0/NTLMv1 (this can be seen in it's SMB ComNegotiate packet it sends to the domain controller on a domain join attempt). LanmanServer in 2012r2 depends on SMB2.0 as a minimum.

    Unfortunately until the UTM supports SMB2.0 properly you will have to set your 2012r2 domain controllers to support SMB1.0. This can be done by following this blog Windows XP Clients Cannot Execute Logon Scripts against a Windows Server 2012 R2 Domain Controller – Workaround | Working Hard In IT

    I hope this helps someone else.

    Regards

    Matt
  • I hope I am not jumping the gun but I'm 99.99% sure I have a workaround for this. The Sophos UTM only supports SMB1.0/NTLMv1 (this can be seen in it's SMB ComNegotiate packet it sends to the domain controller on a domain join attempt). LanmanServer in 2012r2 depends on SMB2.0 as a minimum.

    Unfortunately until the UTM supports SMB2.0 properly you will have to set your 2012r2 domain controllers to support SMB1.0. This can be done by following this blog Windows XP Clients Cannot Execute Logon Scripts against a Windows Server 2012 R2 Domain Controller – Workaround | Working Hard In IT

    I hope this helps someone else.

    Regards

    Matt


    Thanks for this - I thought I was going mad!
  • Yes, I know this is an old thread, but the problem is still relevant. After disabling SMB v1 on servers yesterday in response to closing vulnerabilities that WannaCry ransomware takes advantage of, authentication  for web filtering starting breaking. Long story short, even today 2017 running UTM 9.500-9, UTM 9 is STILL USING SMB V1!  Come on Sophos, this needs to be fixed. 

    With smbv1 disabled on AD servers, the UTM cannot join the domain. As soon as you re-enable SMBv1, the domain join works fine.

Reply
  • Yes, I know this is an old thread, but the problem is still relevant. After disabling SMB v1 on servers yesterday in response to closing vulnerabilities that WannaCry ransomware takes advantage of, authentication  for web filtering starting breaking. Long story short, even today 2017 running UTM 9.500-9, UTM 9 is STILL USING SMB V1!  Come on Sophos, this needs to be fixed. 

    With smbv1 disabled on AD servers, the UTM cannot join the domain. As soon as you re-enable SMBv1, the domain join works fine.

Children