Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 30 replies
  • Subscribers 3 subscribers
  • Views 135529 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Joining the domain failed.

poynter
Having an awful time trying to add the UTM to the domain. 

Running  9.106-17

Tried setting the DNS forwarders, ping finds domain and domain controller

AD Server added fine and working. 

Hostname is utm.pps.local 

SSO Page tried: 

Domain: utm.pps.local / UTM.PPS.LOCAL / UTM / PPS.LOCAL / pps.local

tried pre-adding the computer to the domain and tried pre-adding as pre-2000 computer. 

utm.pps.local in DNS fine. 

AD Server is Server 2012 R2


This thread was automatically locked due to age.
  • 0 in reply to Michael Dunn
    I am talking internally to support to try and determine why they are saying it is not supported.



    Michael I'd be interested in knowing what you found out. My case numbers were  #4207027 and #4343305. When I get the courage I will play around with those NTLM settings and see if I can't break something. I will post the results
  • 0
    I have gone into AD and changed the default domain controllers policy option Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level to "Send LM & NTLM - use NTLMv2 session security if negotiate" from "Not Defined".

    The UTM seems to have joined the domain. I didn't get a "Successful" and the log files said it failed but it has created an AD computer account again and SSO seems to be working for the moment.

    Fingers crossed.
  • 0
    Well bad news... After 4 days of blissful SSO functionality the whole thing has fallen over again. We've tried re-joining the domain over 20 times in the past 2 days and still no go. I'm capturing packets using wireshark at the moment to try and figure out what is going on.
  • 0
    Wally, I've never had much luck with NTLM and SSO with the UTM.  I wonder if this isn't a different issue.

    What happens if you switch the browser's Proxy Settings to use an internally-resolvable FQDN for the UTM's Internal interface instead of the numeric IP of "Internal (Address)?"

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to Michael Dunn
    In UTM 9.1 we are using samba-3.6.4-2.

    We have confirmed that the UTM can join to a AD 2012r2 server.

    Please note that the UTM does not necessarily use resolv.conf and hosts files.  You should be using the WebAdmin console for editing that stuff.

    What happens if you just:
    dig pps.local

    Also, is there anything interesting in named.log?


    I hope I am not jumping the gun but I'm 99.99% sure I have a workaround for this. The Sophos UTM only supports SMB1.0/NTLMv1 (this can be seen in it's SMB ComNegotiate packet it sends to the domain controller on a domain join attempt). LanmanServer in 2012r2 depends on SMB2.0 as a minimum.

    Unfortunately until the UTM supports SMB2.0 properly you will have to set your 2012r2 domain controllers to support SMB1.0. This can be done by following this blog Windows XP Clients Cannot Execute Logon Scripts against a Windows Server 2012 R2 Domain Controller – Workaround | Working Hard In IT

    I hope this helps someone else.

    Regards

    Matt
  • 0 in reply to BAlfson
    Wally, I've never had much luck with NTLM and SSO with the UTM.  I wonder if this isn't a different issue.

    What happens if you switch the browser's Proxy Settings to use an internally-resolvable FQDN for the UTM's Internal interface instead of the numeric IP of "Internal (Address)?"

    Cheers - Bob


    Thanks for your suggestion Bob. Fortunately I had already implemented the resolvable FQDN for the proxy settings.
  • 0 in reply to wally2511
    I hope I am not jumping the gun but I'm 99.99% sure I have a workaround for this. The Sophos UTM only supports SMB1.0/NTLMv1 (this can be seen in it's SMB ComNegotiate packet it sends to the domain controller on a domain join attempt). LanmanServer in 2012r2 depends on SMB2.0 as a minimum.

    Unfortunately until the UTM supports SMB2.0 properly you will have to set your 2012r2 domain controllers to support SMB1.0. This can be done by following this blog Windows XP Clients Cannot Execute Logon Scripts against a Windows Server 2012 R2 Domain Controller – Workaround | Working Hard In IT

    I hope this helps someone else.

    Regards

    Matt


    Thanks for this - I thought I was going mad!
  • 0 in reply to poynter

    Yes, I know this is an old thread, but the problem is still relevant. After disabling SMB v1 on servers yesterday in response to closing vulnerabilities that WannaCry ransomware takes advantage of, authentication  for web filtering starting breaking. Long story short, even today 2017 running UTM 9.500-9, UTM 9 is STILL USING SMB V1!  Come on Sophos, this needs to be fixed. 

    With smbv1 disabled on AD servers, the UTM cannot join the domain. As soon as you re-enable SMBv1, the domain join works fine.

  • 0 in reply to JamesGolden

    Please open a support ticket, James.

    In fact, everyone should do this now if you have a similar problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML