Support #285


smbadm join fails if Domain Functional Level later than 2000

Added by Gordon Ross over 11 years ago. Updated about 6 years ago.

Start date:
Due date:
% Done:


Estimated time:
Gerrit CR:


When setting up a Windows AD server, the default "Domain Functional Level" (DFL) is "Windows 2000". If one accepts that default, then the native SMB service can join the domain with "smbadm join ...". However, if the DFL is anything later, "smbadm join" may fail.

Actions #1

Updated by Garrett D'Amore over 11 years ago

  • Assignee set to Gordon Ross
Actions #2

Updated by n2deep n2deep over 11 years ago

I'm not convinced this a bug per se.

Gordon Ross wrote:

When setting up a Windows AD server

Which version of windows server are you referring to? 2000, 2003, 2003 R2, 2008, 2008 R2? Your description in not clear to me.

When setting up my Windows server 2008 R2 domain server I selected a DFL of Windows Server 2008 (not R2). All I have to run on my OpenIndiana or OpenSolaris machines prior to running the smbadm join command is: sharectl set -p lmauth_level=2 smb Then I am successfully able to join the domain. I make no adjustments to the Windows Server 2008 R2 domain controller whatsoever.

Perhaps it would be better if smbadm was able to specify the DFL when running the join command. Then the join would not fail if the above sharectl command was not ran before hand.

(The method I describe works for me on opensolaris b134 and openindiana b147)

Actions #3

Updated by Gordon Ross over 11 years ago

OK, so yes, the bug has a work-around:
sharectl set -p lmauth_level=2 smb
(thanks for reminding us about that).

Nonetheless, the main cause of this is that the SMB service makes its
outbound connections to AD servers without "extended security".
That needs to be fixed.

Actions #4

Updated by Yuri Pankov over 10 years ago

  • Tags set to needs-triage

This should be resolved in #1120, #1121.

Actions #5

Updated by Gordon Ross over 10 years ago

  • Status changed from New to In Progress

This problem is not resolved by #1120, #1121.

We use some old RPC interfaces in our "join" code which are not supported when the DFL is set to later versions. We need to update the join implementation.

Actions #6

Updated by Yuri Pankov over 10 years ago

My bad.

Actions #7

Updated by Gordon Ross about 6 years ago

  • Status changed from In Progress to Closed

Fixed by #1122


Also available in: Atom PDF