smbadm join fails if Domain Functional Level later than 2000
When setting up a Windows AD server, the default "Domain Functional Level" (DFL) is "Windows 2000". If one accepts that default, then the native SMB service can join the domain with "smbadm join ...". However, if the DFL is anything later, "smbadm join" may fail.
Updated by n2deep n2deep over 10 years ago
I'm not convinced this is a bug per se.
Gordon Ross wrote:
When setting up a Windows AD server
Which version of Windows Server are you referring to? 2000, 2003, 2003 R2, 2008, 2008 R2? Your description is not clear to me.
When setting up my Windows Server 2008 R2 domain server I selected a DFL of Windows Server 2008 (not R2). All I have to run on my OpenIndiana or OpenSolaris machines prior to running the smbadm join command is:
sharectl set -p lmauth_level=2 smb
Then I am successfully able to join the domain. I make no adjustments to the Windows Server 2008 R2 domain controller whatsoever.
Perhaps it would be better if smbadm was able to specify the DFL when running the join command. Then the join would not fail if the above sharectl command was not run beforehand.
(The method I describe works for me on opensolaris b134 and openindiana b147)
Updated by Gordon Ross over 10 years ago
OK, so yes, the bug has a work-around:
sharectl set -p lmauth_level=2 smb
(thanks for reminding us about that).
Nonetheless, the main cause of this is that the SMB service makes its
outbound connections to AD servers without "extended security".
That needs to be fixed.