23 Replies. Latest reply on Jan 5, 2018 1:29 AM by 08Martin80

    esxi 6.5 domain join with smb 2.0?

    robertrosit Novice

      host: esxi 6.5.0 vmkernel release build 5969303
      domain controller: server 2016 standard with latest cumulative update
      no firewall in place.
      when adding the esxi host to the domain with SMB 1.0 protocol (default setting), there are no issues. it works fine, tested via webgui and via command line.


      unfortunately in our environment we want to get rid of SMB 1.0 completely and uninstall it from the domain controllers. so we followed this post (ESXi 6 hangs when joining Active Directory Domain) to modify likewise to use smb 2.0

      after this change the domain join via webgui "hangs" and does not complete. then the entire webgui becomes unresponsive and from this moment on, we have to reboot the esxi host.

      we followed various troubleshooting guides, like this one (ESXi and Likewise – troubleshooting guide – part 2 – Virtual Village).
      for example, we disabled ipv6 on the domain controller like suggested, we disabled the windows firewall on the DC, we disabled the esx firewall... did not help. dns config, hosts file, etc. should all be fine, as domain join with SMB1.0 works.

      to get better debugging info we then tried a manual join with this procedure:

      /usr/lib/vmware/likewise/bin/lwsm restart lwio
      /etc/init.d/lwsmd stop
      /etc/init.d/lwsmd start
      esxcli network firewall unload
      /usr/lib/vmware/likewise/bin/lwsm set-log file /var/log/likewise.log
      /usr/lib/vmware/likewise/bin/lwsm set-log-level debug
      /usr/lib/vmware/likewise/bin/domainjoin-cli join domain.local domainadmin@domain.local somepassword

      the command prints two messages:

           Joining to AD Domain:   domain.local
           With Computer DNS Name: HV001.domain.local

      and then just hangs.

      after a failed join attempt like this we have to run "ps | grep lwsmd" and "kill -9 <pid>", otherwise we can't interact with lwio/lsass anymore.

      the verbose logging gives the following information:


      20170814141140:DEBUG:lwio:IoCreateFile():ioapi.c:218: LEAVE: -> 0x00000103 (EE = 0)
      20170814141140:DEBUG:lwio:IopIpcCreateFile():ioipc.c:438: LEAVE_IF: -> 0x00000103 (STATUS_PENDING) (EE = 0)
      20170814141140:DEBUG:lwio:RdrResolveToDomain():driver.c:889: Error at ../lwio/server/rdr/driver.c:889 [status: STATUS_NOT_FOUND = 0xC0000225 (-1073741275)]
      20170814141140:DEBUG:lwio:RdrSocketTaskConnect():socket.c:1019: Error at ../lwio/server/rdr/socket.c:1019 [status: STATUS_PENDING = 0x00000103 (259)]
      20170814141140:DEBUG:lwio:RdrSocketTask():socket.c:1246: Error at ../lwio/server/rdr/socket.c:1246 [status: STATUS_PENDING = 0x00000103 (259)]
      20170814141140:DEBUG:lwio:RdrSocketRead():socket.c:1773: Error at ../lwio/server/rdr/socket.c:1773 [status: STATUS_PENDING = 0x00000103 (259)]
      20170814141140:DEBUG:lwio:RdrSocketReceivePacket():socket.c:701: Error at ../lwio/server/rdr/socket.c:701 [status: STATUS_PENDING = 0x00000103 (259)]
      20170814141140:DEBUG:lwio:RdrSocketDispatchPacket2():socket.c:1423: Error at ../lwio/server/rdr/socket.c:1423 [status: STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3 (-1073741629)]
      20170814141140:DEBUG:lwio:RdrSocketTaskTransceive():socket.c:1134: Error at ../lwio/server/rdr/socket.c:1134 [status: STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3 (-1073741629)]
      20170814141140:DEBUG:lwio:RdrSocketTask():socket.c:1251: Error at ../lwio/server/rdr/socket.c:1251 [status: STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3 (-1073741629)]
      20170814141223:VERBOSE:lsass:LsaSrvIpcCheckPermissions():ipc_state.c:79: Permission granted for (uid = 0, gid = 0, pid = 72438) to open LsaIpcServer
      20170814141223:VERBOSE:lsass-ipc:lwmsg_peer_log_accept():peer-task.c:271: (session:04df4955d842942b-f5af40d405e6b03c) Accepted association 0xb1016b8
      20170814141223:VERBOSE:lwreg:RegDbOpenKey():sqldb.c:1068: Registry::sqldb.c RegDbOpenKey() finished
      20170814141223:DEBUG:lwreg:RegDbGetKeyValue_inlock():sqldb_p.c:1227: Error at ../lwreg/server/providers/sqlite/sqldb_p.c:1227 [status: LW_STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034 (-1073741772)]
      20170814141223:DEBUG:lwreg:RegDbGetValueAttributes_inlock():sqldb_schema.c:846: Error at ../lwreg/server/providers/sqlite/sqldb_schema.c:846 [status: LW_STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034 (-1073741772)]

      STATUS_INVALID_NETWORK_RESPONSE gives me no additional clue of what's going wrong except that this may simply be a bug in likewise or esxi.

      is there any way to get domain join working with SMB 2.0 ?

        • 1. Re: esxi 6.5 domain join with smb 2.0?
          msripada Expert
          vExpert

          Hello Robertrosit,

          Likewise is common to vCSA and ESXi hosts, so you can try the steps mentioned in the VMware community post below:

          Unable to join VCSA 6 u1 back to domain. Error messages are not found anywhere online.

          Note: please try it in a lab first and check if that works; do not try it directly on a production ESXi.

          Thanks,

          MS

          • 2. Re: esxi 6.5 domain join with smb 2.0?
            robertrosit Novice

            thank you for trying to help, but the post you linked just describes what i have discovered so far -> SMB1.0 (srv.sys) needs to be enabled for domain join to work.

            how to make domain join work with SMB2.0 instead?

            • 3. Re: esxi 6.5 domain join with smb 2.0?
              Seniore Novice

              Hi,

              please have a look at the following entry:

              Re: VMWare ESXi 6.0 Domain Integration - SMB1 Disabled on AD side through GPO, ESXi Domain Join Fails - How to force VMWare ESXi to use SMB2.0 +

              Login to the ESXi via SSH and execute:

              "

              Check Values:

                  /usr/lib/vmware/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'

              Change SMB2 to be Enabled:

                  /usr/lib/vmware/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' SMB2Enabled 1

              Restart lwio:

                  /usr/lib/vmware/likewise/bin/lwsm restart lwio

              "
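The three commands above are a check, a write and a restart, with no read-back. Robert's later post in this thread shows a fresh 6.5 U1 host where lwregshell still reported SMB2Enabled as 0, so the step worth automating is re-reading the value after lwio has restarted and refusing to proceed to domainjoin-cli until it reads 1. The script below is an added example written for this thread; it is not code from VMware, Likewise or any poster. It assumes (not confirmed by the thread) that "lwregshell list_values" prints one line per value with the decimal value in parentheses, and the function names smb2_state, smb2_action and ensure_smb2 are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware/Likewise.
# Wraps the check / set_value / restart sequence so that the value is
# verified after lwio comes back, before domainjoin-cli is attempted.
# Assumption (not confirmed by the thread): "lwregshell list_values" prints one
# line per value with the decimal value in parentheses, for example
#   "SMB2Enabled"  REG_DWORD  0x00000000 (0)
# The parser only relies on the value name and that trailing "(n)" token.

LWBIN=/usr/lib/vmware/likewise/bin
RDRKEY='[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'

# smb2_state LIST_VALUES_OUTPUT -> prints the SMB2Enabled value, or "missing"
smb2_state() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /smb2enabled/ && match($0, /\([0-9]+\)/) {
            # strip the surrounding parentheses from the "(n)" token
            print substr($0, RSTART + 1, RLENGTH - 2)
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# smb2_action STATE -> "none" when already 1, "set" otherwise (0 or missing)
smb2_action() {
    case "$1" in
        1) echo none ;;
        *) echo set ;;
    esac
}

# ensure_smb2: run the three commands from the post only when needed and
# re-read the key afterwards; exit status 0 means SMB2Enabled reads back as 1.
ensure_smb2() {
    before=$(smb2_state "$("$LWBIN/lwregshell" list_values "$RDRKEY")")
    if [ "$(smb2_action "$before")" = none ]; then
        echo "SMB2Enabled already 1, nothing to do"
        return 0
    fi
    "$LWBIN/lwregshell" set_value "$RDRKEY" SMB2Enabled 1 || return 1
    "$LWBIN/lwsm" restart lwio || return 1
    after=$(smb2_state "$("$LWBIN/lwregshell" list_values "$RDRKEY")")
    echo "SMB2Enabled before=$before after=$after"
    [ "$after" = 1 ]
}

# Only touch the registry when run on a host that actually has Likewise.
if [ -x "$LWBIN/lwregshell" ]; then
    ensure_smb2
fi
```

Run it over SSH on the host before the join; a non-zero exit means the value did not stick and the join should not be attempted yet. If the output format on your build differs from the assumed one, adjust only the awk pattern in smb2_state.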

              • 4. Re: esxi 6.5 domain join with smb 2.0?
                robertrosit Novice

                we have done this (so we followed this post (ESXi 6 hangs when joining Active Directory Domain) to modify likewise to use smb 2.0)

                it results in the error i have described in the initial posting.

                • 5. Re: esxi 6.5 domain join with smb 2.0?
                  msripada Expert
                  vExpert

                  As per this KB: VMware ESXi 6.0, Patch ESXi600-201706401-BG: Updates esx-base, vsan, and vsanhealth VIBs (2149955) | VMware KB

                  the latest vSphere 6.0 release has SMB2 enabled. I guess the 6.5 update released at the same time, or the latest one for 6.5, should have the same SMB2 update as well. Can you update to 6.5 Update 1 and check once?

                  Thanks,

                  MS

                  • 6. Re: esxi 6.5 domain join with smb 2.0?
                    msripada Expert
                    vExpert

                    It's released on June 6, 2017

                    Windows 2012 domain controller supports SMBv2, whereas Likewise stack on ESXi supports only SMBv1.

                    With this release, the likewise stack on ESXi is enabled to support SMBv2.

                    The only release after June 6, 2017 for ESXi 6.5 is 6.5 Update 1. I do not see any info in the release notes, but it is worth a try to check:

                    VMware ESXi 6.0, Patch ESXi600-201706401-BG: Updates esx-base, vsan, and vsanhealth VIBs (2149955) | VMware KB

                    Thanks,

                    MS

                    • 7. Re: esxi 6.5 domain join with smb 2.0?
                      msripada Expert
                      vExpert

                      I got it confirmed that 6.5 Update 1 has SMB2 enabled by default.

                      VMware ESXi 6.5 Update 1 Release Notes

                      Security Issues

                      • Update to the libcurl library: The ESXi userworld libcurl library is updated to version 7.53.1.
                      • Update to the NTP package: The ESXi NTP package is updated to version 4.2.8p10.
                      • Update to the OpenSSH version: The OpenSSH version is updated to version 7.5p1.
                      • The likewise stack on ESXi is not enabled to support SMBv2: The Windows 2012 domain controller supports SMBv2, whereas likewise stack on ESXi supports only SMBv1. With this release, the likewise stack on ESXi is enabled to support SMBv2. This issue is resolved in this release.
                      • 8. Re: esxi 6.5 domain join with smb 2.0?
                        robertrosit Novice

                        thank you for your response.

                        however our esxi host is a fresh install from ISO 6.5.0 U1, done in the second week of august 2017.

                        The webgui says:

                        Version info: 6.5.0 Update 1 (Build 5969303)

                        this is the same version as mentioned in the VMware ESXi 6.5 Update 1 Release Notes:

                        ESXi 6.5 Update 1 | 27 JULY 2017 | ISO Build 5969303

                        so we're 100% sure we have the latest version in place.

                        still, lwregshell shows SMB2Enabled with value 0.

                        [screenshot: lwregshell1.png]

                        ok, let's try again. enable SMB2:

                        [screenshot: lwregshell2.PNG]

                        and it fails with ERROR_GEN_FAILURE [code 0x0000001f]

                        [screenshot: join fail.PNG]

                        i have then disabled the esxi firewall, and now i am back to where i started. the command just hangs, no error message, but also no domain join:

                        [screenshot: join hangs.PNG]

                        • 9. Re: esxi 6.5 domain join with smb 2.0?
                          robertrosit Novice

                          for completeness, here's the logfile:

                          20170829084549:INFO:netlogon:LWNetSrvGetDCTime():dcinfo.c:442: Determining the current time for domain 'DOMAIN.LOCAL'
                          20170829084549:INFO:netlogon:LWNetSrvGetDCName():dcinfo.c:97: Looking for a DC in domain 'DOMAIN.LOCAL', site '<null>' with flags 10
                          20170829084550:DEBUG:lsass:LsaSetSMBCreds():lsakrb5smb.c:174: Switching default credentials path for new access token
                          20170829084550:DEBUG:LwKrb5SetThreadDefaultCachePath():lwkrb5.c:410: Switched gss krb5 credentials path from FILE:/tmp/krb5cc_0 to FILE:/tmp/tktp1kjHc
                          20170829084550:INFO:netlogon:LWNetSrvGetDCName():dcinfo.c:97: Looking for a DC in domain 'DOMAIN.LOCAL', site '<null>' with flags 1001
                          20170829084550:DEBUG:netlogon:LWNetGetPreferredDcList():lwnet-plugin.c:184: Error at ../netlogon/server/api/lwnet-plugin.c:184 [code: 2453]
                          20170829084550:DEBUG:netlogon:LWNetSrvGetDCNameDiscoverInternal():lwnet.c:887: Error at ../netlogon/server/api/lwnet.c:887 [code: 2453]
                          20170829084550:INFO:netlogon:LWNetFilterFromBlackList():lwnet.c:725: Filtering list of 1 servers with list of 0 black listed servers
                          20170829084550:DEBUG:lwio:RdrCreateContext():driver.c:475: Created op context 0x854e828 for IRP 0x854e790
                          20170829084550:DEBUG:lwio:RdrCreateContext():driver.c:479: Created op context 0x854e918
                          20170829084550:DEBUG:lwio:RdrCreateContext():driver.c:479: Created op context 0x854ea50
                          20170829084550:DEBUG:lwio:RdrTreeConnect():connect.c:1106: Tree connect context 0x854ea50 will continue 0x854e918
                          20170829084550:DEBUG:lwio:RdrTransceiveNegotiate():connect.c:899: Error at ../lwio/server/rdr/connect.c:899 [status: STATUS_PENDING = 0x00000103 (259)]
                          20170829084550:DEBUG:lwio:RdrTreeConnect():connect.c:1151: Error at ../lwio/server/rdr/connect.c:1151 [status: STATUS_PENDING = 0x00000103 (259)]
                          20170829084550:DEBUG:lwio:RdrDfsConnectAttempt():dfs.c:559: Error at ../lwio/server/rdr/dfs.c:559 [status: STATUS_PENDING = 0x00000103 (259)]
                          20170829084550:DEBUG:lwio:RdrDfsConnect():dfs.c:751: Error at ../lwio/server/rdr/dfs.c:751 [status: STATUS_PENDING = 0x00000103 (259)]
                          20170829084550:DEBUG:lwio:IoCreateFile():ioapi.c:218: LEAVE: -> 0x00000103 (EE = 0)
                          20170829084550:DEBUG:lwio:IopIpcCreateFile():ioipc.c:438: LEAVE_IF: -> 0x00000103 (STATUS_PENDING) (EE = 0)
                          20170829084550:DEBUG:lwio:RdrResolveToDomain():driver.c:889: Error at ../lwio/server/rdr/driver.c:889 [status: STATUS_NOT_FOUND = 0xC0000225 (-1073741275)]
                          20170829084550:DEBUG:lwio:RdrSocketTaskConnect():socket.c:1019: Error at ../lwio/server/rdr/socket.c:1019 [status: STATUS_PENDING = 0x00000103 (259)]
                          20170829084550:DEBUG:lwio:RdrSocketTask():socket.c:1246: Error at ../lwio/server/rdr/socket.c:1246 [status: STATUS_PENDING = 0x00000103 (259)]
                          20170829084550:DEBUG:lwio:RdrSocketRead():socket.c:1773: Error at ../lwio/server/rdr/socket.c:1773 [status: STATUS_PENDING = 0x00000103 (259)]
                          20170829084550:DEBUG:lwio:RdrSocketReceivePacket():socket.c:701: Error at ../lwio/server/rdr/socket.c:701 [status: STATUS_PENDING = 0x00000103 (259)]
                          20170829084550:DEBUG:lwio:RdrSocketDispatchPacket2():socket.c:1423: Error at ../lwio/server/rdr/socket.c:1423 [status: STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3 (-1073741629)]
                          20170829084550:DEBUG:lwio:RdrSocketTaskTransceive():socket.c:1134: Error at ../lwio/server/rdr/socket.c:1134 [status: STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3 (-1073741629)]
                          20170829084550:DEBUG:lwio:RdrSocketTask():socket.c:1251: Error at ../lwio/server/rdr/socket.c:1251 [status: STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3 (-1073741629)]
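Both log excerpts in this thread (the one in the opening post and the one just above) have the same shape: dozens of STATUS_PENDING entries, which Likewise writes on every asynchronous step, and then one or two hard failures buried among them. The script below is an added example written for this thread, not code from VMware, Likewise or any poster; it reduces a Likewise debug log to the non-PENDING status entries and reports the last one together with the function that logged it, which is the line a practitioner would paste into a ticket. The line format it parses is the one shown in the excerpts; the function names lw_failures, lw_final_status, lw_describe and lw_triage are mine, and the sample log embedded at the end is constructed from two lines of the thread's own excerpt.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware/Likewise. Reduces a
# Likewise debug log to the status codes that matter: every asynchronous step
# logs STATUS_PENDING (0x00000103), so the real failure is the last
# non-PENDING "[status: SYMBOL = 0xCODE (...)]" entry and the function that
# logged it. Line shape follows the log excerpts posted in this thread.

# lw_failures LOGTEXT -> one "function symbol code" line per non-PENDING status
lw_failures() {
    printf '%s\n' "$1" | sed -n \
        's/^[0-9]*:[A-Z]*:[a-z-]*:\([A-Za-z0-9_]*\)().*\[status: \([A-Z_]*\) = \(0x[0-9A-Fa-f]*\).*/\1 \2 \3/p' |
        grep -v ' STATUS_PENDING ' || true
}

# lw_final_status LOGTEXT -> "symbol code" of the last non-PENDING failure,
# or "none" when the log carries no hard failure at all
lw_final_status() {
    last=$(lw_failures "$1" | tail -n 1)
    if [ -z "$last" ]; then
        echo none
    else
        echo "${last#* }"   # drop the leading function name
    fi
}

# lw_describe SYMBOL -> short reading of the NTSTATUS symbols seen in the thread
lw_describe() {
    case "$1" in
        STATUS_INVALID_NETWORK_RESPONSE)
            echo "the peer answered, but the answer did not parse as a valid SMB response" ;;
        STATUS_NOT_FOUND)
            echo "the object looked up was not found" ;;
        LW_STATUS_OBJECT_NAME_NOT_FOUND)
            echo "the requested registry value does not exist" ;;
        none)
            echo "no hard failure logged" ;;
        *)
            echo "unknown status, look up the NTSTATUS code" ;;
    esac
}

# lw_triage LOGTEXT -> one summary line suitable for a ticket or a grep
lw_triage() {
    final=$(lw_final_status "$1")
    sym=${final%% *}
    count=$(lw_failures "$1" | wc -l | tr -d ' ')
    echo "final status: $final ($(lw_describe "$sym")); hard failures: $count"
}

# Constructed sample (two lines taken from the thread's excerpt) for a dry run.
SAMPLE='20170814141140:DEBUG:lwio:RdrSocketTaskConnect():socket.c:1019: Error at ../lwio/server/rdr/socket.c:1019 [status: STATUS_PENDING = 0x00000103 (259)]
20170814141140:DEBUG:lwio:RdrSocketDispatchPacket2():socket.c:1423: Error at ../lwio/server/rdr/socket.c:1423 [status: STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3 (-1073741629)]'

# On a host where logging was redirected as in the opening post:
#   lw_triage "$(cat /var/log/likewise.log)"
lw_triage "$SAMPLE"
```

The grep for STATUS_PENDING is deliberate: without it the "last status" in both excerpts would be a PENDING entry and the triage would point at the wrong function. The descriptions in lw_describe are the standard NTSTATUS meanings, not a diagnosis of this particular join failure.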

                          • 10. Re: esxi 6.5 domain join with smb 2.0?
                            msripada Expert
                            vExpert

                            Hello Robert,

                            Thank you for the log snippet.

                            SMB2 is already enabled on the ESXi host as per the screenshot (maybe you might have corrected it if it was not).

                            Ensure that SMB1 is disabled on the AD.

                            Ping the domain from the ESXi host and check whether the ping is answered by a specific DC or is load balanced across multiple domain controllers; possibly the request is reaching a DC which might be unreachable.

                            Ensure DNS is configured for AD before joining and then try to join.

                            Thanks,

                            MS

                            • 11. Re: esxi 6.5 domain join with smb 2.0?
                              robertrosit Novice

                              There is only one domain controller, the logfile confirms this:

                              20170829084550:INFO:netlogon:LWNetFilterFromBlackList():lwnet.c:725: Filtering list of 1 servers with list of 0 black listed servers

                              i can look up and ping the domain correctly from esxi.

                              what do you mean by "Ensure DNS is configured for AD before joining and then try to join"? in esxi configuration, i set the DNS server to be the ip of the DC (which is the DNS server), and set a hostname in FQDN format (hv001.domain.local). anything else to do in this regard?

                              both esxi and domain controller are fresh installs with most recent patch levels (this is a lab environment).

                              i started monitoring the connection between esxi and DC, i can see ms-ds-smbv2, kerberos, ldap, ntp and dns packets. all looks good.

                              still, the domain join command just hangs, no domain join happens, and the likewise logfile mentions 20170829084550:DEBUG:lwio:RdrSocketTask():socket.c:1251: Error at ../lwio/server/rdr/socket.c:1251 [status: STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3 (-1073741629)] in the end.

                              • 12. Re: esxi 6.5 domain join with smb 2.0?
                                jfene72 Enthusiast
                                vExpert

                                I have, give or take, your same lab setup, the only difference being that I'm running AD on Windows 2012 Server; just 1 DC. I gave this a go and disabled SMB 1.0 on the DC and enabled SMB 2.0 on an ESXi 6.5 U1 host. I then joined ESXi using the domainjoin-cli command and found no issues. Disjoined and rejoined it again just to test it twice.

                                I'm running everything on the same subnet. Firewall is enabled on ESXi but it is disabled on the Windows DC and there's no additional firewalling in between. ESXi is using the DC's DNS server for name resolution.

                                I know this is not a solution but maybe it will help you narrow down the issue.


                                • 13. Re: esxi 6.5 domain join with smb 2.0?
                                  robertrosit Novice

                                  hi jfene72,

                                  thanks for trying to help (i already found some of your info on the net, i recognize your domain name)

                                  out of options i went the far way and installed a fresh 2012R2 server, promoted it to a new domain ("test.local"), and put it in the same ip subnet as the esxi server. so the settings should be similar.

                                  unfortunately i get the exact same error in the esxi log (STATUS_INVALID_NETWORK_RESPONSE = 0xC00000C3)

                                  so i went a step further, disabled SMB2 on the esxi side, and enabled SMB1 on the DC side - just to make sure that at least this works fine. and it does.

                                  domain join to test.local on server2012r2 works flawlessly with smb1.

                                  then i disabled SMB1 on the DC with powershell, and tried again.

                                  and domain join still worked...

                                  ... until i rebooted the DC.

                                  could you be so kind and test this again after rebooting your dc? it seems the powershell command will not have any effect before that.

                                  • 14. Re: esxi 6.5 domain join with smb 2.0?
                                    jfene72 Enthusiast
                                    vExpert

                                    So, I rebooted the DC and verified that SMB 1.0 was still disabled on the DC and that SMB 2.0 was still enabled on ESXi. Both were. I then tried rejoining ESXi and this time it failed with the following:

                                    Error: ERROR_GEN_FAILURE [code 0x0000001f]

                                    Under syslog, you'll find multiple entries like this one:

                                    2017-08-30T14:59:46Z lwsmd: [lsass] Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 2111170

                                    It took something like 20 seconds before throwing the error.

                                    So I re-enabled SMB 1.0 and disabled SMB 2.0 on the DC using PowerShell. I did the same on ESXi using lwregshell. The ESXi host joined the domain just fine after doing this. Why? Your guess is as good as mine!

                                    I'll try and dig deeper tomorrow if I find some time to spare.

                                    Hope this helps.
