
    Unable to join Domain (Error 87)

    • A
      allan0027
      last edited by allan0027

      Hello,
      I’m trying to include a computer in my domain with FOG, but it’s not working. I have already updated the FOG server, the FOG Client, used different credentials, but nothing had any effect.

      The inclusion works when the manual process is done, or using the Netdom described in the Wiki, both using the credentials passed below.
      There is no computer with this name in the domain, and I have changed its name several times to test the HostnameChanger.
      In the Debugger log, the credentials are correct, but it still does not work.

      Below is the information for my environment and some logs that can help.

      FOG Server Version: 1.5.2
      FOG Client Version: 0.11.16
      Computer: Windows 10 PRO 1803

      AD: Samba 4.5.12-Debian
      Domain name: atleticopr.com.br
      OU: Blank, I’m using default “Computers”
      Domain Username: domainjoin
      Domain Password: DomainJoin2018 (Don’t worry, only for test purpose)
      Domain Password Legacy: Blank.

      Fog.txt

      ------------------------------------------------------------------------------
      --------------------------------HostnameChanger-------------------------------
      ------------------------------------------------------------------------------
       28/05/2018 15:46 Client-Info Client Version: 0.11.16
       28/05/2018 15:46 Client-Info Client OS:      Windows
       28/05/2018 15:46 Client-Info Server Version: 1.5.2
       28/05/2018 15:46 Middleware::Response Success
       28/05/2018 15:46 HostnameChanger Checking Hostname
       28/05/2018 15:46 HostnameChanger Hostname is correct
       28/05/2018 15:46 HostnameChanger Attempting to join domain
       28/05/2018 15:46 HostnameChanger The parameter is incorrect, code =  87
      ------------------------------------------------------------------------------
      

      Debugger Log

      fog: dump cycle save
       28/05/2018 15:46 Middleware::Communication URL: http://fogserver.atleticopr.com.br/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:A4:57:5D&newService&json
       28/05/2018 15:46 Console::Dump Dumping decrypted response
      ------------------------------------------------------------------------------
      {"autologout":{"error":"ng"},"displaymanager":{"error":"ng"},"hostnamechanger":{"enforce":true,"hostname":"6outracoisa","AD":true,"ADDom":"atleticopr.com.br","ADOU":"","ADUser":"atleticopr.com.br\\domainjoin","ADPass":"DomainJoin2018"},"powermanagement":{"onDemand":"","tasks":[]},"printermanager":{"error":"ng"},"snapinclient":{"error":"ns"},"taskreboot":{"job":false},"usertracker":{"":""}}
      

      Samba log (Some parts):

        Allowed connection from 10.42.2.111 (10.42.2.111)
        user_ok_token: share IPC$ is ok for unix user ATLETICOPR\domainjoin
        set_conn_connectpath: service IPC$, connectpath = /tmp
        Connect path is '/tmp' for service [IPC$]
        user_ok_token: share IPC$ is ok for unix user ATLETICOPR\domainjoin
      [...]
        10.42.2.111 (ipv4:10.42.2.111:49750) connect to service IPC$ initially as user ATLETICOPR\domainjoin (uid=3000060, gid=100) (pid 5646)
      [...]
        10.42.2.111 (ipv4:10.42.2.111:49750) closed connection to service IPC$
      

      Edit:
      I forgot the screenshots…

      “Sucesso da Auditoria” means “Audit Success”
      0_1527603380668_Screenshot_1.jpg
      1_1527603380668_Screenshot_2.jpg
      2_1527603380668_Screenshot_3.jpg

        • Wayne WorkmanW
          Wayne Workman @allan0027
          last edited by

          Asking @joe-schmitt to look at this.

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
          Daily Clean Installation Results:
          https://fogtesting.fogproject.us/
          FOG Reporting:
          https://fog-external-reporting-results.fogproject.us/

          • A
            allan0027
            last edited by

            Thanks! Still awaiting.

            One important piece of information:
            I do not have a log, but there was a moment the FOG Client was able to join. I had not changed anything, just restarted a few times.
            After that, I removed it from the domain and rebooted to see if it happened again, but it did not.

            • JJ FullmerJ
              JJ Fullmer Testers
              last edited by

              What OS is your domain controller running and what version/release of windows 10 is the image? (Just noticed that you put 1803 in your description, but I already wrote the rest of this, it still applies)

              I ask because in 1709 and 1803 there are new smb version rules (it was an update released after 1709 was initially released, but I think it’s embedded in the latest version of the 1709 iso). SMB v1 isn’t super supported anymore as a patch to that wannacry ransomware. They also by default disabled being able to access public shares. I have also had some issues with needing to add *.mydomain.com as a trusted host before being able to mount any domain joined shares from a non domain joined 1803 install.

              Point is, windows is trying to be more secure, but as security tends to, it’s created unintended inconveniences. For example if you have one of your domain controllers on windows server 2003, you pretty much have to make a new domain controller on 2012 R2 or newer, with 2016 being the preference. This would only be the problem though if you maybe have one older dc and a newer one and the manual process is getting the newer dc for the join task and the fog client is querying the older one. So it may be more of a long shot in this case.

              However the problem may also be simpler than a network update issue.
              Error 87 means parameter incorrect, so maybe we should check each parameter. Maybe make a test OU in your domain called ‘fogWorkstations’
              then set the OU on your host to “OU=fogWorkstation,DC=atleticopr,DC=com,DC=br”

              Some other questions though,
              Do other workstations join with the fog service?
              Can you perform other tasks with the fog service? Maybe a rename without the domain joining, a simple reboot, queue a snapin, add a printer, or anything like that?

              Have you tried the FogApi powershell module? It's pretty cool IMHO
              https://github.com/darksidemilk/FogApi
              https://fogapi.readthedocs.io/en/latest/
              https://www.powershellgallery.com/packages/FogApi
              https://forums.fogproject.org/topic/12026/powershell-api-module

              • A
                allan0027
                last edited by

                I’m sorry for the delay in replying. I was doing some tests based on what you wrote and I have some great news.
                As recommended, I switched to test in another OU and it worked. Thanks for the help, my problem is solved.

                Here is a comment that might help:
                I do not know if it occurs in Microsoft AD, but in Samba 4 it does not work if you leave the “Organizational Unit” field empty. You can set the default “CN = Computers” or any other OU and the FOG Client will be able to join the domain, but using this in a blank option will give the error 87 even if you use “redircmp” to save to another OU.

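
Added example (not part of the original posts, and not FOG Project code): a pre-flight check over the `hostnamechanger` settings shown in the debugger dump earlier in this thread. It flags the empty `ADOU` that the post above identifies as the trigger for error 87 against Samba 4, and masks `ADPass` so a dump can be shared without the join credential. The sample input is constructed, and treating the OU field as a distinguished name is an assumption taken from the replies above.

```python
import json
import re

def domain_to_dn(domain):
    """atleticopr.com.br -> DC=atleticopr,DC=com,DC=br"""
    return ",".join("DC=" + label for label in domain.strip(".").split("."))

def check_join_settings(raw):
    """Return a list of problems found in the hostnamechanger settings."""
    hc = json.loads(raw).get("hostnamechanger", {})
    if not hc.get("AD"):
        return []                                  # no domain join requested
    problems = [key + " is empty" for key in ("ADDom", "ADUser", "ADPass")
                if not hc.get(key)]
    domain = hc.get("ADDom", "").strip()
    ou = hc.get("ADOU", "").strip()
    if not ou:
        # The case reported in this thread: blank OU, error 87 on Samba 4.
        problems.append("ADOU is empty; set an explicit DN, e.g. CN=Computers,"
                        + domain_to_dn(domain))
        return problems
    parts = [p.strip() for p in re.split(r"(?<!\\),", ou)]
    bad = [p for p in parts
           if not re.fullmatch(r"(?i)(OU|CN|DC)\s*=\s*\S.*", p)]
    if bad:
        problems.append("malformed DN component(s): " + ", ".join(bad))
    dcs = [p.split("=", 1)[1].strip().lower()
           for p in parts if re.match(r"(?i)DC\s*=", p)]
    if dcs and ".".join(dcs) != domain.lower():
        problems.append("DC components of ADOU do not match ADDom " + domain)
    return problems

def redact(raw):
    """Copy of the dump with ADPass masked, suitable for posting."""
    data = json.loads(raw)
    hc = data.get("hostnamechanger", {})
    if hc.get("ADPass"):
        hc["ADPass"] = "<redacted>"
    return json.dumps(data)

def sample(ou):
    # Constructed input modelled on the dump in this thread; placeholder password.
    return json.dumps({"hostnamechanger": {
        "enforce": True, "hostname": "6outracoisa", "AD": True,
        "ADDom": "atleticopr.com.br", "ADOU": ou,
        "ADUser": "atleticopr.com.br\\domainjoin", "ADPass": "placeholder-not-real"}})

if __name__ == "__main__":
    for ou in ("", "OU=fogWorkstations,DC=atleticopr,DC=com,DC=br"):
        print(repr(ou), "->", check_join_settings(sample(ou)) or "ok")
    print(redact(sample("")))
```
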
                • JJ FullmerJ
                  JJ Fullmer Testers @allan0027
                  last edited by

                  @allan0027 Excellent! Glad to hear it worked and happy it was something simple.

                  Copyright © 2012-2024 FOG Project