Unable to join ActiveDirectory with smbv1 disabled on domain controller

Hello,

I'm having a problem joining Active Directory with an AD user account on HiveManager.
For security reasons we decided to disable SMBv1 on domain controllers.
Since then, I'm unable to join Active Directory and can't use 802.1X with EAP on Windows computers.

I tried the domain join in the CLI:
exec aaa net-join domain test.loc fullname test.loc server 192.168.1.2 username aerohive password aerohivepassword

I get the following error:
HiveAP AH-D2SI-3EME was unable to join the Active Directory domain test.loc

and when I look at the logs:

2017-06-12 14:28:26 debug   net: net: restart winbindd.
2017-06-12 14:28:26 debug   net: return code = -1
2017-06-12 14:28:26 debug   net: failed negprot
2017-06-12 14:28:26 debug   net: Receiving SMB: Server stopped responding
2017-06-12 14:28:26 debug   net: read_socket_with_timeout: timeout read. read error = Connection reset by peer.
2017-06-12 14:28:26 debug   net: Connecting to 192.168.1.2 at port 445
2017-06-12 14:28:26 debug   net: resolve_hosts: Attempting host lookup for name WAD01.test.loc<0x20>
2017-06-12 14:28:26 debug   net: resolve_wins: WINS server resolution selected and no WINS servers listed.
2017-06-12 14:28:26 debug   net: resolve_wins: Attempting wins lookup for name WAD01.test.loc<0x20>
2017-06-12 14:28:26 debug   net: resolve_lmhosts: Attempting lmhosts lookup for name WAD01.test.loc<0x20>
2017-06-12 14:28:26 debug   net: Connecting to host=WAD01.test.loc
2017-06-12 14:28:26 debug   net: netmask=255.255.255.0
2017-06-12 14:28:26 debug   net: bcast=192.168.75.255
2017-06-12 14:28:26 debug   net: added interface mgt0 ip=192.168.75.3
2017-06-12 14:28:26 debug   net: creating default valid table
2017-06-12 14:28:26 debug   net: Processing section "[global]"
2017-06-12 14:28:26 debug   net: params.c:pm_process() - Processing configuration file "/usr/local/etc/smb/lib/smb.conf"

When I test services:
exec _test tcp-service host 192.168.1.2 port 445
Test successfully

exec _test tcp-service host 192.168.1.2 port 445
Test successfully

Can you help me?

Thanks

julien desnos


Posted 10 months ago
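The debug lines in the question show why a successful TCP test on port 445 does not contradict the failed join. As an added example (not part of the thread or of HiveOS; `classify_join_log` and its verdict strings are hypothetical names), this Python helper puts the newest-first log back in event order and reports the stage at which the connection to the domain controller broke:

```python
import re

# Lines copied from the debug log in the question, newest entry first as posted.
PAGE_LOG = """\
2017-06-12 14:28:26 debug   net: return code = -1
2017-06-12 14:28:26 debug   net: failed negprot
2017-06-12 14:28:26 debug   net: Receiving SMB: Server stopped responding
2017-06-12 14:28:26 debug   net: read_socket_with_timeout: timeout read. read error = Connection reset by peer.
2017-06-12 14:28:26 debug   net: Connecting to 192.168.1.2 at port 445
2017-06-12 14:28:26 debug   net: Connecting to host=WAD01.test.loc
"""

LINE = re.compile(r"^\S+ \S+\s+debug\s+net: (.*)$")
CONNECT = re.compile(r"Connecting to (\S+) at port (\d+)")


def classify_join_log(text, newest_first=True):
    """Hypothetical helper: say where the SMB session to the DC broke down."""
    msgs = [m.group(1) for m in map(LINE.match, text.splitlines()) if m]
    if newest_first:
        # Every entry carries the same second, so timestamps cannot be sorted;
        # restore event order by reversing the listing instead.
        msgs.reverse()
    server = port = None
    reset = False
    for msg in msgs:
        hit = CONNECT.search(msg)
        if hit:
            server, port, reset = hit.group(1), int(hit.group(2)), False
        elif server and "Connection reset by peer" in msg:
            reset = True
        elif server and "failed negprot" in msg:
            # Peer dropped the connection while dialects were being negotiated.
            verdict = "reset_during_negotiate" if reset else "negotiate_failed"
            return {"verdict": verdict, "server": server, "port": port}
    verdict = "no_negotiate_error" if server else "no_connection_attempt"
    return {"verdict": verdict, "server": server, "port": port}


if __name__ == "__main__":
    print(classify_join_log(PAGE_LOG))
    # Reading the same lines top-down as if oldest-first hides the failure.
    print(classify_join_log(PAGE_LOG, newest_first=False))
```

A `reset_during_negotiate` verdict means the TCP connection was accepted and then reset at the negprot step, which is the protocol-level rejection the replies attribute to SMBv1 being disabled on the domain controller.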


Mike Kouri, Official Rep

When you modified your AD servers, you removed the support for the protocol that Aerohive (and most other Linux-based systems) uses to query it. Since you did that for security reasons, I won't suggest you revert back.

You may need to implement Microsoft's NPS as a bridge to the Active Directory user-store, and have the access points authenticate users via RADIUS against the NPS. 

julien desnos

Hello,

Thanks for your answer. Is it possible to force HiveOS to use SMBv2?

Regards

Mike Kouri, Official Rep

Julien,
No, not in current versions of HiveOS. That's why I suggested you implement Microsoft's NPS as a bridge to the Active Directory user-store, and have the access points authenticate users via RADIUS against the NPS. 

Nick Lowe, Official Rep

Hi Julien,

Going forward, so no cast iron promises yet, I understand that we're busy looking at the feasibility of adding support for SMBv2 in HiveOS with future updates with the intention of doing this. Stay tuned...

Cheers,

Nick

Tal Widerman

Nick,
That will be a good solution.
Please contact me directly when you can:
talw@visualitynq.com

Nick Lowe, Official Rep

Hi Julien,

The HiveOS 8.2r1 update removes the SMBv1 dependency from HiveOS. (The SMB protocol is used for AD integration purposes with the built-in RADIUS server.)

Release notes for HiveOS 8.2r1 are available here:

http://docs.aerohive.com/330000/docs/help/english/documentation/8.2r1_HiveOS_ReleaseNotes.pdf



Thanks,

Nick