I recently had a Riverbed Steelhead CX3070 fail (fan tray was screaming randomly so I did an RMA to replace the unit). Upon reconfiguring the replacment for the life of me I couldn’t get the unit joined to the domain (Active Directory).
Here is the log file output after a failed attempt at joining the domain:
Jan 1 22:26:31 rb-rma rcud[14771]: [rcud/req/.NOTICE] - {- -} Received action: /rbt/rcu/action/domain_config
Jan 1 22:26:31 rb-rma mgmtd[11988]: [mgmtd.NOTICE]: Join domain in progress...
Jan 1 22:26:31 rb-rma rcud[14771]: [rcud/main/.NOTICE] - {- -} joining with join type = win2k3-mode
Jan 1 22:26:32 rb-rma rcud[14771]: [rcud/main/.NOTICE] - {- -} No printing template found. Printing support will NOT be present
Jan 1 22:26:34 rb-rma rcud[14771]: [rcud/main/.ERR] - {- -} Failed to join domain using ads: failed to lookup DC info for domain 'company.com'
Jan 1 22:26:34 rb-rma rcud[14771]: [rcud/main/.NOTICE] - {- -} Sending action /rbt/rcu/event/rcu/terminate_winbind
Jan 1 22:26:34 rb-rma mgmtd[11988]: [mgmtd.ERR]: Domain configuration failed: 1 Join domain failed
Jan 1 22:26:34 rb-rma rcud[14771]: [rcud/main/.NOTICE] - {- -} No printing template found. Printing support will NOT be present
Jan 1 22:26:34 rb-rma sport[14788]: [domain_auth/config.WARN] - {- -} RCUD configuration does not have realm/workgroup info. Device has not joined a domain. SMB Signing/Encrypted MAPI will NOT work.
Jan 1 22:26:34 rb-rma sport[14788]: [domain_auth/config.NOTICE] - {- -} Turning OFF NTLMv2 pass-through auth support.
Jan 1 22:26:34 rb-rma sport[14788]: [domain_auth/trusted_domains.NOTICE] - {- -} Clearing list of trusted domains
As you can see from above, the log points to a communication issue. Tested all the usual suspects (icmp, firewall, bypass primary interface with in-path rule), still not working. Logged a ticket with Riverbed support (uploading the sysdump to the case) and they came back with the following:
For communication to the domain you must enable smb2 via the CLI if using Windows 2016 Server / 2019 Server and above:
1. How can I enable SteelHead to use SMB2/3 to communicate with Domain Controllers?
From server-side SteelHead, execute the following hidden commands:
rb-rma > en
rb-rma # config t
rb-rma (config) # domain settings smb2 enable
rb-rma (config) # write mem
rb-rma (config) # pm process rcud restart
rb-rma (config) # show pm process rcud
The issue was that the primary interface on the steelhead was sending SMB1 negotiation requests during the domain join and Server 2016/2019 block these requests (security etc).
This information is depicted in the Riverbed knowledge base article S30252
I hope this helps someone else, a really quick fix once you know whats causing the problem!
Comments