Required Settings for Samba NT4 Domains: Difference between revisions

From SambaWiki
No edit summary
m (/* Added powershell join method)
 
(32 intermediate revisions by 5 users not shown)
Line 1: Line 1:
= General Information =
== Samba versions supporting Windows7 Domain Logon ==


Microsoft discontinued the official support for NT4 domains in the Windows operating systems. However, with some modifications, you are still able to use later released Windows operating systems with a Samba NT4 domain. Anyway, consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes no longer supported NT4 features. For details about migrating, see [[Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)|Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)]].
Support for Windows 7 and Windows Server 2008 R2 using Samba Domain Controllers has been added to the following versions:


{{Imbox
* Samba 3.4 or later
| type = important
* Samba 3.3.5 or later
| text = If you are running Samba Active Directory (AD), do not set any of the modifications mentioned on this page.
* Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES)
}}
* Samba 3.2.12 or later


We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions. Also tested Windows Server 2008 R2 Enterprise with Samba 3.5.6.


If you use older versions, Windows 7 box still can join the Samba Domain but after rebooting, you will receive an error message: "the trust relation between this workstation and the primary domain failed" and no one can logon as any domain user.


-- [[User:Monyo|Monyo]] 16:22, 5 June 2011 (UTC)


== Windows 7 Registry settings ==


= Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain =
There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:


During the join, the following error message is displayed:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0


The following error occurred attempting to join the domain "SA":
Samba also ships with a registry patchfile that users can apply directly.
The specified domain either does not exist or could not be contacted.
The patchfile can be found in recent Samba sourcecode: $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg or in Samba Bugzilla here:
https://bugzilla.samba.org/attachment.cgi?id=4988&action=view


To enable the client to join the Samba NT4 domain:
Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.


* Save the following content to a plain text file named <code>samba_7_2008_fix.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Do '''not''' edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.


Windows Registry Editor Version 5.00
If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000


* Log in using the local <code>Administrator</code> account.
HKLM\System\CCS\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 1
DWORD RequireStrongKey = 1


* Double-click the file to import it to the Windows registry.


* Reboot to take the changes effect.


--[[User:stwestbrook, Gd|Gd]] 15:47, 29 November 2009 (EDT)


'''Special Warning:''' If, as is likely the case, you are using the Windows Operating System to view this page and double-click the registry value (DNSNameResolutionRequired or DomainCompatibilityMode) to CnP into Windows' regedit, that one must take special care to make sure that when pasting the clipboard into the new value created in regedit to remove the space at the end of the value name that is likely included in the double-clicking of the registry value name.


''Sidebar for the purpose of impressing importance of this Special Warning'': Embarrassingly, it took me 8 hours today (1 June 2012) to troubleshoot a problem where DNSNameResolutionRequired in this Wiki was pasted "DNSNameResolutionRequired " into regedit. Obviously, no one could join the domain and no one thought twice about the fact that DNSNameResolutionRequired ''which looked right was actually very wrong''. When it comes to Windows 7 joining a Samba PDC, as the Internet echos loudly, have these registry entries set and '''make sure these registry values are named correctly'''.


--[[User:s1037989|s1037989]] 16:25, 4 June 2012 (CDT)


= Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This computer to "" Failed. =
== NOTES: with Samba 3.3.2, 3.3.3 and 3.3.4 ==


During joining the machine to the NT4 domain the following error message is displayed:
'''Only for these versions''', you have to change the NETLOGON parameters.


Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...".
HKLM\System\CCS\Services\Netlogon\Parameters
The error was:
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0
The specified domain either does not exist or could not be contacted


You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see [http://support.microsoft.com/kb/2171571 KB2171571].
For other versions, you must not change them.


--[[User:Monyo|Monyo]] 12:42, 6 April 2011 (CDT)


The changes of RequireSignOrSeal and RequireStrongKey are '''NOT''' recommended by the Samba Team. They will break interoperability with other Windows and Samba versions!


--[[User:bjacke|bjacke]] 17 Jul 2011 (CEST)


== NOTES: Error message during joining to the Domain ==
You will receive one warning about DNS domain name configuration after the join has succeeded:


"Changing the Primary Domain DNS name of this computer to "" failed.
The name will remain "MYDOM". The error was:
The specified domain either does not exist or could not be contacted"


= Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager =
This warning can be ignored or silenced with setting other registry keys.


After installing the [https://support.microsoft.com/en-us/kb/3000850 November 2014 update rollup (KB3000850)] the following error is displayed:
There is a hotfix available from Microsoft to address this, see KB2171571:[http://support.microsoft.com/kb/2171571 You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain] for details.


Error code 0x80090345 launching Windows Credential Manager
== Windows 7 Performance and Time Registry settings ==


To fix this problem:
I want to share some of my configuration settings, they add a major improvement in domain login speed and allow to use samba as time server under Windows 7 Professional:


* Save the following content to a plain text file named <code>samba_8_2012_fix.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
echo 'Windows Registry Editor Version 5.00
; Win7_Samba3DomainMember
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
; Speedup settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"SlowLinkDetectEnabled"=dword:00000000
"DeleteRoamingCache"=dword:00000001
"WaitForNetwork"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001
; Can drive you nuts
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000' | tee Win7_Samba3DomainMember_jelledj.reg
unix2dos Win7_Samba3DomainMember_jelledj.reg


Windows Registry Editor Version 5.00
echo '@echo off
echo.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
echo WARNING: Do not close this window!!!
"ProtectionPolicy"=dword:00000001
echo.
c:\"Program Files\Windows Resource Kits\Tools\ntrights.exe" +r SeSystemTimePrivilege -u "Domain Users"
echo.
echo WARNING: You may now close this window!!!
echo.' | tee SeSystemTimePrivilege_jelledj.bat
unix2dos SeSystemTimePrivilege_jelledj.bat


* Log in using the local <code>Administrator</code> account.
echo '@echo off
echo.
echo WARNING: Do not close this window!!!
echo.
"C:\Program Files\Mozilla Firefox\firefox.exe" http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe
echo.
echo WARNING: You may now close this window!!!
echo.' | tee rktools_jelledj.bat
unix2dos rktools_jelledj.bat


* Double-click the file to import it to the Windows registry.
echo '@echo off
echo.
echo WARNING: Do not close this window!!!
echo.
NET USE Y: /DELETE
NET USE Y: \\server\documenten /PERSISTENT:YES
NET TIME \\server /SET /YES
echo.
echo WARNING: You may now close this window!!!
echo.' | tee /srv/storage/samba/netlogon/netlogon.bat
unix2dos /srv/storage/samba/netlogon/netlogon.bat
setfacl --recursive --modify u::rw,g::r,m:---,o:--- /srv/storage/samba/netlogon/netlogon.bat
chmod g+r /srv/storage/samba/netlogon/netlogon.bat
cat /srv/storage/samba/netlogon/netlogon.bat
su -c "cat /srv/storage/samba/netlogon/netlogon.bat" jelledj


* Reboot to take the changes effect.
--[[User:Tuxcrafter|Tuxcrafter]] 15:12, 18 January 2011 (CST)





= Windows 10 =

{{Imbox
| type = important
| text = Microsoft seems to be trying to get everybody to run Active Directory (AD), You may not be able to join a Windows 10 PC to an NT4-style domain. It has been reported that rolling back to an earlier version of Windows 10 does allow the join to occur. You should plan to upgrade to AD as soon as possible.
}}





= Windows 10 and Windows Server 2016: There Are Currently No Logon Servers Available to Service the Logon Request =

After you successfully joined Windows 10 or Windows Server 2016 to your Samba NT4 domain, logging in failed and the following error is displayed:

There are currently no logon servers available to service the logon request.

To work around this problem, configure the Samba Primary Domain Controller (PDC) to support only the SMB 1 protocol. However, Microsoft deprecated the SMB 1 protocol in Windows and will remove the protocol in a future version. Windows 10 and Windows Server 2016 Fall Creators Update 1709 and later do no longer install SMB 1 by default. For details, see [https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709 SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709]. Before you re-enable SMB 1 on Windows, the workaround described in this section will fail. For details about re-enabling SMB 1 on Windows, see your Windows documentation.

To configure the PDC to only support the SMB 1 protocol:

* Set the following parameter in the <code>[global]</code> section in the <code>smb.conf</code> file:

server max protocol = NT1

:{{Imbox
| type = note
| text = This setting prevent all your clients to use a newer SMB protocol version than SMB 1 when communicating with the PDC. Anyway, the Samba team recommends to use this workaround. Disabling newer SMB versions on the Windows 10 client instead prevent this machine communicating using newer SMB version with <u>all</u> Samba/Windows hosts.
}}

* Restart Samba.





= Using Powershell =

It has been reported by Alexandru Joni, that is possible to join Windows 10 to an NT4-style domain using Powershell:

Add a local computer to a domain using credentials
Add-Computer -ComputerName Server01 -LocalCredential Server01\Admin01 -DomainName Domain02 -Credential Domain02\Admin02 -Restart –Force





= IMPORTANT: Registry Changes That You Should Never Set! =

{{Imbox
| type = warning
| text = You must not to change the values of the <code>RequireSignOrSeal</code> or <code>RequireStrongKey</code>. Changing the settings breaks the interoperability with Windows and Samba installations.
}}

If you changed these parameters, reset the values of both keys back to <code>1</code>:

* Save the following content to a plain text file named <code>reset_RequireSignOrSeal_RequireStrongKey.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001

* Log in using the local "<code>Administrator</code> account.

* Double-click the file to import it to the Windows registry.

* Reboot to take the changes effect.





----
[[Category:NT4 Domains]]

Latest revision as of 10:26, 24 January 2020

General Information

Microsoft discontinued the official support for NT4 domains in the Windows operating systems. However, with some modifications, you are still able to use later released Windows operating systems with a Samba NT4 domain. Anyway, consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes no longer supported NT4 features. For details about migrating, see Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade).



Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain

During the join, the following error message is displayed:

The following error occurred attempting to join the domain "SA":
The specified domain either does not exist or could not be contacted.

To enable the client to join the Samba NT4 domain:

  • Save the following content to a plain text file named samba_7_2008_fix.reg using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
  • Log in using the local Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot to take the changes effect.



Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This computer to "" Failed.

During joining the machine to the NT4 domain the following error message is displayed:

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...".
The error was:

The specified domain either does not exist or could not be contacted

You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see KB2171571.




Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager

After installing the November 2014 update rollup (KB3000850) the following error is displayed:

Error code 0x80090345 launching Windows Credential Manager

To fix this problem:

  • Save the following content to a plain text file named samba_8_2012_fix.reg using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001
  • Log in using the local Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot to take the changes effect.



Windows 10



Windows 10 and Windows Server 2016: There Are Currently No Logon Servers Available to Service the Logon Request

After you successfully joined Windows 10 or Windows Server 2016 to your Samba NT4 domain, logging in failed and the following error is displayed:

There are currently no logon servers available to service the logon request.

To work around this problem, configure the Samba Primary Domain Controller (PDC) to support only the SMB 1 protocol. However, Microsoft deprecated the SMB 1 protocol in Windows and will remove the protocol in a future version. Windows 10 and Windows Server 2016 Fall Creators Update 1709 and later do no longer install SMB 1 by default. For details, see SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709. Before you re-enable SMB 1 on Windows, the workaround described in this section will fail. For details about re-enabling SMB 1 on Windows, see your Windows documentation.

To configure the PDC to only support the SMB 1 protocol:

  • Set the following parameter in the [global] section in the smb.conf file:
server max protocol = NT1
  • Restart Samba.



Using Powershell

It has been reported by Alexandru Joni, that is possible to join Windows 10 to an NT4-style domain using Powershell:

Add a local computer to a domain using credentials

   Add-Computer -ComputerName Server01 -LocalCredential Server01\Admin01 -DomainName Domain02 -Credential Domain02\Admin02 -Restart –Force



IMPORTANT: Registry Changes That You Should Never Set!

If you changed these parameters, reset the values of both keys back to 1:

  • Save the following content to a plain text file named reset_RequireSignOrSeal_RequireStrongKey.reg using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
  • Log in using the local "Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot to take the changes effect.