Difference between revisions of "Required Settings for Samba NT4 Domains"

m (Added powershell join method)
 
(32 intermediate revisions by 5 users not shown)
Old revision (text removed):

== Samba versions supporting Windows 7 Domain Logon ==

Support for Windows 7 and Windows Server 2008 R2 using Samba Domain Controllers has been added to the following versions:

* Samba 3.4 or later
* Samba 3.3.5 or later
* Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES)
* Samba 3.2.12 or later

We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions. Also tested Windows Server 2008 R2 Enterprise with Samba 3.5.6.

If you use older versions, a Windows 7 box can still join the Samba Domain, but after rebooting you will receive an error message: "the trust relation between this workstation and the primary domain failed" and no one can log on as any domain user.

-- [[User:Monyo|Monyo]] 16:22, 5 June 2011 (UTC)

== Windows 7 Registry settings ==

There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:

 HKLM\System\CCS\Services\LanmanWorkstation\Parameters
     DWORD  DomainCompatibilityMode = 1
     DWORD  DNSNameResolutionRequired = 0

Samba also ships with a registry patchfile that users can apply directly. The patchfile can be found in recent Samba source code: $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg or in Samba Bugzilla here: https://bugzilla.samba.org/attachment.cgi?id=4988&action=view

Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.

Do '''not''' edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.

If you have changed the NETLOGON Parameters, make sure to turn them back to '1' as shown below:

 HKLM\System\CCS\Services\Netlogon\Parameters
     DWORD  RequireSignOrSeal = 1
     DWORD  RequireStrongKey = 1

--[[User:stwestbrook, Gd|Gd]] 15:47, 29 November 2009 (EDT)

'''Special Warning:''' If, as is likely the case, you are using the Windows Operating System to view this page and double-click the registry value (DNSNameResolutionRequired or DomainCompatibilityMode) to CnP into Windows' regedit, take special care when pasting the clipboard into the new value created in regedit to remove the space at the end of the value name that is likely included by double-clicking the registry value name.

''Sidebar for the purpose of impressing the importance of this Special Warning'': Embarrassingly, it took me 8 hours today (1 June 2012) to troubleshoot a problem where DNSNameResolutionRequired from this Wiki was pasted as "DNSNameResolutionRequired " into regedit. Obviously, no one could join the domain, and no one thought twice about the fact that DNSNameResolutionRequired ''which looked right was actually very wrong''. When it comes to Windows 7 joining a Samba PDC, as the Internet echoes loudly, have these registry entries set and '''make sure these registry values are named correctly'''.

--[[User:s1037989|s1037989]] 16:25, 4 June 2012 (CDT)

== NOTES: with Samba 3.3.2, 3.3.3 and 3.3.4 ==

'''Only for these versions''', you have to change the NETLOGON parameters.

 HKLM\System\CCS\Services\Netlogon\Parameters
     DWORD RequireSignOrSeal = 0
     DWORD RequireStrongKey = 0

For other versions, you must not change them.

--[[User:Monyo|Monyo]] 12:42, 6 April 2011 (CDT)

The changes of RequireSignOrSeal and RequireStrongKey are '''NOT''' recommended by the Samba Team. They will break interoperability with other Windows and Samba versions!

--[[User:bjacke|bjacke]] 17 Jul 2011 (CEST)

== NOTES: Error message during joining to the Domain ==

You will receive one warning about DNS domain name configuration after the join has succeeded:

 "Changing the Primary Domain DNS name of this computer to "" failed.
 The name will remain "MYDOM".  The error was:
 
 The specified domain either does not exist or could not be contacted"

This warning can be ignored or silenced by setting other registry keys.

There is a hotfix available from Microsoft to address this, see KB2171571: [http://support.microsoft.com/kb/2171571 You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain] for details.

== Windows 7 Performance and Time Registry settings ==

I want to share some of my configuration settings; they add a major improvement in domain login speed and allow using Samba as a time server under Windows 7 Professional:

 echo 'Windows Registry Editor Version 5.00
 
 ; Win7_Samba3DomainMember
 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
 "DNSNameResolutionRequired"=dword:00000000
 "DomainCompatibilityMode"=dword:00000001
 
 ; Speedup settings
 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
 "SlowLinkDetectEnabled"=dword:00000000
 "DeleteRoamingCache"=dword:00000001
 "WaitForNetwork"=dword:00000000
 "CompatibleRUPSecurity"=dword:00000001
 
 ; Can drive you nuts
 ; Note: EnableLUA=0 turns off User Account Control (UAC) for the whole machine
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
 "EnableLUA"=dword:00000000' | tee Win7_Samba3DomainMember_jelledj.reg
 
 unix2dos Win7_Samba3DomainMember_jelledj.reg
 
 echo '@echo off
 echo.
 echo WARNING: Do not close this window!!!
 echo.
 "C:\Program Files\Windows Resource Kits\Tools\ntrights.exe" +r SeSystemTimePrivilege -u "Domain Users"
 echo.
 echo WARNING: You may now close this window!!!
 echo.' | tee SeSystemTimePrivilege_jelledj.bat
 
 unix2dos SeSystemTimePrivilege_jelledj.bat
 
 echo '@echo off
 echo.
 echo WARNING: Do not close this window!!!
 echo.
 "C:\Program Files\Mozilla Firefox\firefox.exe" http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe
 echo.
 echo WARNING: You may now close this window!!!
 echo.' | tee rktools_jelledj.bat
 
 unix2dos rktools_jelledj.bat
 
 echo '@echo off
 echo.
 echo WARNING: Do not close this window!!!
 echo.
 NET USE Y: /DELETE
 NET USE Y: \\server\documenten /PERSISTENT:YES
 NET TIME \\server /SET /YES
 echo.
 echo WARNING: You may now close this window!!!
 echo.' | tee /srv/storage/samba/netlogon/netlogon.bat
 
 unix2dos /srv/storage/samba/netlogon/netlogon.bat
 
 setfacl --recursive --modify u::rw,g::r,m:---,o:--- /srv/storage/samba/netlogon/netlogon.bat
 chmod g+r /srv/storage/samba/netlogon/netlogon.bat
 
 cat /srv/storage/samba/netlogon/netlogon.bat
 su -c "cat /srv/storage/samba/netlogon/netlogon.bat" jelledj

--[[User:Tuxcrafter|Tuxcrafter]] 15:12, 18 January 2011 (CST)

New revision (text added):

= General Information =

Microsoft discontinued the official support for NT4 domains in the Windows operating systems. However, with some modifications, you are still able to use later Windows operating systems with a Samba NT4 domain. In any case, consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes no longer supported NT4 features. For details about migrating, see [[Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)|Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)]].

{{Imbox
| type = important
| text = If you are running Samba Active Directory (AD), do not set any of the modifications mentioned on this page.
}}

= Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain =

During the join, the following error message is displayed:

 The following error occurred attempting to join the domain "SA":
 The specified domain either does not exist or could not be contacted.

To enable the client to join the Samba NT4 domain:

* Save the following content to a plain text file named <code>samba_7_2008_fix.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):

 Windows Registry Editor Version 5.00
 
 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
 "DomainCompatibilityMode"=dword:00000001
 "DNSNameResolutionRequired"=dword:00000000

* Log in using the local <code>Administrator</code> account.
* Double-click the file to import it into the Windows registry.
* Reboot for the changes to take effect.

= Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This Computer to "" Failed. =

While joining the machine to the NT4 domain, the following error message is displayed:

 Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...".
 The error was:
 
 The specified domain either does not exist or could not be contacted

You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see [http://support.microsoft.com/kb/2171571 KB2171571].

= Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager =

After installing the [https://support.microsoft.com/en-us/kb/3000850 November 2014 update rollup (KB3000850)], the following error is displayed:

 Error code 0x80090345 launching Windows Credential Manager

To fix this problem:

* Save the following content to a plain text file named <code>samba_8_2012_fix.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):

 Windows Registry Editor Version 5.00
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
 "ProtectionPolicy"=dword:00000001

* Log in using the local <code>Administrator</code> account.
* Double-click the file to import it into the Windows registry.
* Reboot for the changes to take effect.

= Windows 10 =

{{Imbox
| type = important
| text = Microsoft seems to be trying to get everybody to run Active Directory (AD). You may not be able to join a Windows 10 PC to an NT4-style domain. It has been reported that rolling back to an earlier version of Windows 10 does allow the join to occur. You should plan to upgrade to AD as soon as possible.
}}

= Windows 10 and Windows Server 2016: There Are Currently No Logon Servers Available to Service the Logon Request =

After you successfully joined Windows 10 or Windows Server 2016 to your Samba NT4 domain, logging in fails and the following error is displayed:

 There are currently no logon servers available to service the logon request.

To work around this problem, configure the Samba Primary Domain Controller (PDC) to support only the SMB 1 protocol. However, Microsoft deprecated the SMB 1 protocol in Windows and will remove the protocol in a future version. Windows 10 and Windows Server 2016 Fall Creators Update 1709 and later no longer install SMB 1 by default. For details, see [https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709 SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709]. Until you re-enable SMB 1 on Windows, the workaround described in this section will fail. For details about re-enabling SMB 1 on Windows, see your Windows documentation.

To configure the PDC to only support the SMB 1 protocol:

* Set the following parameter in the <code>[global]</code> section in the <code>smb.conf</code> file:

 server max protocol = NT1

:{{Imbox
| type = note
| text = This setting prevents all your clients from using a newer SMB protocol version than SMB 1 when communicating with the PDC. Nevertheless, the Samba team recommends this workaround: disabling newer SMB versions on the Windows 10 client instead prevents that machine from communicating using newer SMB versions with <u>all</u> Samba/Windows hosts.
}}

* Restart Samba.

= Using PowerShell =

Alexandru Joni reported that it is possible to join Windows 10 to an NT4-style domain using PowerShell:

Add a local computer to a domain using credentials

 Add-Computer -ComputerName Server01 -LocalCredential Server01\Admin01 -DomainName Domain02 -Credential Domain02\Admin02 -Restart -Force

= IMPORTANT: Registry Changes That You Should Never Set! =

{{Imbox
| type = warning
| text = You must not change the values of <code>RequireSignOrSeal</code> or <code>RequireStrongKey</code>. Changing these settings breaks interoperability with Windows and Samba installations.
}}

If you changed these parameters, reset the values of both keys back to <code>1</code>:

* Save the following content to a plain text file named <code>reset_RequireSignOrSeal_RequireStrongKey.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):

 Windows Registry Editor Version 5.00
 
 ; The Netlogon parameters live under CurrentControlSet (the "CCS" shorthand is not a real key)
 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters]
 "RequireSignOrSeal"=dword:00000001
 "RequireStrongKey"=dword:00000001

* Log in using the local <code>Administrator</code> account.
* Double-click the file to import it into the Windows registry.
* Reboot for the changes to take effect.
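The following is an added example, not part of the Samba wiki or the Samba project: a read-only PowerShell audit of the four registry values this page discusses, the two LanManWorkstation values the join needs and the two Netlogon values that must stay at 1. It also flags value names that only match after trimming whitespace, the copy-and-paste trap this page warns about, which regedit displays as if it were correct. It assumes an elevated PowerShell session on the Windows client.

```powershell
# Added example (not from the Samba wiki): audit the registry values this page
# discusses on a Windows client. Read-only; it changes nothing.
$checks = @(
    # Values the join needs (this page's samba_7_2008_fix.reg sets them).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'DomainCompatibilityMode';   Expected = 1; MustExist = $true },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'DNSNameResolutionRequired'; Expected = 0; MustExist = $true },
    # Values this page says must stay at their default of 1. An absent value
    # means the default applies, so absence is not reported as a problem.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireSignOrSeal';         Expected = 1; MustExist = $false },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireStrongKey';          Expected = 1; MustExist = $false }
)

$problems = 0
foreach ($c in $checks) {
    $key = Get-Item -Path $c.Path -ErrorAction SilentlyContinue
    if (-not $key) {
        Write-Warning "Key not found: $($c.Path)"
        $problems++
        continue
    }

    # Names that only look right: identical after trimming whitespace, e.g.
    # "DNSNameResolutionRequired " pasted with a trailing space. Windows looks
    # up the exact name, so such a value is silently ignored.
    foreach ($n in $key.GetValueNames()) {
        if ($n -ne $c.Name -and $n.Trim() -eq $c.Name) {
            $msg = "{0}: value name '{1}' ({2} chars) has stray whitespace; rename it to '{3}'" -f $c.Path, $n, $n.Length, $c.Name
            Write-Warning $msg
            $problems++
        }
    }

    $actual = $key.GetValue($c.Name)   # $null when the exact name is absent
    if ($null -eq $actual) {
        if ($c.MustExist) {
            Write-Warning "$($c.Path)\$($c.Name) is missing (expected $($c.Expected))"
            $problems++
        }
    } elseif ($actual -ne $c.Expected) {
        Write-Warning "$($c.Path)\$($c.Name) = $actual (expected $($c.Expected))"
        $problems++
    }
}

if ($problems -eq 0) { 'OK: registry matches the settings described on this page.' }
else { "Found $problems problem(s); fix them, then reboot or restart the LanmanWorkstation service." }
```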

----
[[Category:NT4 Domains]]

Latest revision as of 10:26, 24 January 2020
