Required Settings for Samba NT4 Domains: Difference between revisions
Tuxcrafter (talk | contribs) (share some of my configuration settings, they add a major improvement in domain login speed and allow to use samba as time server) |
(Added more version info (especially Samba 3.2.X) and NOTES about Samba 3.3.2 - 3.3.4) |
||
Line 3: | Line 3: | ||
Support for Windows 7 and Windows 2008 using Samba Domain Controllers has been added to the following versions: |
Support for Windows 7 and Windows 2008 using Samba Domain Controllers has been added to the following versions: |
||
* Samba 3.4 |
* Samba 3.4 or later |
||
* Samba 3.3 |
* Samba 3.3.5 or later |
||
* Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES) |
|||
* Samba 3.2.12 or later |
|||
We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0 |
We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions. |
||
If you use older versions, Windows 7 box still can join the Samba Domain but after rebooting, you will receive an error message: "the trust relation between this workstation and the primary domain failed" and no one can logon as any domain user. |
|||
--[[User:Monyo|Monyo]] 12:42, 6 April 2011 (CDT) |
|||
== Windows 7 Registry settings == |
== Windows 7 Registry settings == |
||
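Review bot: The new bullet "Samba 3.2.12 or later" overlaps the 3.3 bullets: read literally it covers 3.3.0 through 3.3.4, while the same list gives 3.3.5 as the minimum for that series and marks 3.3.2 to 3.3.4 as "(with NOTES)". Scope it to its series, for example "Samba 3.2.12 or later in the 3.2 series", and say explicitly whether 3.3.0 and 3.3.1 are unsupported. The "(with NOTES)" bullet should also name the NOTES section it refers to, since that section is added further down the page.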
Line 41: | Line 46: | ||
DWORD RequireSignOrSeal = 1 |
DWORD RequireSignOrSeal = 1 |
||
DWORD RequireStrongKey = 1 |
DWORD RequireStrongKey = 1 |
||
--[[User:stwestbrook, Gd|Gd]] 15:47, 29 November 2009 (EDT) |
--[[User:stwestbrook, Gd|Gd]] 15:47, 29 November 2009 (EDT) |
||
== NOTES with Samba 3.3.2, 3.3.3 and 3.3.4 == |
|||
'''Only for these versions''', you have to change the NETLOGON parameters. |
|||
HKLM\System\CCS\Services\Netlogon\Parameters |
|||
DWORD RequireSignOrSeal = 0 |
|||
DWORD RequireStrongKey = 0 |
|||
For other versions, you must not change them. |
|||
--[[User:Monyo|Monyo]] 12:42, 6 April 2011 (CDT) |
|||
== Windows 7 |
== Windows 7 Performance and Time Registry settings == |
||
I want to share some of my configuration settings, they add a major improvement in domain login speed and allow to use samba as time server under Windows 7 Professional: |
I want to share some of my configuration settings, they add a major improvement in domain login speed and allow to use samba as time server under Windows 7 Professional: |
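Review bot: The added NOTES section sets RequireSignOrSeal and RequireStrongKey to 0 directly below the existing lines that give both as 1, and it never says when to undo the change. Add a sentence that both values go back to 1 once the domain controller is upgraded past Samba 3.3.4, and replace "For other versions, you must not change them" with the explicit values to keep (both 1), so a reader who lands on this section alone does not leave signing/sealing and strong-key enforcement switched off.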
Revision as of 17:42, 6 April 2011
Samba versions supporting Windows 7 Domain Logon
Support for Windows 7 and Windows 2008 using Samba Domain Controllers has been added to the following versions:
- Samba 3.4 or later
- Samba 3.3.5 or later
- Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES)
- Samba 3.2.12 or later
We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions.
If you use older versions, a Windows 7 box can still join the Samba Domain, but after rebooting you will receive the error message "the trust relation between this workstation and the primary domain failed" and no one can log on as any domain user.
--Monyo 12:42, 6 April 2011 (CDT)
Windows 7 Registry settings
There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
Samba also ships with a registry patchfile that users can apply directly. The patchfile can be found in recent Samba sourcecode: $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg or in Samba Bugzilla here: https://bugzilla.samba.org/attachment.cgi?id=4988&action=view
Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.
You will receive one warning about DNS domain name configuration after the join has succeeded:
"Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "MYDOM". The error was: The specified domain either does not exist or could not be contacted"
This warning can be ignored or silenced by setting other registry keys.
Update: A hotfix is available from Microsoft to address this; see the Knowledge Base article at http://support.microsoft.com/kb/2171571 for details.
Do not edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.
If you have changed the NETLOGON Parameters, make sure to set them back to '1' as shown below:
HKLM\System\CCS\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 1
DWORD RequireStrongKey = 1
--Gd 15:47, 29 November 2009 (EDT)
NOTES with Samba 3.3.2, 3.3.3 and 3.3.4
Only for these versions, you have to change the NETLOGON parameters.
HKLM\System\CCS\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0
For other versions, you must not change them.
--Monyo 12:42, 6 April 2011 (CDT)
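A check for the client-side values described in the two sections above, as an added example that is not part of the wiki page or of Samba: it reads the four registry values on the Windows 7 client and compares them with what this page prescribes for the given Samba version. The script name and the -SambaVersion parameter are assumptions; CCS is written out as CurrentControlSet.

```powershell
# Added example, not from the wiki page. Run on the Windows 7 client, for example:
#   .\Check-SambaClientRegistry.ps1 -SambaVersion '3.4.0'   (script name is hypothetical)
param([Parameter(Mandatory = $true)][version]$SambaVersion)

# Per the page, only Samba 3.3.2, 3.3.3 and 3.3.4 need the NETLOGON values at 0;
# with every other version they stay at 1.
$isException = ($SambaVersion -ge [version]'3.3.2') -and ($SambaVersion -le [version]'3.3.4')
$netlogonValue = 1
if ($isException) { $netlogonValue = 0 }

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$expected = @(
    @{ Service = 'LanmanWorkstation'; Name = 'DomainCompatibilityMode';   Value = 1 },
    @{ Service = 'LanmanWorkstation'; Name = 'DNSNameResolutionRequired'; Value = 0 },
    @{ Service = 'Netlogon';          Name = 'RequireSignOrSeal';         Value = $netlogonValue },
    @{ Service = 'Netlogon';          Name = 'RequireStrongKey';          Value = $netlogonValue }
)

# Read each value; a value that does not exist is reported with an empty Actual column.
$report = foreach ($e in $expected) {
    $path = Join-Path $services (Join-Path $e.Service 'Parameters')
    $item = Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($item) { $actual = $item.($e.Name) }
    New-Object PSObject -Property @{
        Name     = $e.Name
        Expected = $e.Value
        Actual   = $actual
        Ok       = ($actual -ne $null) -and ($actual -eq $e.Value)
        Path     = $path
    }
}
$report | Select-Object Name, Expected, Actual, Ok, Path | Format-Table -AutoSize

if ($isException) {
    Write-Warning 'RequireSignOrSeal and RequireStrongKey are 0 only for Samba 3.3.2 to 3.3.4; set both back to 1 after the server is upgraded.'
}
# A non-zero exit code lets a deployment script detect a client that needs fixing.
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```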
Windows 7 Performance and Time Registry settings
I want to share some of my configuration settings; they add a major improvement in domain login speed and allow Samba to be used as a time server under Windows 7 Professional:
# Registry file for the Windows 7 client: join settings plus login speed-ups.
# Note: "EnableLUA"=dword:00000000 turns off User Account Control (UAC) on the client.
# unix2dos converts the file to CRLF line endings.
echo 'Windows Registry Editor Version 5.00

; Win7_Samba3DomainMember
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

; Speedup settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"SlowLinkDetectEnabled"=dword:00000000
"DeleteRoamingCache"=dword:00000001
"WaitForNetwork"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001

; Can drive you nuts
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000' | tee Win7_Samba3DomainMember_jelledj.reg
unix2dos Win7_Samba3DomainMember_jelledj.reg

# Batch file that grants SeSystemTimePrivilege (change the system time) to "Domain Users"
# using ntrights.exe from the Windows Resource Kit Tools.
echo '@echo off
echo.
echo WARNING: Do not close this window!!!
echo.
c:\"Program Files\Windows Resource Kits\Tools\ntrights.exe" +r SeSystemTimePrivilege -u "Domain Users"
echo.
echo WARNING: You may now close this window!!!
echo.' | tee SeSystemTimePrivilege_jelledj.bat
unix2dos SeSystemTimePrivilege_jelledj.bat

# Batch file that opens the Resource Kit Tools download (rktools.exe) in Firefox.
echo '@echo off
echo.
echo WARNING: Do not close this window!!!
echo.
"C:\Program Files\Mozilla Firefox\firefox.exe" http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe
echo.
echo WARNING: You may now close this window!!!
echo.' | tee rktools_jelledj.bat
unix2dos rktools_jelledj.bat

# Logon script: maps Y: to \\server\documenten and sets the client clock from the server.
echo '@echo off
echo.
echo WARNING: Do not close this window!!!
echo.
NET USE Y: /DELETE
NET USE Y: \\server\documenten /PERSISTENT:YES
NET TIME \\server /SET /YES
echo.
echo WARNING: You may now close this window!!!
echo.' | tee /srv/storage/samba/netlogon/netlogon.bat
# Convert to CRLF, set the permissions, and check that the file is readable as user jelledj.
unix2dos /srv/storage/samba/netlogon/netlogon.bat
setfacl --recursive --modify u::rw,g::r,m:---,o:--- /srv/storage/samba/netlogon/netlogon.bat
chmod g+r /srv/storage/samba/netlogon/netlogon.bat
cat /srv/storage/samba/netlogon/netlogon.bat
su -c "cat /srv/storage/samba/netlogon/netlogon.bat" jelledj
--Tuxcrafter 15:12, 18 January 2011 (CST)