Difference between revisions of "Required Settings for Samba NT4 Domains"

(IMPORTANT: Registry changes that never should be done!: fix RequireStrongKey value)
(Roll back to the 30 July 2013, 22:17 version. The later changes are not correct (e. g. it's not just related to s3) or have nothing to do with this topic (W8 and dots in domain name))
Line 1: Line 1:
'''Samba usually doesn't require any changes on your Windows OS.''' So please read very carefully on the sections below why and when you should do them! If your situation or problem isn't mentioned here, then it's highly recommented to <u>NOT</u> do any registry changes!'''
+
= When do I need Registry changes? =
  
'''This does not apply if Windows is joining to AD (Active Directory) style domain (ie. Samba 4).'''
+
'''Samba usually doesn't require any changes on your Windows OS.
  
== Joining Windows to classic DC ==
+
So please read very carefully on the sections below why and when you should do them!
Joining '''Windows 7''', '''Windows Server 2008''', '''Windows Server 2008 R2''', '''Windows Server 2012''' or '''Windows 8''' to the ''classical windows domain'' (aka NT-4 style domain) requires registry change in those systems. This is the only situation, when domain controller is Samba 3 (ie. before Samba 4) which means Samba is in role PDC or BDC (Primary Domain Controller, Backup Domain Controller). Samba 3 is not able to create AD (Active Directory) while Samba 4 creates AD by default (which means to provide Kerberos/LDAP services).
 
  
If you try to join any of the mentioned OS you'll encounter an error:
+
If your situation or problem isn't mentioned here, then it's highly recommented to <u>NOT</u> do any registry changes!'''
  
  The following error occurred attempting to join the domain „.....“:
+
 
 +
 
 +
 
 +
= Joining Windows7/8 or Windows Server 2008r2/2012 to an Samba NT4-style domain =
 +
 
 +
'''This changes are only necessary if you want to join a Windows7/8 or Windows Server 2008r2/2012 machine to a <u>Samba NT4-style domain</u>!
 +
 
 +
It's not required and not recommended if you run Samba as AD DC!'''
 +
 
 +
If you try to join any of the mentioned OS you'll encounter an error
 +
 
 +
  The following error occourred attempting to join the domain „.....“:
 
   
 
   
 
  The specified domain either does not exist or could not be contacted.
 
  The specified domain either does not exist or could not be contacted.
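Review bot: the bold markup in the added intro and in the added "Joining Windows7/8 ..." section is unbalanced. The `'''` opened on "Samba usually doesn't require any changes on your Windows OS." is only closed three paragraphs later after "do any registry changes!", and the same happens between "This changes are only necessary" and "Samba as AD DC!". Wiki bold is resolved line by line, so open and close `'''` on each line that should be bold. The added lines also need a spelling pass: "occourred" (the removed line had "occurred"), "recommented", "This changes", "an Samba".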
Line 14: Line 24:
 
The following registry change work with any Samba version that isn't already [[Samba_Release_Planning|discontinued]]:
 
The following registry change work with any Samba version that isn't already [[Samba_Release_Planning|discontinued]]:
  
Windows Registry Editor Version 5.00
 
 
 
  [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
 
  [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
 
   
 
   
  "DomainCompatibilityMode"=dword:00000001
+
  DWORD DomainCompatibilityMode 1
  "DNSNameResolutionRequired"=dword:00000000
+
  DWORD DNSNameResolutionRequired 0
  
 
Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.
 
Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.
  
After the next reboot you can join the machine to your domain.
+
After the next reboot you can join the machine to your domain, but you'll still encounter an error:
 
 
=== Possible problem with joining ===
 
Sometimes you may still encounter an error when joining classical domain:
 
  
 
  Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
 
  Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
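Review bot: the replacement lines `DWORD DomainCompatibilityMode 1` and `DWORD DNSNameResolutionRequired 0`, together with the dropped `Windows Registry Editor Version 5.00` header, are no longer .reg syntax, yet the unchanged paragraph right below them still tells the reader to save "the above" as sambafix.reg and import it by double-clicking. Either keep the `"Name"=dword:0000000x` form with its header, or reword that paragraph so it only describes manual entry in regedit.exe. The new sentence "but you'll still encounter an error:" also states as certain what the removed text gave as "Sometimes"; say which one is meant.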
Line 35: Line 40:
 
But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: [http://support.microsoft.com/kb/2171571 KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain].
 
But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: [http://support.microsoft.com/kb/2171571 KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain].
  
== Windows 8 and classic domain (NT-4 style) with a dot in its name ==
 
There is a problem with Windows 8, where Microsoft raises new domain name policy. When a domain contain a dot (".") in its name (ie. ''example.com''), Windows 8 treat this name as a Active Directory name and is trying to contact Kerberos/LDAP server even there is none. So this is impossible to join this domain and there is no known fix or workaround yet.
 
  
Links:
 
* [https://www.multifake.net/2013/01/windows-8-not-joining-certain-samba-domains/ Windows 8 joining Samba domains, and which ones it just fails to join (those with dots in their names)]
 
* [https://lists.samba.org/archive/samba/2013-June/174065.html Fix the Issue Windows 8 cannot join if a example.com domain]
 
  
== IMPORTANT: Registry changes that never should be done! ==
+
 
 +
 
 +
= IMPORTANT: Registry changes that never should be done! =
 +
 
 
There are many pages on the internet, which suggest to change the values of <tt>RequireSignOrSeal</tt> and <tt>RequireStrongKey</tt>. '''This is <u>NOT</u> recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!'''
 
There are many pages on the internet, which suggest to change the values of <tt>RequireSignOrSeal</tt> and <tt>RequireStrongKey</tt>. '''This is <u>NOT</u> recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!'''
  
 
If you have already changed these parameters, turn them back to <tt>1</tt> as shown below and reboot:
 
If you have already changed these parameters, turn them back to <tt>1</tt> as shown below and reboot:
  
Windows Registry Editor Version 5.00
 
 
 
  [HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]
 
  [HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]
 
   
 
   
  "RequireSignOrSeal"=dword:00000001
+
  DWORD RequireSignOrSeal = 1
  "RequireStrongKey"=dword:00000001
+
  DWORD RequireStrongKey = 1
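Review bot: the Netlogon values are now written `DWORD RequireSignOrSeal = 1`, with an equals sign, while the LanManWorkstation values earlier in this same revision read `DWORD DomainCompatibilityMode 1` without one; pick one notation for the whole page. The key is also given as `System\CCS\Services\Netlogon\Parameters`, which cannot be typed or imported as written; spell out CurrentControlSet as the LanManWorkstation path does.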

Revision as of 17:16, 18 May 2014

When do I need Registry changes?

Samba usually doesn't require any changes on your Windows OS.

So please read the sections below very carefully to see why and when you should make them!

If your situation or problem isn't mentioned here, then it's highly recommended to NOT do any registry changes!



Joining Windows7/8 or Windows Server 2008r2/2012 to a Samba NT4-style domain

These changes are only necessary if you want to join a Windows7/8 or Windows Server 2008r2/2012 machine to a Samba NT4-style domain!

It's not required and not recommended if you run Samba as AD DC!

If you try to join any of the mentioned operating systems, you'll encounter an error:

The following error occurred attempting to join the domain „.....“:

The specified domain either does not exist or could not be contacted.

The following registry change works with any Samba version that isn't already discontinued:

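Windows Registry Editor Version 5.00

; Needed only to join a Samba NT4-style domain
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000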

Make the changes manually in regedit.exe, or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it sambafix.reg. Make sure that the file name ends in .reg. Then you can import it directly into your registry by double-clicking, if you have sufficient permissions.

After the next reboot you can join the machine to your domain, but you'll still encounter an error:

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
The error was:

The specified domain either does not exist or could not be contacted

But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix published by Microsoft: KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain.



IMPORTANT: Registry changes that never should be done!

Many pages on the internet suggest changing the values of RequireSignOrSeal and RequireStrongKey. This is NOT recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!

If you have already changed these parameters, turn them back to 1 as shown below and reboot:

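Windows Registry Editor Version 5.00

; Restores both Netlogon values to 1
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001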
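
A read-only check for the four values this page names, as an added PowerShell example that is not part of the wiki page or of Samba. The function names, the `-Nt4Member` switch and the status labels are assumptions; a Netlogon value that is absent is reported as `NotSet`, not as a finding.

```powershell
# Added example: audits the registry values discussed on this page. Changes nothing.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SambaNt4Registry {
    # -Nt4Member: the host is meant to join a Samba NT4-style domain (assumed switch).
    param([switch]$Nt4Member)

    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'

    $rules = @(
        @{ Path = $netlogon; Name = 'RequireSignOrSeal';         Want = 1; Always = $true  }
        @{ Path = $netlogon; Name = 'RequireStrongKey';          Want = 1; Always = $true  }
        @{ Path = $lanman;   Name = 'DomainCompatibilityMode';   Want = 1; Always = $false }
        @{ Path = $lanman;   Name = 'DNSNameResolutionRequired'; Want = 0; Always = $false }
    )

    foreach ($r in $rules) {
        $actual = Get-RegDword -Path $r.Path -Name $r.Name
        if ($r.Always) {
            # Netlogon values: only an explicit value other than 1 must be reverted.
            $status = if ($null -eq $actual) { 'NotSet' }
                      elseif ($actual -eq $r.Want) { 'OK' }
                      else { 'RevertTo1' }
        } elseif ($Nt4Member) {
            # NT4-style member: both LanManWorkstation values must be present.
            $status = if ($actual -eq $r.Want) { 'OK' } else { 'MissingForNt4Join' }
        } else {
            # Any other host: the page advises against making these changes at all.
            $status = if ($null -eq $actual) { 'OK' } else { 'UnneededChange' }
        }
        [pscustomobject]@{ Name = $r.Name; Actual = $actual; Expected = $r.Want; Status = $status }
    }
}

Test-SambaNt4Registry -Nt4Member | Format-Table -AutoSize
```

Run it without `-Nt4Member` on hosts that are not joined to a Samba NT4-style domain to list leftover LanManWorkstation changes.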