Required Settings for Samba NT4 Domains: Difference between revisions

From SambaWiki
m (Remove information about AD, because this page is about NT4 domains only)
m (/* Added powershell join method)
 
(18 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= General Information =
= Introduction =


Microsoft discontinued the official support for NT4 domains in the Windows operating systems. However, with some modifications, you are still able to use later released Windows operating systems with a Samba NT4 domain. Anyway, consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes no longer supported NT4 features. For details about migrating, see [[Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)|Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)]].
'''Samba usually doesn't require any changes on your Windows OS!'''


{{Imbox
Please read very carefully, why and when you should do them: The changes mentioned on this page are only necessary if you want to join a Windows7 and later or Server 2008 and later to a <u>Samba NT4-style domain</u>. If this isn't your situation, then it's highly recommented <u>NOT</u> do do any registry changes! '''It's not required and not recommended if you run Samba as an AD DC!'''
| type = important
| text = If you are running Samba Active Directory (AD), do not set any of the modifications mentioned on this page.
}}




Line 9: Line 12:




= Joining Windows to a Samba NT4-style domain =
= Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain =


During the join, the following error message is displayed:
If you try to join any of the above mentioned OS you'll encounter an error


The following error occourred attempting to join the domain „.....“:
The following error occurred attempting to join the domain "SA":
The specified domain either does not exist or could not be contacted.
The specified domain either does not exist or could not be contacted.


To enable the client to join the Samba NT4 domain:
The following registry change work with any Samba version that isn't already [[Samba_Release_Planning|discontinued]]:

* Save the following content to a plain text file named <code>samba_7_2008_fix.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
"DNSNameResolutionRequired"=dword:00000000


* Log in using the local <code>Administrator</code> account.
Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.


* Double-click the file to import it to the Windows registry.
After the next reboot you can join the machine to your domain, but you may still encounter an error:


* Reboot to take the changes effect.
Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".





= Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This computer to "" Failed. =

During joining the machine to the NT4 domain the following error message is displayed:

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...".
The error was:
The error was:
The specified domain either does not exist or could not be contacted
The specified domain either does not exist or could not be contacted


But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: [http://support.microsoft.com/kb/2171571 KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain].
You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see [http://support.microsoft.com/kb/2171571 KB2171571].
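Review bot: The new step "Reboot to take the changes effect." in the samba_7_2008_fix.reg procedure is ungrammatical; "Reboot for the changes to take effect." reads correctly, and the same sentence recurs in the later procedures. The rewritten lead-in ("To enable the client to join the Samba NT4 domain:") also drops the old revision's statement that the registry change works with any Samba version that is not discontinued; if that still holds, it is worth keeping. The new section heading mixes title case with a lowercase "computer".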




Line 41: Line 54:




= Windows 8.1: Encountering Error code 0x80090345 launching Windows Credential Manager =


= Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager =
If you are joined to a samba NT4-style domain then the following registry change should work for you see Workaround section in [https://support.microsoft.com/en-us/kb/3000850 KB3000850] for more details

After installing the [https://support.microsoft.com/en-us/kb/3000850 November 2014 update rollup (KB3000850)] the following error is displayed:

Error code 0x80090345 launching Windows Credential Manager

To fix this problem:

* Save the following content to a plain text file named <code>samba_8_2012_fix.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
Line 50: Line 70:
"ProtectionPolicy"=dword:00000001
"ProtectionPolicy"=dword:00000001


* Log in using the local <code>Administrator</code> account.
you will need to reboot after making the above registry change.


* Double-click the file to import it to the Windows registry.


* Reboot to take the changes effect.






= Windows 10: „No logon servers available“=


If you have successfully joined Windows 10 to your Samba NT4 domain and try to login, you may encounter the error „No logon servers available“. To workaround, set in your PDCs smb.conf:


= Windows 10 =
max protocol = NT1
# Be aware, that this setting prevent your clients to use
# newer SMB protocol versions, than SMB1 with this server!


{{Imbox
After you've restarted Samba, you will be able to login with a domain account on Windows 10.
| type = important
| text = Microsoft seems to be trying to get everybody to run Active Directory (AD), You may not be able to join a Windows 10 PC to an NT4-style domain. It has been reported that rolling back to an earlier version of Windows 10 does allow the join to occur. You should plan to upgrade to AD as soon as possible.
}}
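Review bot: The new "Windows 10" Imbox says that rolling back to "an earlier version of Windows 10" allows the join, but does not name which versions fail and which work, so a reader cannot act on it; state the versions or link the report. The sentence "(AD), You may not be able" is also a comma splice and should be split into two sentences.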




Line 70: Line 91:




= Windows 10 and Windows Server 2016: There Are Currently No Logon Servers Available to Service the Logon Request =
= IMPORTANT: Registry changes that should never be done! =


After you successfully joined Windows 10 or Windows Server 2016 to your Samba NT4 domain, logging in failed and the following error is displayed:
There are many pages on the internet, which suggest to change the values of <tt>RequireSignOrSeal</tt> and <tt>RequireStrongKey</tt>. '''This is <u>NOT</u> recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!'''


There are currently no logon servers available to service the logon request.
If you have already changed these parameters, turn them back to <tt>1</tt> as shown below and reboot:

To work around this problem, configure the Samba Primary Domain Controller (PDC) to support only the SMB 1 protocol. However, Microsoft deprecated the SMB 1 protocol in Windows and will remove the protocol in a future version. Windows 10 and Windows Server 2016 Fall Creators Update 1709 and later do no longer install SMB 1 by default. For details, see [https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709 SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709]. Before you re-enable SMB 1 on Windows, the workaround described in this section will fail. For details about re-enabling SMB 1 on Windows, see your Windows documentation.

To configure the PDC to only support the SMB 1 protocol:

* Set the following parameter in the <code>[global]</code> section in the <code>smb.conf</code> file:

server max protocol = NT1

:{{Imbox
| type = note
| text = This setting prevent all your clients to use a newer SMB protocol version than SMB 1 when communicating with the PDC. Anyway, the Samba team recommends to use this workaround. Disabling newer SMB versions on the Windows 10 client instead prevent this machine communicating using newer SMB version with <u>all</u> Samba/Windows hosts.
}}

* Restart Samba.





= Using Powershell =

It has been reported by Alexandru Joni, that is possible to join Windows 10 to an NT4-style domain using Powershell:

Add a local computer to a domain using credentials
Add-Computer -ComputerName Server01 -LocalCredential Server01\Admin01 -DomainName Domain02 -Credential Domain02\Admin02 -Restart –Force





= IMPORTANT: Registry Changes That You Should Never Set! =

{{Imbox
| type = warning
| text = You must not to change the values of the <code>RequireSignOrSeal</code> or <code>RequireStrongKey</code>. Changing the settings breaks the interoperability with Windows and Samba installations.
}}

If you changed these parameters, reset the values of both keys back to <code>1</code>:

* Save the following content to a plain text file named <code>reset_RequireSignOrSeal_RequireStrongKey.reg</code> using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]
[HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
"RequireStrongKey"=dword:00000001

* Log in using the local "<code>Administrator</code> account.

* Double-click the file to import it to the Windows registry.

* Reboot to take the changes effect.





----
[[Category:NT4 Domains]]
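Review bot: The Netlogon key in reset_RequireSignOrSeal_RequireStrongKey.reg is written as "System\CCS\Services\Netlogon\Parameters", while the first .reg file on the page spells out "System\CurrentControlSet\...". "CCS" is only shorthand and not a key name, so importing the file as shown would create a new CCS key and would not reset the Netlogon values; write CurrentControlSet in full. Two smaller points in the same hunk: "You must not to change" should read "You must not change", and the step 'Log in using the local "<code>Administrator</code> account.' has an unmatched quotation mark.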

Latest revision as of 10:26, 24 January 2020

General Information

Microsoft discontinued official support for NT4 domains in the Windows operating systems. However, with some modifications, you can still use later Windows releases with a Samba NT4 domain. Consider migrating to Samba Active Directory (AD) to avoid problems if a future Microsoft update disables or removes NT4 features that are no longer supported. For details about migrating, see Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade).



Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain

During the join, the following error message is displayed:

The following error occurred attempting to join the domain "SA":
The specified domain either does not exist or could not be contacted.

To enable the client to join the Samba NT4 domain:

  • Save the following content to a plain text file named samba_7_2008_fix.reg using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
    "DomainCompatibilityMode"=dword:00000001
    "DNSNameResolutionRequired"=dword:00000000

  • Log in using the local Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot for the changes to take effect.



Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This computer to "" Failed.

While joining the machine to the NT4 domain, the following error message is displayed:

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...".
The error was:

The specified domain either does not exist or could not be contacted

You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see KB2171571.




Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager

After installing the November 2014 update rollup (KB3000850) the following error is displayed:

Error code 0x80090345 launching Windows Credential Manager

To fix this problem:

  • Save the following content to a plain text file named samba_8_2012_fix.reg using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
    "ProtectionPolicy"=dword:00000001

  • Log in using the local Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot for the changes to take effect.



Windows 10



Windows 10 and Windows Server 2016: There Are Currently No Logon Servers Available to Service the Logon Request

After you have successfully joined Windows 10 or Windows Server 2016 to your Samba NT4 domain, logging in fails and the following error is displayed:

There are currently no logon servers available to service the logon request.

To work around this problem, configure the Samba Primary Domain Controller (PDC) to support only the SMB 1 protocol. However, Microsoft deprecated the SMB 1 protocol in Windows and will remove the protocol in a future version. Windows 10 and Windows Server 2016 Fall Creators Update 1709 and later no longer install SMB 1 by default. For details, see SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709. Until you re-enable SMB 1 on Windows, the workaround described in this section will fail. For details about re-enabling SMB 1 on Windows, see your Windows documentation.

To configure the PDC to only support the SMB 1 protocol:

  • Set the following parameter in the [global] section in the smb.conf file:

    server max protocol = NT1

  • Restart Samba.



Using Powershell

Alexandru Joni reported that it is possible to join Windows 10 to an NT4-style domain using PowerShell:

Add a local computer to a domain using credentials

   Add-Computer -ComputerName Server01 -LocalCredential Server01\Admin01 -DomainName Domain02 -Credential Domain02\Admin02 -Restart -Force



IMPORTANT: Registry Changes That You Should Never Set!

If you changed these parameters, reset the values of both keys back to 1:

  • Save the following content to a plain text file named reset_RequireSignOrSeal_RequireStrongKey.reg using a text editor such as "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters]
    "RequireSignOrSeal"=dword:00000001
    "RequireStrongKey"=dword:00000001

  • Log in using the local Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot for the changes to take effect.
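
To see which of the registry values discussed on this page are present on a Windows client before or after importing any of the .reg files, the following read-only check can be run. It is an added example, not part of the SambaWiki page; the function name Get-Nt4RegistryAudit and the report layout are assumptions, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of the registry values named on this page.
# Expected values are the ones the page gives; nothing is written to the registry.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # key name written out in full

$checks = @(
    @{ Key = "$svc\Netlogon\Parameters"; Name = 'RequireSignOrSeal'; Expected = 1
       Note = 'must stay 1 (Registry Changes That You Should Never Set)' }
    @{ Key = "$svc\Netlogon\Parameters"; Name = 'RequireStrongKey'; Expected = 1
       Note = 'must stay 1 (Registry Changes That You Should Never Set)' }
    @{ Key = "$svc\LanManWorkstation\Parameters"; Name = 'DomainCompatibilityMode'; Expected = 1
       Note = 'NT4 domain members only, never with Samba AD' }
    @{ Key = "$svc\LanManWorkstation\Parameters"; Name = 'DNSNameResolutionRequired'; Expected = 0
       Note = 'NT4 domain members only, never with Samba AD' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
       Name = 'ProtectionPolicy'; Expected = 1
       Note = 'Windows 8.1 / Server 2012 R2 Credential Manager workaround only' }
)

# Hypothetical helper: returns one report object per checked value.
function Get-Nt4RegistryAudit {
    param([Parameter(Mandatory = $true)][hashtable[]]$Checks)

    foreach ($c in $Checks) {
        # Read the whole key; a missing key or a missing value both end up as $null.
        $props  = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
        $actual = $null
        if ($props -and $props.PSObject.Properties[$c.Name]) {
            $actual = $props.($c.Name)
        }

        if ($null -eq $actual) {
            $status = 'not set'
        } elseif ($actual -eq $c.Expected) {
            $status = 'matches page'
        } else {
            $status = 'DIFFERS'
        }

        [pscustomobject]@{
            Value = $c.Name; Expected = $c.Expected; Actual = $actual
            Status = $status; Note = $c.Note
        }
    }
}

Get-Nt4RegistryAudit -Checks $checks | Format-Table -AutoSize
```

A DIFFERS status on RequireSignOrSeal or RequireStrongKey is the case the reset procedure above addresses; "not set" on the LanManWorkstation values is the expected result on a machine that is not an NT4 domain member.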