Required Settings for Samba NT4 Domains: Difference between revisions

From SambaWiki
m (Remove information about AD, because this page is about NT4 domains only)
(Reformatting, re-writes, several text changes.)
Line 1: Line 1:
= General information =
= Introduction =


'''Samba usually doesn't require any changes on your Windows OS! Please read very carefully, why and in which situations you should do them! The changes mentioned on this page are only necessary if you want to join Windows 7 and later or Server 2008 and later to a <u>Samba NT4-style domain</u>. If this isn't your situation, then it's highly recommended <u>NOT</u> do do any registry changes! None of this modifications described on this page is required/recommended, if you run Samba as an Active Directory Domain Controller!'''
'''Samba usually doesn't require any changes on your Windows OS!'''


Please read very carefully, why and when you should do them: The changes mentioned on this page are only necessary if you want to join a Windows7 and later or Server 2008 and later to a <u>Samba NT4-style domain</u>. If this isn't your situation, then it's highly recommented <u>NOT</u> do do any registry changes! '''It's not required and not recommended if you run Samba as an AD DC!'''








= Joining Windows 7 or later / Windows Server 2008 or later to a Samba NT4-style domain =


If you try to join any Windows 7 or later / Windows Server 2008 or later, you'll encounter an error
= Joining Windows to a Samba NT4-style domain =


The following error occourred attempting to join the domain "SAMDOM":
If you try to join any of the above mentioned OS you'll encounter an error

The following error occourred attempting to join the domain „.....“:
The specified domain either does not exist or could not be contacted.
The specified domain either does not exist or could not be contacted.


The following registry change work with any Samba version that isn't already [[Samba_Release_Planning|discontinued]]:
The following registry change work with any Samba version, that isn't already [[Samba_Release_Planning|discontinued]]:


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
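Review bot: the rewritten introduction paragraph still carries two typos, "NOT do do any registry changes" and "None of this modifications"; suggest "NOT to do any registry changes" and "None of the modifications". The quoted join error keeps the misspelling "occourred" on both sides of the change, and "The following registry change work" needs "works".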
Line 28: Line 26:
Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.
Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.


After the next reboot you can join the machine to your domain, but you may still encounter an error:
After the next reboot, you can join the machine to your domain.

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
The error was:
The specified domain either does not exist or could not be contacted

But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: [http://support.microsoft.com/kb/2171571 KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain].




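Review bot: with the "Changing the Primary Domain DNS name" block taken out of the join section, the remaining sentence "After the next reboot, you can join the machine to your domain." no longer tells the reader that the join may still report an error that can be ignored. Suggest a one-line pointer from this spot to the section that now documents the error and its KB2171571 link.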
Line 58: Line 49:
= Windows 10: „No logon servers available“=
= Windows 10: „No logon servers available“=


If you have successfully joined Windows 10 to your Samba NT4 domain and try to login, you may encounter the error „No logon servers available“. To workaround, set in your PDCs smb.conf:
If you have successfully joined Windows 10 to your Samba NT4 domain and try to login, you may encounter the error "No logon servers available". To workaround, set in your PDCs smb.conf:


max protocol = NT1
max protocol = NT1
# Be aware, that this setting prevent your clients to use
# newer SMB protocol versions, than SMB1 with this server!


After you've restarted Samba, you will be able to login with a domain account on Windows 10.
After you've restarted Samba, you will be able to login with a domain account on Windows 10.

Be aware, that this setting prevent your clients to use newer SMB protocol versions than SMB1 with this server! However, this is the way the Samba team recommends. There are suggestions out there, to disable newer SMB version on Windows 10 client(s) in general. However this will prevent them from using newer protocol version with <u>any</u> SMB servers, instead of a single one (PDC)!





= Error: Changing the Primary Domain DNS name of this computer to "" failed =

If you encounter the following error on Windows 7 or Windows Server 2008R2, it can safely be ignored or silenced by a Microsoft hotfix (See [http://support.microsoft.com/kb/2171571 KB2171571]).

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
The error was:
The specified domain either does not exist or could not be contacted





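Review bot: the SMB1 caveat that used to sit inside the smb.conf snippet ("# Be aware, that this setting prevent your clients to use") now appears only in a paragraph after the restart step, so a reader who copies just "max protocol = NT1" never sees it. Suggest keeping the comment in the snippet or moving the paragraph above it. The moved sentence also needs "prevents your clients from using", and the section heading still uses „ “ while the body now uses straight quotes.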
Revision as of 14:16, 30 March 2016

General information

Samba usually doesn't require any changes on your Windows OS! Please read very carefully why and in which situations you should make them. The changes described on this page are only necessary if you want to join Windows 7 or later, or Windows Server 2008 or later, to a Samba NT4-style domain. If this isn't your situation, it is highly recommended NOT to make any registry changes! None of the modifications described on this page is required or recommended if you run Samba as an Active Directory Domain Controller!



Joining Windows 7 or later / Windows Server 2008 or later to a Samba NT4-style domain

If you try to join Windows 7 or later / Windows Server 2008 or later, you'll encounter an error:

The following error occurred attempting to join the domain "SAMDOM":

The specified domain either does not exist or could not be contacted.

The following registry change works with any Samba version that isn't already discontinued:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]

"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

Make the changes manually in regedit.exe, or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it sambafix.reg. Make sure that the file name ends in .reg. You can then import it directly into your registry by double-clicking it, if you have sufficient permissions.

After the next reboot, you can join the machine to your domain.



Windows 8.1: Encountering Error code 0x80090345 launching Windows Credential Manager

If you are joined to a Samba NT4-style domain, the following registry change should work for you. See the Workaround section in KB3000850 for more details.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001

You will need to reboot after making the above registry change.



Windows 10: "No logon servers available"

If you have successfully joined Windows 10 to your Samba NT4 domain and try to log in, you may encounter the error "No logon servers available". As a workaround, set the following in your PDC's smb.conf:

max protocol = NT1

After you've restarted Samba, you will be able to log in with a domain account on Windows 10.

Be aware that this setting prevents your clients from using SMB protocol versions newer than SMB1 with this server! However, this is the approach the Samba team recommends. There are suggestions out there to disable newer SMB versions on the Windows 10 client(s) in general. However, that prevents them from using newer protocol versions with any SMB server, instead of with a single one (the PDC)!



Error: Changing the Primary Domain DNS name of this computer to "" failed

If you encounter the following error on Windows 7 or Windows Server 2008 R2, it can safely be ignored or silenced by a Microsoft hotfix (see KB2171571).

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
The error was:

The specified domain either does not exist or could not be contacted



IMPORTANT: Registry changes that should never be done!

Many pages on the internet suggest changing the values of RequireSignOrSeal and RequireStrongKey. This is NOT recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!
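
One way to check whether a client already carries such a change, added here as an example (it is not part of the SambaWiki page or of Samba): the Python script parses a registry export and flags RequireSignOrSeal or RequireStrongKey values that are not 1, listing the NT4 compatibility values from this page separately. The function names and the sample export are constructed for illustration.

```python
import re

# Key suffixes and value names are the ones on this page, matched case-insensitively.
NETLOGON = r"services\netlogon\parameters"
WORKSTATION = r"services\lanmanworkstation\parameters"
MUST_BE_ONE = ("requiresignorseal", "requirestrongkey")
NT4_COMPAT = ("domaincompatibilitymode", "dnsnameresolutionrequired")
DWORD = re.compile(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})')

def parse_reg(data):
    """Return {key: {value_name: int}} for the dword values in a .reg file."""
    if isinstance(data, bytes):
        # regedit saves "Version 5.00" exports as UTF-16 with a BOM; hand-written
        # files such as sambafix.reg are usually plain ANSI/UTF-8.
        bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
        data = data.decode("utf-16" if bom else "utf-8-sig")
    keys, current = {}, None
    for line in map(str.strip, data.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := DWORD.fullmatch(line)):
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(data):
    """List (status, value_name, value) for every setting this page covers."""
    findings = []
    for key, values in parse_reg(data).items():
        for name, val in values.items():
            if key.endswith(NETLOGON) and name in MUST_BE_ONE:
                findings.append(("OK" if val == 1 else "RESET_TO_1", name, val))
            elif key.endswith(WORKSTATION) and name in NT4_COMPAT:
                findings.append(("NT4_COMPAT", name, val))
    return findings

# Constructed sample: an export from a client where RequireSignOrSeal was turned off.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000
"RequireStrongKey"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
'''.encode("utf-16")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Values that are absent from the export are not reported, so an empty result for the Netlogon key means the export sets neither value.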

If you have already changed these parameters, turn them back to 1 as shown below and reboot:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters]

"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001