Required Settings for Samba NT4 Domains: Difference between revisions
Mmuehlfeld (talk | contribs) m (Mmuehlfeld moved page Required settings for NT4-style domains to Required Settings for Samba NT4 Domains: Update title to TitleCase) |
Mmuehlfeld (talk | contribs) (Rewrote "Required Settings for Samba NT4 Domains") |
||
Line 1: | Line 1: | ||
= General |
= General Information = |
||
Microsoft discontinued the official support for NT4 domains many years ago. However, with some modifications, you can still use later published Windows operating systems with a Samba NT4 domain. Anyway consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes the unsupported NT4 features. For details about migrating, see [[Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)|Migrating a Samba NT4 Domain to Samba AD (classic upgrade)]]. |
|||
'''Samba usually doesn't require any changes on your Windows OS! Please read very carefully, why and in which situations you should do them! The changes mentioned on this page are only necessary if you want to join Windows 7 and later or Server 2008 and later to a <u>Samba NT4-style domain</u>. If this isn't your situation, then it's highly recommended <u>NOT</u> do do any registry changes! None of this modifications described on this page is required/recommended, if you run Samba as an Active Directory Domain Controller!''' |
|||
'''If your operating system is not mentioned on this page, or you are running a Samba Active Directory (AD), the Samba team highly recommends <u>NOT</u> to set any registry modification!''' |
|||
= Joining Windows 7 or later / Windows Server 2008 or later to a Samba NT4-style domain = |
|||
= Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain = |
|||
During the join, you see the following error message: |
|||
⚫ | |||
⚫ | |||
⚫ | |||
The specified domain either does not exist or could not be contacted. |
The specified domain either does not exist or could not be contacted. |
||
To enable the client to join the Samba NT4 domain: |
|||
The following registry change work with any Samba version, that isn't already [[Samba_Release_Planning|discontinued]]: |
|||
* Save the following content to a plain text file named "samba_7_2008_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.): |
|||
Windows Registry Editor Version 5.00 |
Windows Registry Editor Version 5.00 |
||
Line 24: | Line 27: | ||
"DNSNameResolutionRequired"=dword:00000000 |
"DNSNameResolutionRequired"=dword:00000000 |
||
* Log in using the local "Administrator" account. |
|||
Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions. |
|||
* Double-click the file to import it to the Windows registry. |
|||
* Reboot to take the changes effect. |
|||
⚫ | |||
⚫ | |||
If you are joined to a samba NT4-style domain then the following registry change should work for you see Workaround section in [https://support.microsoft.com/en-us/kb/3000850 KB3000850] for more details |
|||
During joining the machine to the NT4 domain you receive the following error: |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see [http://support.microsoft.com/kb/2171571 KB2171571]. |
|||
you will need to reboot after making the above registry change. |
|||
Line 47: | Line 52: | ||
⚫ | |||
⚫ | |||
⚫ | |||
After installing the [https://support.microsoft.com/en-us/kb/3000850 November 2014 update rollup (KB3000850)] you see the following error: |
|||
There are currently no logon servers available to service the logon request. |
|||
Error code 0x80090345 launching Windows Credential Manager |
|||
To workaround, set in your PDCs smb.conf: |
|||
To fix this problem: |
|||
⚫ | |||
* Save the following content to a plain text file named "samba_8_2012_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.): |
|||
After you've restarted Samba, you will be able to login with a domain account on Windows 10. |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
* Log in using the local "Administrator" account. |
|||
* Double-click the file to import it to the Windows registry. |
|||
* Reboot to take the changes effect. |
|||
⚫ | |||
If you encounter the following error on Windows 7 or Windows Server 2008R2, it can safely be ignored or silenced by a Microsoft hotfix (See [http://support.microsoft.com/kb/2171571 KB2171571]). |
|||
⚫ | |||
⚫ | |||
⚫ | |||
= Windows 10: There Are Currently No Logon Servers Available to Service the Logon Request = |
|||
⚫ | |||
⚫ | |||
To fix the problem: |
|||
* Set in your primary domain controllers (PDC) "smb.conf" file: |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | :Note that this setting prevent all your clients to use a newer SMB protocol version than SMB1 when communicating with the PDC. Anyway, the Samba team recommends to use this workaround. Disabling newer SMB versions on the Windows 10 client instead prevent this machine communicating using newer SMB version with <u>all</u> Samba/Windows hosts. |
||
If you have already changed these parameters, turn them back to <tt>1</tt> as shown below and reboot: |
|||
* Restart Samba. |
|||
⚫ | |||
⚫ | |||
If you changed these parameters, reset the values of both keys back to "1": |
|||
* Save the following content to a plain text file named "reset_RequireSignOrSeal_RequireStrongKey.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.): |
|||
Windows Registry Editor Version 5.00 |
Windows Registry Editor Version 5.00 |
||
Line 90: | Line 112: | ||
"RequireSignOrSeal"=dword:00000001 |
"RequireSignOrSeal"=dword:00000001 |
||
"RequireStrongKey"=dword:00000001 |
"RequireStrongKey"=dword:00000001 |
||
* Log in using the local "Administrator" account. |
|||
* Double-click the file to import it to the Windows registry. |
|||
* Reboot to take the changes effect. |
Revision as of 01:50, 27 August 2016
General Information
Microsoft discontinued the official support for NT4 domains many years ago. However, with some modifications, you can still use later published Windows operating systems with a Samba NT4 domain. Anyway consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes the unsupported NT4 features. For details about migrating, see Migrating a Samba NT4 Domain to Samba AD (classic upgrade).
If your operating system is not mentioned on this page, or you are running a Samba Active Directory (AD), the Samba team highly recommends NOT to set any registry modification!
Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain
During the join, you see the following error message:
The following error occurred attempting to join the domain "SA": The specified domain either does not exist or could not be contacted.
To enable the client to join the Samba NT4 domain:
- Save the following content to a plain text file named "samba_7_2008_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters] "DomainCompatibilityMode"=dword:00000001 "DNSNameResolutionRequired"=dword:00000000
- Log in using the local "Administrator" account.
- Double-click the file to import it to the Windows registry.
- Reboot to take the changes effect.
Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This computer to "" Failed.
During joining the machine to the NT4 domain you receive the following error:
Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...". The error was: The specified domain either does not exist or could not be contacted
You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see KB2171571.
Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager
After installing the November 2014 update rollup (KB3000850) you see the following error:
Error code 0x80090345 launching Windows Credential Manager
To fix this problem:
- Save the following content to a plain text file named "samba_8_2012_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb] "ProtectionPolicy"=dword:00000001
- Log in using the local "Administrator" account.
- Double-click the file to import it to the Windows registry.
- Reboot to take the changes effect.
Windows 10: There Are Currently No Logon Servers Available to Service the Logon Request
After you have successfully joined Windows 10 to your Samba NT4 domain, you fail to log on and receive the error:
There are currently no logon servers available to service the logon request.
To fix the problem:
- Set in your primary domain controllers (PDC) "smb.conf" file:
server max protocol = NT1
- Note that this setting prevent all your clients to use a newer SMB protocol version than SMB1 when communicating with the PDC. Anyway, the Samba team recommends to use this workaround. Disabling newer SMB versions on the Windows 10 client instead prevent this machine communicating using newer SMB version with all Samba/Windows hosts.
- Restart Samba.
IMPORTANT: Registry Changes That You Should Never Set!
The Samba team recommends not to change the values of "RequireSignOrSeal" and "RequireStrongKey". It will break the interoperability with other Windows and Samba installations!
If you changed these parameters, reset the values of both keys back to "1":
- Save the following content to a plain text file named "reset_RequireSignOrSeal_RequireStrongKey.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters] "RequireSignOrSeal"=dword:00000001 "RequireStrongKey"=dword:00000001
- Log in using the local "Administrator" account.
- Double-click the file to import it to the Windows registry.
- Reboot to take the changes effect.