|
|
| Line 1: |
Line 1: |
| − | == Samba versions supporting Windows7 Domain Logon == | + | = When do I need Registry changes? = |
| | | | |
| − | Support for Windows 7 and Windows Server 2008 R2 using Samba Domain Controllers has been added to the following versions:
| + | '''Samba usually doesn't require any changes on your Windows OS. |
| | | | |
| − | * Samba 3.4 or later
| + | So please read very carefully on the sections below why and when you should do them! |
| − | * Samba 3.3.5 or later
| |
| − | * Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES)
| |
| − | * Samba 3.2.12 or later
| |
| | | | |
| − | We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions. Also tested Windows Server 2008 R2 Enterprise with Samba 3.5.6.
| + | If your situation or problem isn't mentioned here, then it's highly recommented to <u>NOT</u> do any registry changes!''' |
| | | | |
| − | If you use older versions, Windows 7 box still can join the Samba Domain but after rebooting, you will receive an error message: "the trust relation between this workstation and the primary domain failed" and no one can logon as any domain user.
| |
| | | | |
| − | -- [[User:Monyo|Monyo]] 16:22, 5 June 2011 (UTC)
| |
| | | | |
| − | == Windows 7 Registry settings ==
| |
| | | | |
| − | There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:
| + | = Joining Windows7/8 or Windows Server 2008r2/2012 to an Samba NT4-style domain = |
| | | | |
| − | HKLM\System\CCS\Services\LanmanWorkstation\Parameters
| + | '''This changes are only necessary if you want to join a Windows7/8 or Windows Server 2008r2/2012 machine to a <u>Samba NT4-style domain</u>! |
| − | DWORD DomainCompatibilityMode = 1
| |
| − | DWORD DNSNameResolutionRequired = 0
| |
| | | | |
| − | Samba also ships with a registry patchfile that users can apply directly. | + | It's not required and not recommended if you run Samba as AD DC!''' |
| − | The patchfile can be found in recent Samba sourcecode: $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg or in Samba Bugzilla here:
| |
| − | https://bugzilla.samba.org/attachment.cgi?id=4988&action=view
| |
| | | | |
| − | Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.
| + | If you try to join any of the mentioned OS you'll encounter an error |
| | | | |
| − | Do '''not''' edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.
| + | The following error occourred attempting to join the domain „.....“: |
| | + | |
| | + | The specified domain either does not exist or could not be contacted. |
| | | | |
| − | If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:
| + | The following registry change work with any Samba version that isn't already [[Samba_Release_Planning|discontinued]]: |
| | | | |
| − | HKLM\System\CCS\Services\Netlogon\Parameters
| + | [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters] |
| − | DWORD RequireSignOrSeal = 1
| + | |
| − | DWORD RequireStrongKey = 1
| + | DWORD DomainCompatibilityMode 1 |
| | + | DWORD DNSNameResolutionRequired 0 |
| | | | |
| | + | Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions. |
| | | | |
| | + | After the next reboot you can join the machine to your domain, but you'll still encounter an error: |
| | | | |
| − | --[[User:stwestbrook, Gd|Gd]] 15:47, 29 November 2009 (EDT)
| + | Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....". |
| | + | The error was: |
| | + | |
| | + | The specified domain either does not exist or could not be contacted |
| | | | |
| − | '''Special Warning:''' If, as is likely the case, you are using the Windows Operating System to view this page and double-click the registry value (DNSNameResolutionRequired or DomainCompatibilityMode) to CnP into Windows' regedit, that one must take special care to make sure that when pasting the clipboard into the new value created in regedit to remove the space at the end of the value name that is likely included in the double-clicking of the registry value name.
| + | But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: [http://support.microsoft.com/kb/2171571 KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain]. |
| | | | |
| − | ''Sidebar for the purpose of impressing importance of this Special Warning'': Embarrassingly, it took me 8 hours today (1 June 2012) to troubleshoot a problem where DNSNameResolutionRequired in this Wiki was pasted "DNSNameResolutionRequired " into regedit. Obviously, no one could join the domain and no one thought twice about the fact that DNSNameResolutionRequired ''which looked right was actually very wrong''. When it comes to Windows 7 joining a Samba PDC, as the Internet echos loudly, have these registry entries set and '''make sure these registry values are named correctly'''.
| |
| | | | |
| − | --[[User:s1037989|s1037989]] 16:25, 4 June 2012 (CDT)
| |
| | | | |
| − | == NOTES: with Samba 3.3.2, 3.3.3 and 3.3.4 ==
| |
| | | | |
| − | '''Only for these versions''', you have to change the NETLOGON parameters.
| |
| | | | |
| − | HKLM\System\CCS\Services\Netlogon\Parameters
| + | = IMPORTANT: Registry changes that never should be done! = |
| − | DWORD RequireSignOrSeal = 0
| |
| − | DWORD RequireStrongKey = 0
| |
| | | | |
| − | For other versions, you must not change them.
| + | There are many pages on the internet, which suggest to change the values of <tt>RequireSignOrSeal</tt> and <tt>RequireStrongKey</tt>. '''This is <u>NOT</u> recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!''' |
| | | | |
| − | --[[User:Monyo|Monyo]] 12:42, 6 April 2011 (CDT)
| + | If you have already changed these parameters, turn them back to <tt>1</tt> as shown below and reboot: |
| | | | |
| − | The changes of RequireSignOrSeal and RequireStrongKey are '''NOT''' recommended by the Samba Team. They will break interoperability with other Windows and Samba versions!
| + | [HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters] |
| − | | + | |
| − | --[[User:bjacke|bjacke]] 17 Jul 2011 (CEST)
| + | DWORD RequireSignOrSeal = 1 |
| − | | + | DWORD RequireStrongKey = 1 |
| − | == NOTES: Error message during joining to the Domain ==
| |
| − | You will receive one warning about DNS domain name configuration after the join has succeeded:
| |
| − | | |
| − | "Changing the Primary Domain DNS name of this computer to "" failed.
| |
| − | The name will remain "MYDOM". The error was:
| |
| − |
| |
| − | The specified domain either does not exist or could not be contacted"
| |
| − | | |
| − | This warning can be ignored or silenced with setting other registry keys.
| |
| − | | |
| − | There is a hotfix available from Microsoft to address this, see KB2171571:[http://support.microsoft.com/kb/2171571 You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain] for details.
| |
| − | | |
| − | == Windows 7 Performance and Time Registry settings ==
| |
| − | | |
| − | I want to share some of my configuration settings, they add a major improvement in domain login speed and allow to use samba as time server under Windows 7 Professional:
| |
| − | | |
| − | echo 'Windows Registry Editor Version 5.00
| |
| − |
| |
| − | ; Win7_Samba3DomainMember
| |
| − | [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
| |
| − | "DNSNameResolutionRequired"=dword:00000000
| |
| − | "DomainCompatibilityMode"=dword:00000001
| |
| − |
| |
| − | ; Speedup settings
| |
| − | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
| |
| − | "SlowLinkDetectEnabled"=dword:00000000
| |
| − | "DeleteRoamingCache"=dword:00000001
| |
| − | "WaitForNetwork"=dword:00000000
| |
| − | "CompatibleRUPSecurity"=dword:00000001
| |
| − |
| |
| − | ; Can drive you nuts
| |
| − | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
| |
| − | "EnableLUA"=dword:00000000' | tee Win7_Samba3DomainMember_jelledj.reg
| |
| − |
| |
| − | unix2dos Win7_Samba3DomainMember_jelledj.reg
| |
| − | | |
| − | echo '@echo off
| |
| − | echo.
| |
| − | echo WARNING: Do not close this window!!!
| |
| − | echo.
| |
| − | c:\"Program Files\Windows Resource Kits\Tools\ntrights.exe" +r SeSystemTimePrivilege -u "Domain Users"
| |
| − | echo.
| |
| − | echo WARNING: You may now close this window!!!
| |
| − | echo.' | tee SeSystemTimePrivilege_jelledj.bat
| |
| − |
| |
| − | unix2dos SeSystemTimePrivilege_jelledj.bat
| |
| − | | |
| − | echo '@echo off
| |
| − | echo.
| |
| − | echo WARNING: Do not close this window!!!
| |
| − | echo.
| |
| − | "C:\Program Files\Mozilla Firefox\firefox.exe" http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe
| |
| − | echo.
| |
| − | echo WARNING: You may now close this window!!!
| |
| − | echo.' | tee rktools_jelledj.bat
| |
| − |
| |
| − | unix2dos rktools_jelledj.bat
| |
| − | | |
| − | echo '@echo off
| |
| − | echo.
| |
| − | echo WARNING: Do not close this window!!!
| |
| − | echo.
| |
| − | NET USE Y: /DELETE
| |
| − | NET USE Y: \\server\documenten /PERSISTENT:YES
| |
| − | NET TIME \\server /SET /YES
| |
| − | echo.
| |
| − | echo WARNING: You may now close this window!!!
| |
| − | echo.' | tee /srv/storage/samba/netlogon/netlogon.bat
| |
| − |
| |
| − | unix2dos /srv/storage/samba/netlogon/netlogon.bat
| |
| − |
| |
| − | setfacl --recursive --modify u::rw,g::r,m:---,o:--- /srv/storage/samba/netlogon/netlogon.bat
| |
| − | chmod g+r /srv/storage/samba/netlogon/netlogon.bat
| |
| − |
| |
| − | cat /srv/storage/samba/netlogon/netlogon.bat
| |
| − | su -c "cat /srv/storage/samba/netlogon/netlogon.bat" jelledj
| |
| − | | |
| − | --[[User:Tuxcrafter|Tuxcrafter]] 15:12, 18 January 2011 (CST)
| |
When do I need Registry changes?
Samba usually doesn't require any changes on your Windows OS.
So please read very carefully on the sections below why and when you should do them!
If your situation or problem isn't mentioned here, then it's highly recommented to NOT do any registry changes!
Joining Windows7/8 or Windows Server 2008r2/2012 to an Samba NT4-style domain
This changes are only necessary if you want to join a Windows7/8 or Windows Server 2008r2/2012 machine to a Samba NT4-style domain!
It's not required and not recommended if you run Samba as AD DC!
If you try to join any of the mentioned OS you'll encounter an error
The following error occourred attempting to join the domain „.....“:
The specified domain either does not exist or could not be contacted.
The following registry change work with any Samba version that isn't already discontinued:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
DWORD DomainCompatibilityMode 1
DWORD DNSNameResolutionRequired 0
Do the changes manually in regedit.exe or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it sambafix.reg. Make sure, that the file has the ending .reg. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.
After the next reboot you can join the machine to your domain, but you'll still encounter an error:
Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
The error was:
The specified domain either does not exist or could not be contacted
But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain.
IMPORTANT: Registry changes that never should be done!
There are many pages on the internet, which suggest to change the values of RequireSignOrSeal and RequireStrongKey. This is NOT recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!
If you have already changed these parameters, turn them back to 1 as shown below and reboot:
[HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]
DWORD RequireSignOrSeal = 1
DWORD RequireStrongKey = 1