Required Settings for Samba NT4 Domains: Difference between revisions

From SambaWiki
m (moved Windows7 to Registry changes for NT4-style domains: The changes mentioned on the page are not required for Samba AD DC only for NT4-style domains.)
(Completely overworked the whole page. Made it more clear and removed old information. Also restructured the page.)
Line 1: Line 1:
= When do I need Registry changes? =
== Samba versions supporting Windows7 Domain Logon ==


'''Samba usually doesn't require any changes on your Windows OS.
Support for Windows 7 and Windows Server 2008 R2 using Samba Domain Controllers has been added to the following versions:


So please read very carefully on the sections below why and when you should do them!
* Samba 3.4 or later
* Samba 3.3.5 or later
* Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES)
* Samba 3.2.12 or later


If your situation or problem isn't mentioned here, then it's highly recommented to <u>NOT</u> do any registry changes!'''
We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions. Also tested Windows Server 2008 R2 Enterprise with Samba 3.5.6.


If you use older versions, Windows 7 box still can join the Samba Domain but after rebooting, you will receive an error message: "the trust relation between this workstation and the primary domain failed" and no one can logon as any domain user.


-- [[User:Monyo|Monyo]] 16:22, 5 June 2011 (UTC)


== Windows 7 Registry settings ==


= Joining Windows7/8 or Windows Server 2008r2/2012 to an Samba NT4-style domain =
There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:


'''This changes are only necessary if you want to join a Windows7/8 or Windows Server 2008r2/2012 machine to a <u>Samba NT4-style domain</u>!
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0


It's not required and not recommended if you run Samba as AD DC!'''
Samba also ships with a registry patchfile that users can apply directly.
The patchfile can be found in recent Samba sourcecode: $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg or in Samba Bugzilla here:
https://bugzilla.samba.org/attachment.cgi?id=4988&action=view


If you try to join any of the mentioned OS you'll encounter an error
Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.


The following error occourred attempting to join the domain „.....“:
Do '''not''' edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.
The specified domain either does not exist or could not be contacted.


The following registry change work with any Samba version that isn't already [[Samba_Release_Planning|discontinued]]:
If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:


HKLM\System\CCS\Services\Netlogon\Parameters
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
DWORD RequireSignOrSeal = 1
DWORD DomainCompatibilityMode 1
DWORD RequireStrongKey = 1
DWORD DNSNameResolutionRequired 0


Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.


After the next reboot you can join the machine to your domain, but you'll still encounter an error:


Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
--[[User:stwestbrook, Gd|Gd]] 15:47, 29 November 2009 (EDT)
The error was:
The specified domain either does not exist or could not be contacted


But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: [http://support.microsoft.com/kb/2171571 KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain].
'''Special Warning:''' If, as is likely the case, you are using the Windows Operating System to view this page and double-click the registry value (DNSNameResolutionRequired or DomainCompatibilityMode) to CnP into Windows' regedit, that one must take special care to make sure that when pasting the clipboard into the new value created in regedit to remove the space at the end of the value name that is likely included in the double-clicking of the registry value name.


''Sidebar for the purpose of impressing importance of this Special Warning'': Embarrassingly, it took me 8 hours today (1 June 2012) to troubleshoot a problem where DNSNameResolutionRequired in this Wiki was pasted "DNSNameResolutionRequired " into regedit. Obviously, no one could join the domain and no one thought twice about the fact that DNSNameResolutionRequired ''which looked right was actually very wrong''. When it comes to Windows 7 joining a Samba PDC, as the Internet echos loudly, have these registry entries set and '''make sure these registry values are named correctly'''.


--[[User:s1037989|s1037989]] 16:25, 4 June 2012 (CDT)


== NOTES: with Samba 3.3.2, 3.3.3 and 3.3.4 ==


'''Only for these versions''', you have to change the NETLOGON parameters.


= IMPORTANT: Registry changes that never should be done! =
HKLM\System\CCS\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0


There are many pages on the internet, which suggest to change the values of <tt>RequireSignOrSeal</tt> and <tt>RequireStrongKey</tt>. '''This is <u>NOT</u> recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!'''
For other versions, you must not change them.


If you have already changed these parameters, turn them back to <tt>1</tt> as shown below and reboot:
--[[User:Monyo|Monyo]] 12:42, 6 April 2011 (CDT)


[HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]
The changes of RequireSignOrSeal and RequireStrongKey are '''NOT''' recommended by the Samba Team. They will break interoperability with other Windows and Samba versions!

DWORD RequireSignOrSeal = 1
--[[User:bjacke|bjacke]] 17 Jul 2011 (CEST)
DWORD RequireStrongKey = 1

== NOTES: Error message during joining to the Domain ==
You will receive one warning about DNS domain name configuration after the join has succeeded:

"Changing the Primary Domain DNS name of this computer to "" failed.
The name will remain "MYDOM". The error was:
The specified domain either does not exist or could not be contacted"

This warning can be ignored or silenced with setting other registry keys.

There is a hotfix available from Microsoft to address this, see KB2171571:[http://support.microsoft.com/kb/2171571 You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain] for details.

== Windows 7 Performance and Time Registry settings ==

I want to share some of my configuration settings, they add a major improvement in domain login speed and allow to use samba as time server under Windows 7 Professional:

echo 'Windows Registry Editor Version 5.00
; Win7_Samba3DomainMember
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
; Speedup settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"SlowLinkDetectEnabled"=dword:00000000
"DeleteRoamingCache"=dword:00000001
"WaitForNetwork"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001
; Can drive you nuts
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000' | tee Win7_Samba3DomainMember_jelledj.reg
unix2dos Win7_Samba3DomainMember_jelledj.reg

echo '@echo off
echo.
echo WARNING: Do not close this window!!!
echo.
c:\"Program Files\Windows Resource Kits\Tools\ntrights.exe" +r SeSystemTimePrivilege -u "Domain Users"
echo.
echo WARNING: You may now close this window!!!
echo.' | tee SeSystemTimePrivilege_jelledj.bat
unix2dos SeSystemTimePrivilege_jelledj.bat

echo '@echo off
echo.
echo WARNING: Do not close this window!!!
echo.
"C:\Program Files\Mozilla Firefox\firefox.exe" http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe
echo.
echo WARNING: You may now close this window!!!
echo.' | tee rktools_jelledj.bat
unix2dos rktools_jelledj.bat

echo '@echo off
echo.
echo WARNING: Do not close this window!!!
echo.
NET USE Y: /DELETE
NET USE Y: \\server\documenten /PERSISTENT:YES
NET TIME \\server /SET /YES
echo.
echo WARNING: You may now close this window!!!
echo.' | tee /srv/storage/samba/netlogon/netlogon.bat
unix2dos /srv/storage/samba/netlogon/netlogon.bat
setfacl --recursive --modify u::rw,g::r,m:---,o:--- /srv/storage/samba/netlogon/netlogon.bat
chmod g+r /srv/storage/samba/netlogon/netlogon.bat
cat /srv/storage/samba/netlogon/netlogon.bat
su -c "cat /srv/storage/samba/netlogon/netlogon.bat" jelledj

--[[User:Tuxcrafter|Tuxcrafter]] 15:12, 18 January 2011 (CST)

Revision as of 20:17, 30 July 2013

When do I need Registry changes?

Samba usually doesn't require any changes on your Windows OS.

So please read very carefully on the sections below why and when you should do them!

If your situation or problem isn't mentioned here, then it's highly recommented to NOT do any registry changes!



Joining Windows7/8 or Windows Server 2008r2/2012 to an Samba NT4-style domain

This changes are only necessary if you want to join a Windows7/8 or Windows Server 2008r2/2012 machine to a Samba NT4-style domain!

It's not required and not recommended if you run Samba as AD DC!

If you try to join any of the mentioned OS you'll encounter an error 

The following error occourred attempting to join the domain „.....“:

The specified domain either does not exist or could not be contacted.

The following registry change work with any Samba version that isn't already discontinued: 

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]

DWORD DomainCompatibilityMode 1
DWORD DNSNameResolutionRequired 0

Do the changes manually in regedit.exe or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it sambafix.reg. Make sure, that the file has the ending .reg. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.

After the next reboot you can join the machine to your domain, but you'll still encounter an error: 

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
The error was:

The specified domain either does not exist or could not be contacted

But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain.



IMPORTANT: Registry changes that never should be done!

There are many pages on the internet, which suggest to change the values of RequireSignOrSeal and RequireStrongKey. This is NOT recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!

If you have already changed these parameters, turn them back to 1 as shown below and reboot: 

[HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]

DWORD RequireSignOrSeal = 1
DWORD RequireStrongKey = 1
Retrieved from "https://wiki.samba.org/index.php?title=Required_Settings_for_Samba_NT4_Domains&oldid=7889"