Required Settings for Samba NT4 Domains

From SambaWiki
Revision as of 17:42, 6 April 2011 by Monyo (talk | contribs) (Added more version info (especially Samba 3.2.X) and NOTES about Samba 3.3.2 - 3.3.4)

Samba versions supporting Windows 7 Domain Logon

Support for Windows 7 and Windows 2008 using Samba Domain Controllers has been added to the following versions:

  • Samba 3.4 or later
  • Samba 3.3.5 or later
  • Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES)
  • Samba 3.2.12 or later

We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions.

If you use older versions, a Windows 7 box can still join the Samba Domain, but after rebooting you will receive the error message "the trust relation between this workstation and the primary domain failed" and no one can log on as any domain user.

--Monyo 12:42, 6 April 2011 (CDT)

Windows 7 Registry settings

Two registry settings currently have to be added on the Windows 7 client before joining a Samba Domain. These are:

        HKLM\System\CCS\Services\LanmanWorkstation\Parameters
            DWORD  DomainCompatibilityMode = 1
            DWORD  DNSNameResolutionRequired = 0

Samba also ships with a registry patch file that users can apply directly. The patch file can be found in recent Samba source code at $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg or in Samba Bugzilla here: https://bugzilla.samba.org/attachment.cgi?id=4988&action=view

Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.

You will receive one warning about DNS domain name configuration after the join has succeeded:

   "Changing the Primary Domain DNS name of this computer to "" failed.
    The name will remain "MYDOM".  The error was:
    
    The specified domain either does not exist or could not be contacted" 

This warning can be ignored, or silenced by setting other registry keys.

Update: A hotfix is available from Microsoft to address this; see the Knowledge Base article at http://support.microsoft.com/kb/2171571 for details.

Do not edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.

If you have changed the NETLOGON parameters, make sure to set them back to '1' as shown below:

       HKLM\System\CCS\Services\Netlogon\Parameters
           DWORD  RequireSignOrSeal = 1
           DWORD  RequireStrongKey = 1


--Gd 15:47, 29 November 2009 (EDT)

NOTES with Samba 3.3.2, 3.3.3 and 3.3.4

Only for these versions, you have to change the NETLOGON parameters.

       HKLM\System\CCS\Services\Netlogon\Parameters
           DWORD  RequireSignOrSeal = 0
           DWORD  RequireStrongKey = 0

For other versions, you must not change them.

--Monyo 12:42, 6 April 2011 (CDT)
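
To check a client against the values listed in the sections above, the following PowerShell script reads the four registry values and reports any that are missing or differ. It is an added example, not part of the original wiki page or the Samba project; the `-Samba33Exception` switch is hypothetical, and expanding "CCS" to `CurrentControlSet` is an assumption of the example.

```powershell
# Added example (not from the wiki page): audit the registry values the page lists.
# Assumption: "CCS" in the page's paths abbreviates CurrentControlSet.
param(
    # Hypothetical switch: set only on clients of Samba 3.3.2, 3.3.3 or 3.3.4,
    # the one case where the page says the NETLOGON values must be 0.
    [switch]$Samba33Exception
)

$netlogonWant = 1
if ($Samba33Exception) { $netlogonWant = 0 }

$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$checks = @(
    @{ Key = "$svc\LanmanWorkstation\Parameters"; Name = 'DomainCompatibilityMode';   Want = 1 },
    @{ Key = "$svc\LanmanWorkstation\Parameters"; Name = 'DNSNameResolutionRequired'; Want = 0 },
    @{ Key = "$svc\Netlogon\Parameters";          Name = 'RequireSignOrSeal';         Want = $netlogonWant },
    @{ Key = "$svc\Netlogon\Parameters";          Name = 'RequireStrongKey';          Want = $netlogonWant }
)

$failed = 0
foreach ($c in $checks) {
    $name = $c.Name
    # A missing value yields $null here instead of a terminating error.
    $item = Get-ItemProperty -Path $c.Key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = '(not set)'
        $status = 'MISSING'
    } elseif ($item.$name -eq $c.Want) {
        $actual = $item.$name
        $status = 'OK'
    } else {
        $actual = $item.$name
        $status = 'MISMATCH'
    }
    if ($status -ne 'OK') { $failed++ }
    # New-Object PSObject keeps the script usable on the PowerShell 2.0 shipped with Windows 7.
    New-Object PSObject -Property @{
        Key = $c.Key; Name = $name; Expected = $c.Want; Actual = $actual; Status = $status
    } | Select-Object Status, Name, Expected, Actual, Key
}

# A non-zero exit code lets a logon script or management tool flag the client.
if ($failed -gt 0) { exit 1 }
```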

Windows 7 Performance and Time Registry settings

I want to share some of my configuration settings; they add a major improvement in domain login speed and allow Samba to be used as a time server under Windows 7 Professional:

       echo 'Windows Registry Editor Version 5.00
       
       ; Win7_Samba3DomainMember
       [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
       "DNSNameResolutionRequired"=dword:00000000
       "DomainCompatibilityMode"=dword:00000001
       
       ; Speedup settings
       [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
       "SlowLinkDetectEnabled"=dword:00000000
       "DeleteRoamingCache"=dword:00000001
       "WaitForNetwork"=dword:00000000
       "CompatibleRUPSecurity"=dword:00000001
       
       ; Can drive you nuts
       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
       "EnableLUA"=dword:00000000' | tee Win7_Samba3DomainMember_jelledj.reg
       
       unix2dos Win7_Samba3DomainMember_jelledj.reg
       echo '@echo off
       echo.
       echo WARNING: Do not close this window!!!
       echo.
       c:\"Program Files\Windows Resource Kits\Tools\ntrights.exe" +r SeSystemTimePrivilege -u "Domain Users"
       echo.
       echo WARNING: You may now close this window!!!
       echo.' | tee SeSystemTimePrivilege_jelledj.bat
       
       unix2dos SeSystemTimePrivilege_jelledj.bat
       echo '@echo off
       echo.
       echo WARNING: Do not close this window!!!
       echo.
       "C:\Program Files\Mozilla Firefox\firefox.exe" http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe
       echo.
       echo WARNING: You may now close this window!!!
       echo.' | tee rktools_jelledj.bat
       
       unix2dos rktools_jelledj.bat
       echo '@echo off
       echo.
       echo WARNING: Do not close this window!!!
       echo.
       NET USE Y: /DELETE
       NET USE Y: \\server\documenten /PERSISTENT:YES
       NET TIME \\server /SET /YES
       echo.
       echo WARNING: You may now close this window!!!
       echo.' | tee /srv/storage/samba/netlogon/netlogon.bat
       
       unix2dos /srv/storage/samba/netlogon/netlogon.bat
       
       setfacl --recursive --modify u::rw,g::r,m:---,o:--- /srv/storage/samba/netlogon/netlogon.bat
       chmod g+r /srv/storage/samba/netlogon/netlogon.bat
       
       cat /srv/storage/samba/netlogon/netlogon.bat
       su -c "cat /srv/storage/samba/netlogon/netlogon.bat" jelledj

--Tuxcrafter 15:12, 18 January 2011 (CST)