Required Settings for Samba NT4 Domains: Difference between revisions

From SambaWiki
(Rewrote "Required Settings for Samba NT4 Domains")
m (Added tags and admonitions)
Line 3: Line 3:
Microsoft discontinued the official support for NT4 domains many years ago. However, with some modifications, you can still use later published Windows operating systems with a Samba NT4 domain. Anyway consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes the unsupported NT4 features. For details about migrating, see [[Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)|Migrating a Samba NT4 Domain to Samba AD (classic upgrade)]].
Microsoft discontinued the official support for NT4 domains many years ago. However, with some modifications, you can still use later published Windows operating systems with a Samba NT4 domain. Anyway consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes the unsupported NT4 features. For details about migrating, see [[Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)|Migrating a Samba NT4 Domain to Samba AD (classic upgrade)]].


{{Imbox
'''If your operating system is not mentioned on this page, or you are running a Samba Active Directory (AD), the Samba team highly recommends <u>NOT</u> to set any registry modification!'''
| type = important
| text = If your operating system is not mentioned on this page, or you are running a Samba Active Directory (AD), the Samba team highly recommends <u>NOT</u> to set any registry modification.
}}




Line 18: Line 21:
To enable the client to join the Samba NT4 domain:
To enable the client to join the Samba NT4 domain:


* Save the following content to a plain text file named "samba_7_2008_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
* Save the following content to a plain text file named <code>samba_7_2008_fix.reg</code> using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
Line 27: Line 30:
"DNSNameResolutionRequired"=dword:00000000
"DNSNameResolutionRequired"=dword:00000000


* Log in using the local "Administrator" account.
* Log in using the local <code>Administrator</code> account.


* Double-click the file to import it to the Windows registry.
* Double-click the file to import it to the Windows registry.
Line 61: Line 64:
To fix this problem:
To fix this problem:


* Save the following content to a plain text file named "samba_8_2012_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
* Save the following content to a plain text file named <code>samba_8_2012_fix.reg</code> using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
Line 68: Line 71:
"ProtectionPolicy"=dword:00000001
"ProtectionPolicy"=dword:00000001


* Log in using the local "Administrator" account.
* Log in using the local <code>Administrator</code> account.


* Double-click the file to import it to the Windows registry.
* Double-click the file to import it to the Windows registry.
Line 86: Line 89:
To fix the problem:
To fix the problem:


* Set in your primary domain controllers (PDC) "smb.conf" file:
* Set in your primary domain controllers (PDC) <code>smb.conf</code> file:


server max protocol = NT1
server max protocol = NT1


:{{Imbox
:Note that this setting prevent all your clients to use a newer SMB protocol version than SMB1 when communicating with the PDC. Anyway, the Samba team recommends to use this workaround. Disabling newer SMB versions on the Windows 10 client instead prevent this machine communicating using newer SMB version with <u>all</u> Samba/Windows hosts.
| type = note
| text = This setting prevent all your clients to use a newer SMB protocol version than SMB1 when communicating with the PDC. Anyway, the Samba team recommends to use this workaround. Disabling newer SMB versions on the Windows 10 client instead prevent this machine communicating using newer SMB version with <u>all</u> Samba/Windows hosts.
}}


* Restart Samba.
* Restart Samba.
Line 100: Line 106:
= IMPORTANT: Registry Changes That You Should Never Set! =
= IMPORTANT: Registry Changes That You Should Never Set! =


{{Imbox
'''The Samba team recommends not to change the values of "RequireSignOrSeal" and "RequireStrongKey". It will break the interoperability with other Windows and Samba installations!'''
| type = warning
| text = The Samba team recommends not to change the values of "RequireSignOrSeal" and "RequireStrongKey". It breaks the interoperability with other Windows and Samba installations.
}}


If you changed these parameters, reset the values of both keys back to "1":
If you changed these parameters, reset the values of both keys back to <code>1</code>:


* Save the following content to a plain text file named "reset_RequireSignOrSeal_RequireStrongKey.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
* Save the following content to a plain text file named <code>reset_RequireSignOrSeal_RequireStrongKey.reg<code> using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
Line 113: Line 122:
"RequireStrongKey"=dword:00000001
"RequireStrongKey"=dword:00000001


* Log in using the local "Administrator" account.
* Log in using the local "<code>Administrator</code> account.


* Double-click the file to import it to the Windows registry.
* Double-click the file to import it to the Windows registry.

Revision as of 20:55, 9 October 2016

General Information

Microsoft discontinued the official support for NT4 domains many years ago. However, with some modifications, you can still use later published Windows operating systems with a Samba NT4 domain. Anyway consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes the unsupported NT4 features. For details about migrating, see Migrating a Samba NT4 Domain to Samba AD (classic upgrade).



Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain

During the join, you see the following error message:

The following error occurred attempting to join the domain "SA":
The specified domain either does not exist or could not be contacted.

To enable the client to join the Samba NT4 domain:

  • Save the following content to a plain text file named samba_7_2008_fix.reg using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]

"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
  • Log in using the local Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot to take the changes effect.



Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This computer to "" Failed.

During joining the machine to the NT4 domain you receive the following error:

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...".
The error was:

The specified domain either does not exist or could not be contacted

You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see KB2171571.




Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager

After installing the November 2014 update rollup (KB3000850) you see the following error:

Error code 0x80090345 launching Windows Credential Manager

To fix this problem:

  • Save the following content to a plain text file named samba_8_2012_fix.reg using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001
  • Log in using the local Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot to take the changes effect.



Windows 10: There Are Currently No Logon Servers Available to Service the Logon Request

After you have successfully joined Windows 10 to your Samba NT4 domain, you fail to log on and receive the error:

There are currently no logon servers available to service the logon request.

To fix the problem:

  • Set in your primary domain controllers (PDC) smb.conf file:
server max protocol = NT1
  • Restart Samba.



IMPORTANT: Registry Changes That You Should Never Set!

If you changed these parameters, reset the values of both keys back to 1:

  • Save the following content to a plain text file named reset_RequireSignOrSeal_RequireStrongKey.reg using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CCS\Services\Netlogon\Parameters]

"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
  • Log in using the local "Administrator account.
  • Double-click the file to import it to the Windows registry.
  • Reboot to take the changes effect.