Required Settings for Samba NT4 Domains
Samba versions supporting Windows7 Domain Logon
Support for Windows 7 and Windows Server 2008 R2 using Samba Domain Controllers has been added to the following versions:
- Samba 3.4 or later
- Samba 3.3.5 or later
- Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES)
- Samba 3.2.12 or later
We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions. Also tested Windows Server 2008 R2 Enterprise with Samba 3.5.6.
If you use older versions, Windows 7 box still can join the Samba Domain but after rebooting, you will receive an error message: "the trust relation between this workstation and the primary domain failed" and no one can logon as any domain user.
-- Monyo 16:22, 5 June 2011 (UTC)
Windows 7 Registry settings
There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters DWORD DomainCompatibilityMode = 1 DWORD DNSNameResolutionRequired = 0
Samba also ships with a registry patchfile that users can apply directly. The patchfile can be found in recent Samba sourcecode: $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg or in Samba Bugzilla here: https://bugzilla.samba.org/attachment.cgi?id=4988&action=view
Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.
Do not edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.
If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:
HKLM\System\CCS\Services\Netlogon\Parameters DWORD RequireSignOrSeal = 1 DWORD RequireStrongKey = 1
--Gd 15:47, 29 November 2009 (EDT)
NOTES: with Samba 3.3.2, 3.3.3 and 3.3.4
Only for these versions, you have to change the NETLOGON parameters.
HKLM\System\CCS\Services\Netlogon\Parameters DWORD RequireSignOrSeal = 0 DWORD RequireStrongKey = 0
For other versions, you must not change them.
--Monyo 12:42, 6 April 2011 (CDT)
The changes of RequireSignOrSeal and RequireStrongKey are NOT recommended by the Samba Team. They will break interoperability with other Windows and Samba versions!
--bjacke 17 Jul 2011 (CEST)
NOTES: Error message during joining to the Domain
You will receive one warning about DNS domain name configuration after the join has succeeded:
"Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "MYDOM". The error was: The specified domain either does not exist or could not be contacted"
This warning can be ignored or silenced with setting other registry keys.
There is a hotfix available from Microsoft to address this, see KB2171571:You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain for details.
Windows 7 Performance and Time Registry settings
I want to share some of my configuration settings, they add a major improvement in domain login speed and allow to use samba as time server under Windows 7 Professional:
echo 'Windows Registry Editor Version 5.00 ; Win7_Samba3DomainMember [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters] "DNSNameResolutionRequired"=dword:00000000 "DomainCompatibilityMode"=dword:00000001 ; Speedup settings [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "SlowLinkDetectEnabled"=dword:00000000 "DeleteRoamingCache"=dword:00000001 "WaitForNetwork"=dword:00000000 "CompatibleRUPSecurity"=dword:00000001 ; Can drive you nuts [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "EnableLUA"=dword:00000000' | tee Win7_Samba3DomainMember_jelledj.reg unix2dos Win7_Samba3DomainMember_jelledj.reg
echo '@echo off echo. echo WARNING: Do not close this window!!! echo. c:\"Program Files\Windows Resource Kits\Tools\ntrights.exe" +r SeSystemTimePrivilege -u "Domain Users" echo. echo WARNING: You may now close this window!!! echo.' | tee SeSystemTimePrivilege_jelledj.bat unix2dos SeSystemTimePrivilege_jelledj.bat
echo '@echo off echo. echo WARNING: Do not close this window!!! echo. "C:\Program Files\Mozilla Firefox\firefox.exe" http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe echo. echo WARNING: You may now close this window!!! echo.' | tee rktools_jelledj.bat unix2dos rktools_jelledj.bat
echo '@echo off echo. echo WARNING: Do not close this window!!! echo. NET USE Y: /DELETE NET USE Y: \\server\documenten /PERSISTENT:YES NET TIME \\server /SET /YES echo. echo WARNING: You may now close this window!!! echo.' | tee /srv/storage/samba/netlogon/netlogon.bat unix2dos /srv/storage/samba/netlogon/netlogon.bat setfacl --recursive --modify u::rw,g::r,m:---,o:--- /srv/storage/samba/netlogon/netlogon.bat chmod g+r /srv/storage/samba/netlogon/netlogon.bat cat /srv/storage/samba/netlogon/netlogon.bat su -c "cat /srv/storage/samba/netlogon/netlogon.bat" jelledj
--Tuxcrafter 15:12, 18 January 2011 (CST)