Anybody got windows 10 working with our classic DC / need to migrate to samba4?

Scott Lovenberg scott.lovenberg at gmail.com
Thu Jun 4 00:47:43 MDT 2015


On Tue, Jun 2, 2015 at 1:24 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> Hello Andrew,
>
> Am 02.06.2015 um 09:55 schrieb Andrew Bartlett:
>> Just checking if anybody has Samba's classic DC functioning with Windows
>> 10 domain member clients?  In particular, I'm interested in any tests
>> with git master or 4.2.
>>
>> I'm not talking about samba4 DCs (our AD DC), but with the NT4-like
>> mode.
>>
>> The reason I ask is that I've got reports it doesn't work, and I've
>> checked with Microsoft who basically say 'NT4 support ended years ago'.
>> Certainly the current effort was the result of a special favour, and
>> these things (rightly) do expire.
>
>
> I setup a Samba NT4 PDC it in my test environment with Samba 4.2.1 and
> Win10 TP Build 9926:
>
> First, the two registry keys are required to add/set like done since
> Win7
> (https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains).
>
> Then you join the domain + reboot.
>
> But if you try to login now, it is denied ("...no logon servers..."). To
> workaround this, I needed to set "max protocol = NT1" in smb.conf. This
> allows the Win10 box to login to the Samba NT4 domain.
>
> What was interesting is, that if the Win10 client has once successfully
> logged into the NT4 domain, you can remove the "max protocol" line and
> let this parameter on it's default. All further logins I have tried -
> even after a reboot - worked then.
>
>
> Ping me in IRC if you want to have a deeper look at this and require
> logs, etc.
>
>
> Regards,
> Marc

At risk of stating the obvious (why let it stop me now? ;) ), I seem
to recall that once a Windows client, XP or later, in an NT4 domain
sees an AD DC, it upgrades at least its domain level (if not also
protocol level on later Windows versions) in a non-reversible way.
This kind of sounds like the inverse situation where the default is AD
and it can fall back to NT4.  I'm wagering if you expose that Windows
10 machine to an AD DC domain and then tried to switch back again,
this trick would no longer work.

That test wouldn't actually _prove_ anything other than, "you really
should retire your NT4 domain a year ago", but that's been painfully
obvious for a while now. If I get bored I might snapshot some VMs and
replay the interaction a couple of different ways.

Marc, I'm assuming your test was a clean Samba install with stock
configurations and a clean Windows-10 9926 (with no previous contact
to either AD or NT4 domains)?

-- 
Peace and Blessings,
-Scott.


More information about the samba-technical mailing list