[Samba] XP Logon and Samba PDC - another part of the puzzle

Noel Kelly nkelly at citrusnetworks.net
Wed Sep 18 20:17:00 GMT 2002


Hi,

It seems a common problem that after successfully joining a domain (Samba
2.2.5/6pre PDC), the XP Pro client has a bizarre time trying to log on.  The
XP clients flatly refuse to even try to talk to the same PDC they just
negotiated the domain membership with!

I have read many postings (the signorseal registry hack is a must) but no
solid answer as to how to get the client and PDC to talk.  Here is something
I have found which might help complete the puzzle:

It seems that one of the 'exciting new features' M$ have given us in XP is
the default IP Security Policies (Control Panel/Admin Tools/Local Security
Policy).  These by default have a filter for all IP traffic which 'Require
Security' ("Accepts unsecured communications, but always requires clients to
establish trust and security methods.")

This, I think, means that all XP clients will only allow traffic if they are
talking to an AD server.  A Samba PDC (and NT PDC?) is not good enough
(Kerberos required) so no traffic will be allowed to pass between the client
and the PDC - hence the flat refusal to even attempt a login.

Edit these policies and set them to Permit.  Now traffic can flow freely and
a sense of normality will return to your network.

Hope this helps get some people up and running.


Whilst I am here, I'll relay the results of a discussion I was having
yesterday about Samba and ADS.  Soon (next year?) M$ will be discontinuing
support of NT4.  Windows 2000 cannot act as a simple NT domain controller -
it can emulate an NT domain controller but you are obliged to use ADS -
ouch.

Now ADS is way behind NDS as we all know for true enterprise operations.  It
is also complete overkill and unnecessarily complex for small to medium
businesses.  If it corrupts you are in trouble and you had better have more
than one AD server, etc....

So what is a small business to do in 18 months time?  All they need is a
small domain model (which might not be the greatest design but it is
definitely documented and proven).  ADS is way too complex and NT
unsupported/sold.  Surely Samba is their only solution with Windoze clients?

Cheers,
Noel
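As an added example (not part of the original post, and not Samba project code): a small client-side diagnostic that probes the TCP ports an NT-style domain logon uses on the PDC and reports whether each one answered, refused the connection, or never replied. A policy that silently drops unsecured traffic, as the "Require Security" filter described above does, looks the same on every port: a timeout with nothing coming back. A PDC that is reachable but not running smbd instead sends a refusal, so the two failure modes can be told apart before anyone starts editing policies. The port list and the verdict words are this example's own choices, and the PDC name on the command line is a placeholder.

```python
"""Probe the SMB ports a domain logon needs on a PDC and classify each
as 'open', 'refused', 'dropped' or 'unresolved'.  Added example; not
from the original post or from Samba.
"""
import socket

# SMB ports a Windows client uses to reach an NT-style PDC (constructed
# for this example).  NetBIOS name/datagram services on UDP 137/138 are
# not probed: a UDP "connect" cannot distinguish dropped from unanswered.
LOGON_PORTS = {
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB over TCP",
}


def _tcp_connect(host, port, timeout):
    """Default connector: open and immediately close one TCP connection."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def probe_port(host, port, timeout=3.0, connect=_tcp_connect):
    """Classify one TCP port from the client's point of view.

    'refused'  - an RST came back, so packets reach the PDC's TCP stack
    'dropped'  - nothing came back at all, which is what a filter that
                 discards unsecured traffic (or a firewall) produces
    'open'     - the handshake completed
    The connector is injectable so the logic can be exercised offline.
    """
    try:
        connect(host, port, timeout)
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"        # name lookup failed; not a filtering symptom
    except OSError:                # socket.timeout / TimeoutError are OSError subclasses
        return "dropped"


def diagnose(host, ports=LOGON_PORTS, timeout=3.0, connect=_tcp_connect):
    """Probe every logon port and return (per-port states, overall verdict)."""
    states = {port: probe_port(host, port, timeout, connect) for port in ports}
    values = states.values()
    if any(s == "unresolved" for s in values):
        verdict = "unresolved"   # fix name resolution (WINS/DNS/lmhosts) before anything else
    elif all(s == "dropped" for s in values):
        verdict = "dropped"      # nothing answered: suspect a host IPsec filter or firewall
    elif any(s == "open" for s in values):
        verdict = "reachable"    # at least one SMB port answers; logon traffic can flow
    else:
        verdict = "refused"      # PDC answers but serves none of these ports: check smbd
    return states, verdict


if __name__ == "__main__":
    import sys
    pdc = sys.argv[1] if len(sys.argv) > 1 else "pdc.example.invalid"  # placeholder name
    states, verdict = diagnose(pdc)
    for port, state in states.items():
        print(f"{pdc}:{port} ({LOGON_PORTS[port]}): {state}")
    print("verdict:", verdict)
```

Run it from the XP client with the PDC's name or address as the argument. A verdict of "dropped" on every port while the PDC answers pings from another machine is the signature of traffic being discarded on the client side; "refused" points at the PDC's services rather than at any policy.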


