SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache!!

Daniel Zeiss dzeiss at
Thu Jun 5 14:07:38 GMT 2003

Hello All,

So let's summarize a bit the trouble which is out there with Samba and 
WinXP Pro using Samba as PDC. (Also something for the howto for John :-)


* very unsatisfactory performance when clients log on

* trouble with "no domain controller" even because WinXP client didn't
   really check
	seems there are similar problems with NT4 servers :

* simple folder redirection activates Windows Offline Files function
  (not always wanted)

* NEW! smbpasswd won't find a machine account in the LDAP database:
	when not putting the machine account in /etc/passwd the command
	smbpasswd -m -a machinename$  will fail, even with the same
	entries in LDAP

* WinXP clients which do just part of the netlogonscript and stop there

* Samba log file which doesn't tell much on why some things fail

* many hours of "sort it once and for all" but no solution

Stuff to do on WinXP to use Samba (which I assume we all did):

* network encryption
Group Policy editor (gpedit.msc)
Computer Configuration\Windows Settings\Security Settings\Local 
Policies\Security Options
Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally sign secure channel data (when possible)

* Network security: LAN Manager Authentication Level change to use "LM 
and NTLM"

* for roaming profiles:
  run gpedit.msc
	Select Computer Configuration > Administrative Templates >
	 System > User Profiles
	    * Do not check for user ownership of Roaming Profile Folders
		 - Enabled
in smb.conf   (RECOMMENDED!!)
     profile acls = yes

* delete local copies of roaming profiles
	Select Computer Configuration > Administrative Templates >
	 System > User Profiles
	    * Delete cache copies of roaming profiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Edit or add value DeleteRoamingCache as type REG_DWORD. Set it to 1.

* turn off slow link connection 

* disable fast user switching
   It is done with the group policies. It should help Windows to wait for
   the network to get online. Sorry, can't find the link anymore.

* tell WinXP to use NTConfig.POL file from NETLOGON share (KB Q274478)
value REG_SZ (UNC) path, e.g.: \\Servername\Policies\Ntconfig.pol.

Solutions for "no domain controller" which worked somewhere

* rejoining the domain		(didn't work for me)

* reinstalling WinXP		(not really an option)


* GPL  NTConfig.POL file which does the most important stuff (folder 
redirection etc)

* GPL  gpedit.msc which is a proposal for everybody to use (applied 
manually at every workstation)

cool links:

any more ideas?
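
Added example, not part of the original post: a small auditor that reads a regedit text export from a workstation and reports the state of the client-side settings listed above, so machines still carrying the compatibility settings can be found later. The Netlogon and Lsa value names (RequireSignOrSeal, SignSecureChannel, LmCompatibilityLevel) are the standard Windows names behind those policies and are not given in the post; the sample export is constructed.

```python
import re

# Registry keys behind the settings listed in the post. The Netlogon and Lsa
# value names are standard Windows names, not taken from the post itself.
NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (regedit 5.00 text format), not from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000
"SignSecureChannel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DeleteRoamingCache"=dword:00000001
'''

def parse_reg(text):
    """Return {(key_path_lower, value_name_lower): int} for every dword value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """List findings for the workstation settings the post describes."""
    v = parse_reg(text)
    get = lambda k, n: v.get((k.lower(), n.lower()))
    findings = []
    if get(NETLOGON, "RequireSignOrSeal") == 0:
        findings.append("secure channel signing/sealing is not required")
    lm = get(LSA, "LmCompatibilityLevel")
    if lm is not None and lm < 3:
        findings.append(f"LmCompatibilityLevel={lm}: LM or NTLMv1 responses are still sent")
    if get(WINLOGON, "DeleteRoamingCache") != 1:
        findings.append("cached roaming profile copies are kept after logoff")
    return findings
```

Real regedit exports are usually UTF-16, so decode the file before passing its text to `audit`.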

