SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache!!
Daniel Zeiss
dzeiss at gwdg.de
Thu Jun 5 14:07:38 GMT 2003
Hello All,
so lets summarize a bit the trouble which is out there with Samba and
WinXP Pro using Samba as PDC. (Also something for the howto for John :-)
Trouble
-------
* very unsatisfactory performace when clients log on
* trouble with "no domain controller" even because WinXP client didnt
really check
seems there are similar problems with NT4 servers :
http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&oe=UTF-8&threadm=e%23bq23q7BHA.2080%40tkmsftngp05&rnum=9&prev=/groups%3Fq%3Dwin%2Bxp%2B%2Bnt4%26hl%3Dde%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3De%2523bq23q7BHA.2080%2540tkmsftngp05%26rnum%3D9
* simple folder redirection activates Windows Offline Files function
(not always wanted)
* NEW! smbpasswd wont find a machine account in the LDAP database:
when not putting the machine account in /etc/passwd the command
smbpasswd -m -a machinename$ will fail, even with the same
entries in LDAP
* WinXP clients which do just part of the netlogonscript and stop there
* samba log file which doesn tell much on why somethings fail
* many hours of "sort it once and for all" but no solution
Stuff to do on WinXP to use Samba (which I assume we all did):
------
* network encryption
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
or
Group Policy editor (gpedit.msc)
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options
deactivate:
Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally sign secure channel data (when possible)
* Network security: LAN Manager Authentication Level change to use "LM
and NTLM"
*for roaming profiles:
run gpedit.msc
Select Computer Configuration > Administrative Templates >
System > User Profiles
* Do not check for user ownership of Roaming Profile Folders
- Enabled
or
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
or
in smb.conf (RECOMMENDED!!)
[profile]
profile acls = yes
* delete local copies of roaming profiles
Select Computer Configuration > Administrative Templates >
System > User Profiles
* Delete cache copies of roaming profiles
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Edit or add value DeleteRoamingCache as type REG_DWORD. Set it to 1.
* turn off slow link connection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]
"SlowLinkDetectEnabled"=dword:00000000
* disable fast user switching
it is done with the group policies. it should help windows to wait for
the network to get online. sorry. cant find the link anymore.
* tell WinXP to use NTConfig.POL file from NETLOGON share
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q274478&
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update\NetworkPath
value REG_SZ (UNC) path eg: \\Servername\Policies\Ntconfig.pol.
Solutions for "no domain controll" which worked somewhere
---------
* rejoining the domain (didnt work for me)
* reinstalling WinXP (not really an option)
Suggestions
-----------
* GPL NTConfig.POL file which does the most important stuff (folder
redirection etc)
* GPL gpedit.msc which is a proposal for everybody to use (applied
manually at every workstation)
cool links:
http://hr.uoregon.edu/davidrl/samba/
http://www.diariolinux.com/phorum/list.php?f=17
any more ideas?
bye
Daniel
More information about the samba
mailing list