SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache!!

Thu Jun 5 14:07:38 GMT 2003

Hello All,

so lets summarize a bit the trouble which is out there with Samba and 
WinXP Pro using Samba as PDC. (Also something for the howto for John :-)

Trouble
-------

* very unsatisfactory performace when clients log on

* trouble with "no domain controller" even because WinXP client didnt
   really check
	seems there are similar problems with NT4 servers :
http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&oe=UTF-8&threadm=e%23bq23q7BHA.2080%40tkmsftngp05&rnum=9&prev=/groups%3Fq%3Dwin%2Bxp%2B%2Bnt4%26hl%3Dde%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3De%2523bq23q7BHA.2080%2540tkmsftngp05%26rnum%3D9

* simple folder redirection activates Windows Offline Files function
  (not always wanted)

* NEW! smbpasswd wont find a machine account in the LDAP database:
	when not putting the machine account in /etc/passwd the command
	smbpasswd -m -a machinename$  will fail, even with the same
	entries in LDAP

* WinXP clients which do just part of the netlogonscript and stop there

* samba log file which doesn tell much on why somethings fail

* many hours of "sort it once and for all" but no solution

Stuff to do on WinXP to use Samba (which I assume we all did):
------

* network encryption

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
or
Group Policy editor (gpedit.msc)
Computer Configuration\Windows Settings\Security Settings\Local 
Policies\Security Options
deactivate:
Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally sign secure channel data (when possible)

* Network security: LAN Manager Authentication Level change to use "LM 
and NTLM"

*for roaming profiles:
  run gpedit.msc
	Select Computer Configuration > Administrative Templates >
	 System > User Profiles
	    * Do not check for user ownership of Roaming Profile Folders
		 - Enabled
or
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
  "CompatibleRUPSecurity"=dword:00000001
or
in smb.conf   (RECOMMENDED!!)
[profile]
     profile acls = yes

* delete local copies of roaming profiles
	Select Computer Configuration > Administrative Templates >
	 System > User Profiles
	    * Delete cache copies of roaming profiles

or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Edit or add value DeleteRoamingCache as type REG_DWORD. Set it to 1.

* turn off slow link connection 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]
"SlowLinkDetectEnabled"=dword:00000000

* disable fast user switching
   it is done with the group policies. it should help windows to wait for
   the network to get online. sorry. cant find the link anymore.

* tell WinXP to use NTConfig.POL file from NETLOGON share
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q274478&
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update\NetworkPath
value REG_SZ (UNC) path  eg: \\Servername\Policies\Ntconfig.pol.

Solutions for "no domain controll" which worked somewhere
---------

* rejoining the domain		(didnt work for me)

* reinstalling WinXP		(not really an option)

Suggestions
-----------

* GPL  NTConfig.POL file which does the most important stuff (folder 
redirection etc)

* GPL  gpedit.msc which is a proposal for everybody to use (applied 
manually at every workstation)

cool links:
http://hr.uoregon.edu/davidrl/samba/
http://www.diariolinux.com/phorum/list.php?f=17

any more ideas?

bye
Daniel