[Samba] WinXP support

Mal Beaton mal at mbeaton.id.au
Wed Jun 11 22:45:37 GMT 2003


This was posted last week in relation to winxp and samba


-------- Original Message --------
Subject: SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache!!
Date: Thu, 05 Jun 2003 16:07:38 +0200
From: Daniel Zeiss <dzeiss at gwdg.de>
To: samba at lists.samba.org
References: <20030605095058.GC22513 at king.net.nz>

Hello All,

so let's summarize a bit the trouble which is out there with Samba and
WinXP Pro using Samba as PDC. (Also something for the howto for John :-)

Trouble
-------

* very unsatisfactory performance when clients log on

* trouble with "no domain controller" even because WinXP client didn't
   really check
   seems there are similar problems with NT4 servers:
http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&oe=UTF-8&threadm=e%23bq23q7BHA.2080%40tkmsftngp05&rnum=9&prev=/groups%3Fq%3Dwin%2Bxp%2B%2Bnt4%26hl%3Dde%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3De%2523bq23q7BHA.2080%2540tkmsftngp05%26rnum%3D9


* simple folder redirection activates Windows Offline Files function
  (not always wanted)

* NEW! smbpasswd won't find a machine account in the LDAP database:
	when not putting the machine account in /etc/passwd the command
	smbpasswd -m -a machinename$  will fail, even with the same
	entries in LDAP

* WinXP clients which do just part of the netlogonscript and stop there


* samba log file which doesn't tell much on why some things fail

* many hours of "sort it once and for all" but no solution


Stuff to do on WinXP to use Samba (which I assume we all did):
------

* network encryption
			
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
or
Group Policy editor (gpedit.msc)
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options
deactivate:
Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally sign secure channel data (when possible)


* Network security: LAN Manager Authentication Level change to use "LM
and NTLM"

*for roaming profiles:
  run gpedit.msc
	Select Computer Configuration > Administrative Templates >
	 System > User Profiles
	    * Do not check for user ownership of Roaming Profile Folders
		 - Enabled
or
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
  "CompatibleRUPSecurity"=dword:00000001
or
in smb.conf   (RECOMMENDED!!)
[profile]
     profile acls = yes


* delete local copies of roaming profiles
	Select Computer Configuration > Administrative Templates >
	 System > User Profiles
	    * Delete cache copies of roaming profiles

or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Edit or add value DeleteRoamingCache as type REG_DWORD. Set it to 1.

* turn off slow link connection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SlowLinkDetectEnabled"=dword:00000000

* disable fast user switching
   it is done with the group policies. it should help windows to wait for
   the network to get online. sorry. can't find the link anymore.


* tell WinXP to use NTConfig.POL file from NETLOGON share
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q274478&
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update\NetworkPath
value REG_SZ (UNC) path  eg: \\Servername\Policies\Ntconfig.pol.

Solutions for "no domain controller" which worked somewhere
---------

* rejoining the domain		(didn't work for me)

* reinstalling WinXP		(not really an option)


Suggestions
-----------

* GPL  NTConfig.POL file which does the most important stuff (folder
redirection etc)

* GPL  gpedit.msc which is a proposal for everybody to use (applied
manually at every workstation)


cool links:
http://hr.uoregon.edu/davidrl/samba/
http://www.diariolinux.com/phorum/list.php?f=17

any more ideas?

bye
Daniel

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


-- 
M.J. Beaton                 		
Miju Systems http://www.miju.com.au/     		
PO Box 176, Corinda Q 4075, Australia
ABN 48 065 548 496


Email: mal.beaton at miju.com.au      		
Phone: +61 0414 350 292                    	   		
Fax:   +61 7 3278 2343


Ryan Novosielski wrote:
> Is there anything that one should be aware of when setting them up, other
> than the required sign or seal reg-hack?
> 
> ---- _  _ _  _ ___  _  _  _
> |Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
> |$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
> \__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
> 
> On Wed, 11 Jun 2003, Ashley Burt wrote:
> 
> 
>>We have been running XP in a University environment for several months now
>>and we have not had a single problem.  We actually prefer XP over 2000.
>>
>>---------------------------------------------------
>>Ashley F. Burt
>>Network Administrator
>>Veterinary Medicine Computer Group
>>---------------------------------------------------
>>
>>
>>-----Original Message-----
>>From: samba-bounces+burtash=auburn.edu at lists.samba.org
>>[mailto:samba-bounces+burtash=auburn.edu at lists.samba.org] On Behalf Of Ryan
>>Novosielski
>>Sent: Wednesday, June 11, 2003 10:39 AM
>>To: Samba Mailing List
>>Subject: [Samba] WinXP support
>>
>>I am ordering new workstations for my university, and my supervisor is
>>requesting that the machines come with XP pre-installed. I am very tempted
>>to recommend against this, as we make heavy use of Samba and I know from
>>experience that trying to be current when using Samba is not a great idea.
>>
>>Will I be at all sorry if I choose XP over 2000, or are they similar
>>enough so that Samba support is very good for both?
>>
>>Thanks for the input.
>>
>>---- _  _ _  _ ___  _  _  _
>>|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
>>|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
>>\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

-- 
Mal

http://mbeaton.id.au:5537/
:wq!
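The registry changes in the forwarded summary switch off Netlogon secure-channel signing and sealing and the roaming-profile ownership check on the client, so it helps to be able to find workstations that still carry them. As an added example (not part of the original thread), this Python sketch parses a `.reg` export and reports which of the summary's values are set; the sample export and the function names are constructed for illustration, and the text is assumed to be already decoded.

```python
import re

HKLM = "hkey_local_machine\\"
NETLOGON = HKLM + r"system\currentcontrolset\services\netlogon\parameters"
WINLOGON = HKLM + r"software\microsoft\windows nt\currentversion\winlogon"
POLICY = HKLM + r"software\policies\microsoft\windows\system"

# (key, value name) -> (value the summary sets, relaxes a security check?, note)
WATCHED = {
    (NETLOGON, "requiresignorseal"): (0, True, "secure channel signing/sealing not required"),
    (NETLOGON, "signsecurechannel"): (0, True, "secure channel signing turned off"),
    (POLICY, "compatiblerupsecurity"): (1, True, "roaming profile ownership check skipped"),
    (WINLOGON, "slowlinkdetectenabled"): (0, False, "slow link detection off"),
    (WINLOGON, "deleteroamingcache"): (1, False, "cached roaming profiles deleted"),
}

SECTION = re.compile(r"^\[(-?)(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg_dwords(text):
    """Return {(key path, value name): int}, both lowercased, for each dword in a .reg export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = SECTION.match(line)
        if m:
            # "[-KEY]" deletes a key on import, so it carries no values to audit
            key = None if m.group(1) else m.group(2).lower()
            continue
        m = DWORD.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return (value name, relaxes_security, note) for each watched value set as in the summary."""
    found = parse_reg_dwords(text)
    hits = [(name, weak, note)
            for (key, name), (want, weak, note) in WATCHED.items()
            if found.get((key, name)) == want]
    return sorted(hits, key=lambda h: (not h[1], h[0]))  # security-relevant first

# Constructed sample export, not taken from a real machine
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000
"SignSecureChannel"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SlowLinkDetectEnabled"=dword:00000000
"""

if __name__ == "__main__":
    for name, weak, note in audit(SAMPLE):
        print(("WEAKENED " if weak else "tuning   ") + name + ": " + note)
```
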



