[Samba] Samba PDC problem

John H Terpstra jht at Samba.Org
Tue Jul 12 14:52:49 GMT 2005


Martin,

None of these changes are necessary if the Samba 3.0.x server is correctly 
configured. I have extensively documented Samba PDC configuration in my book 
"Samba-3 by Example". This book can be obtained from:

http://www.samba.org/samba/docs/Samba3-ByExample.pdf

PS: This is part of the official Samba documentation. I would like to believe 
that it is up to date, given that I spent the past 5 months full-time 
updating all the official documentation.

If there are problems with the documentation (and I am not claiming that 
they are error- or defect-free) please let me know so it can be fixed.

- John T.

On Tuesday 12 July 2005 08:31, Martin Petersen wrote:
> Hi Nicola (again :),
>
> found what You were looking for:
>
>
> Some information I found in the Unofficial Samba HowTo
> (http://hr.uoregon.edu/davidrl/samba.html) on XP Pro clients.
>
> Extract from there follows:
>
> ############## EXTRACT ##############
>
> Windows XP Clients
>
> To force Windows XP Professional clients to accept Samba as a PDC, use
> the built-in XP Group Policy editor (gpedit.msc) and locate the Computer
> Configuration\Windows Settings\Security Settings\Local Policies\Security
> Options branch. Make sure to disable the following policies:
>
> Domain Member: Digitally encrypt or sign secure channel data (always)
> Domain Member: Digitally sign secure channel data (when possible)
>
> Alternately, you can make the following change to the registry:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> "requiresignorseal"=dword:00000000
> "signsecurechannel"=dword:00000000
>
> To disable annoying Event Viewer notifications about "Automatic
> certificate enrollment for local system failed to contact the active
> directory" every eight hours, locate the Computer Configuration\Windows
> Settings\Security Settings\Public Key Policies branch and select "Do not
> enroll certificates automatically" under Autoenrollment Settings. Note
> that this policy won't be available until after the XP machine has
> joined the domain.
>
> If you'd like to use Roaming Profiles with Windows XP clients that have
> Service Pack 1 or later installed, use the built-in XP Group Policy
> editor (gpedit.msc) and locate the Computer Configuration\Administrative
> Templates\System\User Profiles branch. This is described in Microsoft's
> Technet Q327462. Make sure to enable the following policy:
>
> Do not check for user ownership of Roaming Profile Folders
>
> Alternately, you can make the following change to the registry:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> "CompatibleRUPSecurity"=dword:00000001
>
> Alternately as well, you can make the following addition to your
> smb.conf file:
>
> [profile]
>     profile acls = yes
>
> Windows XP Home Edition does not support logging into a Primary Domain
> Controller, so you'll have to use Windows XP Professional instead.
>
> ############## END EXTRACT ##############
>
> Ciao,
>
> Martin

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
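
Added example, not part of the original thread or of the Samba documentation: a small Python audit that reads .reg-style text (e-mail quoting tolerated) and reports the values from the quoted extract that relax Netlogon secure channel signing or the roaming profile ownership check. The function name, rule table and sample export are constructed for illustration.

```python
import re

NETLOGON = r"hkey_local_machine\system\currentcontrolset\services\netlogon\parameters"
POLICY = r"hkey_local_machine\software\policies\microsoft\windows\system"

# (key, value name), both lower-cased -> (weakening DWORD value, meaning).
# Keys, names and values are the ones shown in the quoted extract.
WEAKENING = {
    (NETLOGON, "requiresignorseal"): (0, "signing or sealing of the secure channel is not required"),
    (NETLOGON, "signsecurechannel"): (0, "secure channel signing is not requested"),
    (POLICY, "compatiblerupsecurity"): (1, "roaming profile folder ownership is not checked"),
}

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')


def audit_reg_text(text):
    """Return (key, name, value, meaning) for each weakening setting found."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()   # tolerate e-mail quoting
        if not line or line.startswith(";"):       # blank line or .reg comment
            continue
        m = KEY_RE.match(line)
        if m:                                      # new [key] section starts
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and key:
            name, value = m.group(1), int(m.group(2), 16)
            # Registry key paths and value names are case-insensitive.
            rule = WEAKENING.get((key.lower(), name.lower()))
            if rule and value == rule[0]:
                findings.append((key, name, value, rule[1]))
    return findings


# Constructed sample export: one weakened Netlogon value, one left enabled,
# and the roaming profile compatibility value set.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"SignSecureChannel"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, value, meaning in audit_reg_text(SAMPLE):
        print(f"{key}\\{name} = {value}: {meaning}")
```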

