[Samba] Windows 7 RC

SkyBeam rme at bluemail.ch
Wed Sep 2 01:29:37 MDT 2009



SkyBeam wrote:
> 
> The work-around I am using now is that I renamed my domain using smb.conf
> from "DOMAIN" to "domain.local" (equal to the DNS suffix). Samba
> automatically created a new sambaDomainName entry in LDAP which uses the
> same domain SID. Surprisingly even my vista machine which was joined to
> the DOMAIN NT-Domain did not even complain about the disappeared "DOMAIN"
> and seems to be able to connect to the "domain.local" NT-Domain without
> any change (while in system properties it still claims to be member of the
> "DOMAIN" NT-Domain).
> 

I found another work-around which does not require changing your Samba
configuration (which might have other side-effects too).
You can use group policy to enforce the DNS suffix. To do so open the group
policy editor (e.g. run "gpedit.msc") and go to Administrative Templates =>
Network => DNS Client. Here you can set the "Primary DNS Suffix" policy to
match your DNS domain.

Alternatively you might set the following registry REG_SZ value:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient\NV PrimaryDnsSuffix
Set the value to the desired domain suffix (e.g. "domain.local"). Then reboot
the machine and see 'ipconfig /all' printing your custom primary DNS suffix.
However within the system properties you will still see your "DOMAIN" listed
but it's overridden by the policy value.

You can do this change before or after joining the domain. Note that the
error shown by Windows about the failure to change the primary DNS suffix on
domain join is still there. This change only allows you to fix an invalid
primary DNS suffix which you're otherwise unable to change after domain
join.

So here's a reg file which works for me:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
; Enable NT-Domain compatibility mode
; Default:
; [value not present]
; "DomainCompatibilityMode"=-
"DomainCompatibilityMode"=dword:00000001

; Disable required DNS name resolution
; Default:
; [value not present]
; "DNSNameResolutionRequired"=-
"DNSNameResolutionRequired"=dword:00000000


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
; Disable requirement of signed communication
; My Samba works with signed communication enabled, so no need to disable it.
; Default:
; "RequireSignOrSeal"=dword:00000001
; Disable the usage of strong keys
; Default:
; "RequireStrongKey"=dword:00000001
"RequireStrongKey"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient]
; Enforce DNS suffix
"NV PrimaryDnsSuffix"="domain.local"


With these settings I can join the domain and logon works. However I've
noticed that samba still logs the following message:
[2009/08/15 14:14:41,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(546)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client WIN7TEST machine account WIN7TEST$
[2009/08/15 14:15:18,  0] smbd/service.c:make_connection_snum(740)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2009/08/15 14:15:30,  0] smbd/nttrans.c:call_nt_transact_ioctl(1989)
  call_nt_transact_ioctl(0x1401c4): Currently not implemented.

Probably it's a bug of Samba 3.3.4 which still permits logon even if
machine authentication fails. The NT_STATUS_ACCESS_DENIED is repeated many
times.
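As an added example (not part of the original post and not Samba or Microsoft code), here is a small Python script that parses a Regedit 5.00 export such as the .reg file above and reports which values relax the Netlogon secure channel or domain-controller discovery checks before the file is imported on a workstation. The embedded sample is the post's .reg file reproduced inline with the wrapped comment joined; the reason strings are this example's own one-line summaries of what each setting does, not text from the post.

```python
import re

# Constructed sample: the .reg file from the post above, with the wrapped
# comment line joined so that regedit accepts it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
; Enable NT-Domain compatibility mode
"DomainCompatibilityMode"=dword:00000001
; Disable required DNS name resolution
"DNSNameResolutionRequired"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
; Default left in place: "RequireSignOrSeal"=dword:00000001
; Disable the usage of strong keys
"RequireStrongKey"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient]
; Enforce DNS suffix
"NV PrimaryDnsSuffix"="domain.local"
"""

# Registry paths used in the post (the Netlogon and LanmanWorkstation keys).
NETLOGON = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters'
LANMAN = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters'

# (key, value name, value) -> why a reviewer should notice it.  These reasons
# are this example's own summaries, not text from the post.
WEAKENING = {
    (NETLOGON.lower(), 'requiresignorseal', 0): 'secure channel no longer requires signing or sealing',
    (NETLOGON.lower(), 'requirestrongkey', 0): 'secure channel accepts a non-strong session key',
    (LANMAN.lower(), 'dnsnameresolutionrequired', 0): 'workstation no longer requires DNS resolution of the DC',
    (LANMAN.lower(), 'domaincompatibilitymode', 1): 'NT4-style domain compatibility mode enabled',
}

_KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')                  # [key] or [-key]
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')      # "name"=... or @=...


def _decode(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw == '-':
        return None                                  # value deletion
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw                                       # hex:, hex(2): etc. left raw


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key: {value name: value}}.

    Comment lines (';') and blank lines are skipped, '[-key]' marks a key
    deletion and '"name"=-' yields None for a value deletion."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith('Windows Registry Editor Version'):
        raise ValueError('missing Regedit 5.00 header')
    keys, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            if m.group(1) == '-':
                keys[current]['__delete__'] = True
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f'unparsable line: {line!r}')
        name = m.group(1)
        if name != '@':
            name = name[1:-1].replace('\\"', '"')
        keys[current][name] = _decode(m.group(2))
    return keys


def audit(keys):
    """Return (key, name, value, reason) for every weakening setting present."""
    findings = []
    for key, values in keys.items():
        for name, value in values.items():
            reason = WEAKENING.get((key.lower(), name.lower(), value))
            if reason is not None:
                findings.append((key, name, value, reason))
    return findings


if __name__ == '__main__':
    for key, name, value, reason in audit(parse_reg(SAMPLE_REG)):
        print(f'{key}\\{name} = {value}: {reason}')
```

Run against the sample it flags DomainCompatibilityMode, DNSNameResolutionRequired and RequireStrongKey; RequireSignOrSeal is not reported because the post leaves it commented out at its default, which is the point of keeping the default comments in the file.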