[Samba] Windows 10

Thomas Bork tombork at web.de
Thu Mar 31 19:15:56 UTC 2016 

Am 31.03.2016 um 16:24 schrieb Korn, Ute:

> I can bind the clients to the domain without any problem. Afterwards I want to login in the domain, I get the error,
> no logonserver available
> I can change in the smb conf max protocol to NT1  -> now it is possible to login with user xxx in the domain
> We don't want to use our samba server with the NT1 setting, so I will delete this setting

See

https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

#########################################################################
Windows 10: „No logon servers available“

If you have successfully joined Windows 10 to your Samba NT4 domain and 
try to login, you may encounter the error "No logon servers available". 
To workaround, set in your PDCs smb.conf:

max protocol = NT1

After you've restarted Samba, you will be able to login with a domain 
account on Windows 10.

Be aware, that this setting prevent your clients to use newer SMB 
protocol versions than SMB1 with this server! However, this is the way 
the Samba team recommends. There are suggestions out there, to disable 
newer SMB version on Windows 10 client(s) in general. However this will 
prevent them from using newer protocol version with any SMB servers, 
instead of a single one (PDC)!
#########################################################################

If you want to disable newer protocol versions on the Win10 client, you 
can open a command prompt with administrator rights and set:

sc config lanmanworkstation depend=bowser/mrxsmb10/nsi
sc config mrxsmb20 start=disabled

See

https://support.microsoft.com/en-us/kb/2696547


In my experiments I also had to set an additional regpatch for Win10 and 
a Samba 4.3.x NT4-style domain for logon scripts - otherwise the logon 
scripts are not running:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"

Complete regpatch:

############################################################################
Windows Registry Editor Version 5.00

;
; windows10_join_enable.reg
;
; This registry keys are needed for a Windows 10 Client to join
; and logon to a Samba 4.3.x domain.
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
; Enable NT-Domain compatibility mode
; Default:
; [value not present]
; "DomainCompatibilityMode"=-
"DomainCompatibilityMode"=dword:00000001

; Disable required DNS name resolution
; Default:
; [value not present]
; "DNSNameResolutionRequired"=-
"DNSNameResolutionRequired"=dword:00000000

; Disable Mutual authentication, no Kerberos, can fall back to NTLMv2
; Disable Integrity, SMB signing is not required
; Disable Privacy, no SMBv3 must be used
; Default:
; [value not present]
; "\\\\*\\netlogon"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"
############################################################################

-- 
der tom

More information about the samba mailing list