[Samba] win 10 client on linux pdc, join domain ok, logon script fails to run

coxsterdillon coxsterdillon at hotmail.com
Tue Oct 4 14:18:15 UTC 2016


Just in case someone looks at this thread, I've fixed my Samba Win10 issue
with PDC.  Here's what I did:

To overcome perhaps a DNS issue where the complete name of the server,
including the top-level domain name, could not access the box as
\\hostname.tld\<share>,

I changed the hostname to match the NetBIOS name.

# echo dev2 > /etc/hostname

Edited the hosts file to make sure the old name was removed.

/etc/hosts contains	localhost	dev2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/resolvconf/resolv.conf.d/tail contains

domain dev2

/etc/nsswitch.conf contains

group:          compat winbind
shadow:         compat

hosts: files winbind mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/samba/smb.conf contains:

   workgroup = COMPO
   netbios name = DEV2
   server string = %h server (Samba, Ubuntu)
   domain master = yes
   preferred master = yes
   local master = yes
   domain logons = yes
   add machine script = sudo /usr/sbin/useradd -N -g pdcmachines -c Machine -d /var/lib/samba -s /bin/false %u
   security = user
   encrypt passwords = yes
   wins support = yes
   name resolve order = wins lmhosts hosts bcast
   logon path = \\%N\%U\profile
   logon drive = H:
   logon home = \\%N\%U
   logon script = logon.bat
   panic action = /usr/share/samba/panic-action %d
   unix password sync = yes
   obey pam restrictions = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*.
   pam password change = yes
   server max protocol = NT1

   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

   comment = Global shared directory
   browseable = yes
   path = /home/share
   valid users = %U
   directory mask = 0700
   create mask = 0700
   read only = no

   comment = Temporary shared data directory
   browseable = yes
   path = /home/temp
   valid users = %U
   directory mask = 0700
   create mask = 0700
   read only = no

   path = /srv/samba/netlogon
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   guest ok = yes
   comment = Network Logon Service

I found all the Samba users had the old TLD name associated, so I changed
them as follows for each:

pdbedit -r <username> -I COMPO


Important part for Windows 10.  When I joined each user to the domain COMPO,


If you reboot, it will prompt to log in a user and state the domain under
the user name box, in my case COMPO.

However, it kind of left each user part of the domain, able to use shares but
not fully on the domain if you enter the Samba password to log in.

So for each user I log off.  Click switch user.  Even though it says domain
COMPO under the user name, I manually type "COMPO\<username>".

Then each user is logged into a new account in Windows 10, each says
COMPO\<username> and magically their login scripts run!

I also followed the Windows 10 group policy for hardened UNC:


and the Windows 8 delayed boot group policy (with it set to disabled,
default was unset):


Hope this helps someone
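
A consistency check for the naming steps described in the message above, as an added example that is not part of the original post: it parses smb.conf, the hostname and /etc/hosts and reports mismatches. The `[global]` and `[netlogon]` section headers, the function names, the old host name `oldbox.example.tld` and the sample addresses are assumptions constructed for illustration.

```python
# Added example: checks that hostname, netbios name and /etc/hosts agree.
# All sample inputs are constructed; "oldbox.example.tld" is a placeholder.

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}} (names lowercased)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check_pdc_naming(smb_conf, hostname, hosts, old_name):
    """Return a list of mismatches between smb.conf, hostname and /etc/hosts."""
    findings = []
    conf = parse_smb_conf(smb_conf)
    glob = conf.get("global", {})
    short = hostname.strip().split(".")[0]
    netbios = glob.get("netbios name", "")
    if netbios.lower() != short.lower():
        findings.append(f"hostname {short!r} != netbios name {netbios!r}")
    for line in hosts.splitlines():
        names = line.split("#", 1)[0].split()[1:]  # drop the address column
        if any(n.lower() == old_name.lower() for n in names):
            findings.append(f"/etc/hosts still maps {old_name!r}")
    if glob.get("domain logons", "no").lower() in ("yes", "true", "1"):
        if glob.get("logon script") and "path" not in conf.get("netlogon", {}):
            findings.append("logon script set but no [netlogon] path")
    return findings

OLD = "oldbox.example.tld"  # placeholder for the previous FQDN
SMB_CONF = """
[global]
   netbios name = DEV2
   domain logons = yes
   logon script = logon.bat
[netlogon]
   path = /srv/samba/netlogon
"""
GOOD_HOSTS = "127.0.0.1 localhost\n127.0.1.1 dev2\n"
BAD_HOSTS = "127.0.0.1 localhost\n127.0.1.1 oldbox.example.tld oldbox\n"
print(check_pdc_naming(SMB_CONF, "dev2", GOOD_HOSTS, OLD))
print(check_pdc_naming(SMB_CONF, OLD, BAD_HOSTS, OLD))
```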

