[Samba] Win10 and NT mode: netlogon script seems does not run anymore.

L.P.H. van Belle belle at bazuin.nl
Thu Aug 27 07:49:24 UTC 2020


Hai, 

Thanks for that link, that is very useful. 
Only after reading it I see it's missing a very important part. 

This opens a security leak. See link (dated: Last Updated: Apr 15, 2015) 
https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-executi 

The examples shown there: 
\\<Server>\<Share> 

need to be replaced with 
\\<Server>.<internal.dom.tld>\<Share>

as shown in the Advanced configuration examples. 

Only somewhere in 2018 did MS start pushing the need to use FQDN names on the internal (LAN) side and the Internet side. 

So, don't use this. 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\NETLOGON"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\*\\SYSVOL"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\{MyWindowsDomainName}\\netlogon"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"

You "should" use .. 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*.internal.domain.tld\\NETLOGON"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\*.internal.domain.tld\\SYSVOL"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\internal.domain.tld\\netlogon"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"

These are the example formats from the MS link above. 

And while searching for info on the above problem..

https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias 
@Rowland, have a good look at this one. This one is hitting the list (I have seen this problem too).



Greetz, 

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nick 
> Howitt via samba
> Sent: Wednesday 26 August 2020 17:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Win10 and NT mode: netlogon script 
> seems does not run anymore.
> 
> Try this doc: 
> https://documentation.clearos.com/content:en_us:kb_adding_workstation_to_a_domain
> 
> On 26/08/2020 16:45, Marco Gaiarin via samba wrote:
> > 
> > 
> > [ Rowland, I know, I need to upgrade. ;-) ]
> > 
> > Some months ago, with a relatively big bunch of fixes & tweaks, I 
> > was able to join a Win10 1903 client to a 'NT mode' Samba domain.
> > 
> > 
> > Now I'm trying to do the same with a 1909 version; all 
> > seems to work as before, BUT the netlogon script (defined in smb.conf with:
> > 
> > 	logon script = startup.bat
> > 
> > ) simply seems not to run. No log event in Windows, no 
> > logs on Samba (or nothing that seems relevant to me).
> > 
> > 
> > I've just enabled this registry key:
> > 
> > 	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" /f /v "\\*\NETLOGON" /t REG_SZ /d "RequireMutualAuthentication=0"
> > 
> > reboot, but nothing changed. I'm googling around, but I haven't 
> > found any clue...
> > 
> > 
> > Thanks.
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
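The point Louis makes above about HardenedPaths is easy to get wrong in a .reg export or a GPO: a server pattern of `\\*\NETLOGON` with `RequireMutualAuthentication=0` switches the MS15-011 mitigation off for every server a client is ever pointed at, whereas `\\*.internal.domain.tld\NETLOGON` limits the relaxation to names under the internal DNS suffix. The script below is an added example (not part of the thread, not Samba or Microsoft code) that parses HardenedPaths entries in .reg syntax and flags any entry that relaxes a Require* flag for a server pattern not pinned to a DNS suffix. The two sample fragments are constructed from the ones quoted in the mail; the `is_fqdn_scoped` rule (a dotted name, optionally with a leading `*.`) is this example's own interpretation of the advice, not a Microsoft-defined test.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input (not taken from a live system): the two HardenedPaths
# fragments from the thread, written as they appear in a .reg export.
WEAK_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\NETLOGON"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\*\\SYSVOL"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\{MyWindowsDomainName}\\netlogon"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
'''

SCOPED_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*.internal.domain.tld\\NETLOGON"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\*.internal.domain.tld\\SYSVOL"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
"\\\\internal.domain.tld\\netlogon"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
'''

HARDENED_PATHS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
# One .reg value line: "name"="value"; the name may contain escaped backslashes.
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>[^"]*)"$')


@dataclass
class HardenedPath:
    unc_pattern: str       # e.g. \\*\NETLOGON, after .reg unescaping
    host_pattern: str      # server part, e.g. * or *.internal.domain.tld
    share: str             # share part, e.g. NETLOGON
    flags: Dict[str, str]  # RequireMutualAuthentication / RequireIntegrity / RequirePrivacy


def parse_hardened_paths(reg_text: str) -> List[HardenedPath]:
    """Collect the UNC patterns under the HardenedPaths key of a .reg fragment."""
    entries: List[HardenedPath] = []
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == HARDENED_PATHS_KEY.lower()
            continue
        if not in_key:
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        # .reg syntax writes a single backslash as \\ inside a quoted name
        unc = m.group("name").replace("\\\\", "\\")
        if not unc.startswith("\\\\"):
            continue
        host, _, share = unc[2:].partition("\\")
        flags: Dict[str, str] = {}
        for item in m.group("value").split(","):
            key, _, val = item.strip().partition("=")
            if key:
                flags[key] = val.strip()
        entries.append(HardenedPath(unc, host, share, flags))
    return entries


def is_fqdn_scoped(host_pattern: str) -> bool:
    """True when the server pattern is pinned to a DNS suffix (internal.domain.tld or
    *.internal.domain.tld); a bare * or a flat NetBIOS/domain name is not."""
    stripped = host_pattern[2:] if host_pattern.startswith("*.") else host_pattern
    return "." in stripped and not stripped.startswith("*")


def audit(entries: List[HardenedPath]) -> List[str]:
    """Report entries that disable a Require* check for an unscoped server pattern."""
    findings: List[str] = []
    for e in entries:
        relaxed = [k for k, v in e.flags.items() if v == "0"]
        if relaxed and not is_fqdn_scoped(e.host_pattern):
            findings.append(
                f"{e.unc_pattern}: {', '.join(relaxed)} disabled for unscoped server "
                f"pattern '{e.host_pattern}'; pin it to the internal DNS suffix"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG), ("scoped", SCOPED_REG)):
        print(f"== {label} ==")
        for finding in audit(parse_hardened_paths(text)) or ["no findings"]:
            print(" ", finding)
```

Run as-is, the weak fragment produces one finding per entry (the bare `*` patterns and the flat `{MyWindowsDomainName}` name), while the suffix-scoped fragment produces none, even though its Require* flags are identical; the difference the script surfaces is purely the scope of the exception, which is the point of the advice.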
