Getting Samba3 and Windows7 (or Vista) to play nice with each other is a rather tedious process. Even under ideal circumstance there are still inconsistent/intermittent errors that crop up all over the place. This document represents our best efforts to make it work. But really, you should move on to Samba4.
Also, special shouts to carolinahelpdesk.com who we've worked with on a few Samba3/Windows7 issues.
For this environment to work properly it's critical to have a functional DNS and NTP on the network. WINS is mostly dead but still in use, so to make things work properly we need DNS (and WINS may proxy to DNS).
Also, depending on your environment, winbind is not necessary. If you have a large number of users you'll want it. But smaller installations and those that don't have an LDAP back-end can disable/remove it.
The basic 8 step process for this to work right is:
Also, some times even after all these hacks the Windows7 will fall off the domain, trust relationship failure - generally the fix is to un-join/re-join.
One of my least favourite issues is that Windows7 needs a bundle of registry hacks. Ideally these would not be necessary.
nb: these hack are for Samba >=3.4; if you're using a version older than that then upgrade - otherwise you'll just give yourself a headache.
Windows Registry Editor Version 5.00 ; Win7/Samba 3.4.x - Workstation Share [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters] "AutoShareWks"=dword:00000001 ; Win7/Samba 3.4.x - Compat [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters] "DNSNameResolutionRequired"=dword:00000000 "DomainCompatibilityMode"=dword:00000001 ; AllowPlain .... ; RequireSecuritySignature"=dword:00000000 ; Win7/Samba 3.4.x - Compat ; http://us.generation-nt.com/answer/samba-rejecting-auth-request-client-xxx-machine-account-win7-help-206090182.html#206092242 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters] "DisablePasswordChange"=dword:00000001 "RequireSignOrSeal"=dword:00000001 "RequireStrongKey"=dword:00000001 ;Turn off last user logged in stuff. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"=dword:00000001 ;Disable the security center stuff annoyances ; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc] ; "Start"=dword:00000003 ; Speedup settings [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "SlowLinkDetectEnabled"=dword:00000000 "DeleteRoamingCache"=dword:00000001 "WaitForNetwork"=dword:00000000 "CompatibleRUPSecurity"=dword:00000001 ; Can drive you nuts [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "EnableLUA"=dword:00000000 "LocalAccountTokenFilterPolicy"=dword:00000001 ;Stupid keys that make the windows 7 sysprep crap out. [HKEY_LOCAL_MACHINE\SYSTEM\Setup] "RestartSetup"=dword:00000000 "SetupType"=dword:00000000 "SystemSetupInProgress"=dword:00000000 "SetupPhase"=dword:00000000 "CmdLine"="" "OOBEInProgress"=dword:00000000
Even after all this you'll see loads of spew in the Samba logs, here's some information about that.
Using Samba 3 sometimes some Windows computers fall off the domain, resulting in a trust relationship failure.
The trust relationship between this workstation and the primary domain failed.
This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain. The fix above, with regards to DisablePasswordChange should resolve this.