Getting Samba3 and Windows7 (or Vista) to play nice with each other is a rather tedious process. Even under ideal circumstances there are still inconsistent/intermittent errors that crop up all over the place. This document represents our best efforts to make it work. But really, you should move on to Samba4.
Also, a special shout-out to carolinahelpdesk.com, who we've worked with on a few Samba3/Windows7 issues.
Requirements
For this environment to work properly it's critical to have functional DNS and NTP on the network: the Windows clients locate the domain controller by name, and clocks that disagree make roaming-profile synchronisation unreliable and client/server logs impossible to correlate. WINS is mostly dead but still in use, so to make things work properly we need DNS, and the Samba WINS server can be told to fall back to DNS for names it doesn't know (dns proxy = yes in smb.conf).
Also, depending on your environment, winbind may not be necessary. If you have a large number of users, or want domain users and groups mapped to Unix IDs automatically, you'll want it; smaller installations and those that don't have an LDAP back-end can disable/remove it.
Overview
The basic 8-step process for this to work right is:
- Configure DNS, NTP, Samba
- Configure Windows7 system time and DNS/network settings
- Configure Windows7 Registry (as local admin), reboot
- Configure Windows7 Group Policy, reboot
- Join to Domain, reboot
- As Local Admin add the Domain Admins and Domain Users groups to the local Administrators group, reboot (note that putting Domain Users in Administrators makes every domain account a local administrator of that workstation; if you only need it to get the join working, take it out again afterwards)
- Login as Domain User
- Sometimes have to un-join/re-join at this point
Also, sometimes even after all these hacks the Windows7 machine will fall off the domain with a trust relationship failure; generally the fix is to un-join/re-join.
Windows 7 Registry Fix
One of my least favourite issues is that Windows7 needs a bundle of registry hacks. Ideally these would not be necessary, and a few of them (UAC off, remote UAC filtering off, machine password never rotated) lower the workstation's security; they are marked in the comments so you can decide which ones you actually need.
nb: these hacks are for Samba >=3.4; if you're using a version older than that then upgrade, otherwise you'll just give yourself a headache.
Windows Registry Editor Version 5.00

; Win7/Samba 3.4.x - Workstation Share
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters]
"AutoShareWks"=dword:00000001

; Win7/Samba 3.4.x - Compat
; These two are what Windows 7 needs in order to join an NT4-style (Samba 3) domain at all.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
; AllowPlain ....
; Left commented out on purpose: setting this to 0 stops the client requiring SMB signing.
; RequireSecuritySignature"=dword:00000000

; Win7/Samba 3.4.x - Compat
; http://us.generation-nt.com/answer/samba-rejecting-auth-request-client-xxx-machine-account-win7-help-206090182.html#206092242
; DisablePasswordChange=1 stops the workstation rotating its machine-account password
; (every 30 days by default), which is what triggers the trust relationship failure
; described below; the price is a machine password that never changes.
; RequireSignOrSeal=1 and RequireStrongKey=1 keep the netlogon secure channel signed or
; sealed with a strong session key; they are set deliberately, do not lower them to 0
; to make an auth error go away.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
"DisablePasswordChange"=dword:00000001
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001

; Turn off last user logged in stuff.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001

; Disable the security center stuff annoyances (left commented out; it would set the
; Security Center service to manual start).
; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
; "Start"=dword:00000003

; Speedup settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"SlowLinkDetectEnabled"=dword:00000000
"DeleteRoamingCache"=dword:00000001
"WaitForNetwork"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001

; Can drive you nuts. Both of these weaken the workstation: EnableLUA=0 turns UAC off
; completely, and LocalAccountTokenFilterPolicy=1 removes the UAC remote restrictions,
; so any account in the local Administrators group gets a full admin token over the
; network (admin shares, remote registry, remote service control). Leave them out if
; you can live with UAC.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001

; Stupid keys that make the windows 7 sysprep crap out.
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"RestartSetup"=dword:00000000
"SetupType"=dword:00000000
"SystemSetupInProgress"=dword:00000000
"SetupPhase"=dword:00000000
"CmdLine"=""
"OOBEInProgress"=dword:00000000
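Before importing a .reg file like the one above it helps to see, mechanically, which entries it sets and which of them lower the workstation's security. The following is an added example, not code from the original page: it parses the .reg syntax (only the dword and quoted-string value types used in this fix) and flags the values the editor regards as weakening. SAMPLE_REG is a constructed subset of the settings above, and the WEAKENING table is the editor's own assessment, not something the page states.

```python
"""Parse a Windows .reg export and flag settings that lower the workstation's
security posture. Added example; SAMPLE_REG and WEAKENING are constructed by
the editor, not taken from the original page."""
import re

# Constructed sample: a subset of the registry fix above, in .reg syntax.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; Win7/Samba 3.4.x - Compat
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
; RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
"DisablePasswordChange"=dword:00000001
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001

; Can drive you nuts
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001
"""

# (key path suffix, value name, value) -> why it matters. Paths and names are
# compared case-insensitively because the registry is case-insensitive.
# This table is the editor's assessment (hypothetical list, not from the page).
WEAKENING = {
    ("services\\netlogon\\parameters", "disablepasswordchange", 1):
        "machine-account password is never rotated",
    ("services\\netlogon\\parameters", "requiresignorseal", 0):
        "netlogon secure channel may be unsigned/unsealed",
    ("services\\netlogon\\parameters", "requirestrongkey", 0):
        "netlogon secure channel may use a weak session key",
    ("services\\lanmanworkstation\\parameters", "requiresecuritysignature", 0):
        "client no longer requires SMB signing",
    ("currentversion\\policies\\system", "enablelua", 0):
        "UAC is disabled entirely",
    ("currentversion\\policies\\system", "localaccounttokenfilterpolicy", 1):
        "local Administrators-group accounts get a full admin token over the network",
}

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
_STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for dword and string values.
    Lines starting with ';' are comments and are skipped, so a commented-out
    setting (like RequireSecuritySignature above) is not reported as set."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("path")
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value outside of any key: %r" % line)
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
            continue
        m = _STR_RE.match(line)
        if m:
            keys[current][m.group("name")] = m.group("val")
            continue
        raise ValueError("unrecognised line (only dword and string values handled): %r" % line)
    return keys


def find_weakening(keys):
    """Return a sorted list of (value_name, reason) for every parsed setting
    whose key, name and value match an entry in WEAKENING."""
    hits = []
    for path, values in keys.items():
        lpath = path.lower()
        for name, value in values.items():
            for (suffix, wname, wval), reason in WEAKENING.items():
                if lpath.endswith(suffix) and name.lower() == wname and value == wval:
                    hits.append((name, reason))
    return sorted(hits)


if __name__ == "__main__":
    for name, reason in find_weakening(parse_reg(SAMPLE_REG)):
        print("%-32s %s" % (name, reason))
```

Run it against the full fix from the page (read the file instead of SAMPLE_REG) and you get three hits: DisablePasswordChange, EnableLUA and LocalAccountTokenFilterPolicy; the commented-out RequireSecuritySignature line is correctly not reported, and the two Require* netlogon keys are not flagged because they are set to 1.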
Windows7 Group Policy
- Computer » Admin. Templates » System » User Profiles
  - Do not check for user ownership of Roaming Profile Folders: Enabled
  - Delete cached copies of roaming profiles: Enabled
- Computer » Windows Settings » Security Settings » Local Policies » Security Options
  - Network security: LAN Manager authentication level: Send LM & NTLM - use NTLMv2 session security if negotiated
  - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: untick "Require 128-bit encryption"
  - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: untick "Require 128-bit encryption"
Caveat: the LAN Manager level above makes the workstation send LM and NTLM responses, which are weak and can be captured and cracked by anyone on the same network segment. Try "Send NTLMv2 response only" first and only fall back to this level if authentication against your Samba version fails. Unticking the 128-bit requirement likewise lowers the minimum session security the workstation will accept.
Common Error Messages
Even after all this you'll see loads of spew in the Samba logs; here's some information about the messages that matter.
The Trust Relationship Failure
With Samba 3, Windows computers sometimes fall off the domain, resulting in a trust relationship failure:
The trust relationship between this workstation and the primary domain failed.
This is generally caused by a mismatch between the machine-account password held by the workstation and the one held by the domain controller: Windows rotates the machine-account password (every 30 days by default), and if the new password does not end up in the Samba passdb the workstation can no longer set up its secure channel. To reset it you must un-join/re-join the domain; on Windows 7, Test-ComputerSecureChannel -Repair from an elevated PowerShell prompt may repair the channel without a full re-join, but if that fails, un-join/re-join is the reliable fix. The DisablePasswordChange registry setting above stops the rotation and should therefore stop this recurring, at the cost of a machine password that never changes.
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MACHINE machine account MACHINE$
....
This is the Samba-side view of the same problem: the workstation MACHINE$ tried to set up its netlogon secure channel using a machine-account password that does not match the one Samba has stored.
Primary group S-1-5-21-SID for user user$ is a UNKNOWN and not a domain group
...
Here the Unix primary group of the machine account (the group you created for machine accounts, for example "machines") has no Samba group mapping, so Samba cannot express it as a domain group. Map it with net groupmap (for example onto Domain Computers, RID 515) or give the machine accounts a primary group that is already mapped.
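To spot these two problems in a busy log without reading all the spew, the following added example (not code from the original page) scans Samba log text for the two messages quoted above and reports which machine accounts have lost their secure channel and which primary-group SIDs lack a mapping, together with the remedy the text above gives for each. SAMPLE_LOG is constructed by the editor from the quoted message formats, with hypothetical hostnames and a hypothetical SID; the "[date, level]" prefix mimics Samba's log header but omits the source-file location Samba normally prints there.

```python
"""Scan Samba 3 log output for netlogon rejections and unmapped primary
groups. Added example; SAMPLE_LOG is constructed (hypothetical hostnames,
SID and timestamps), not a real capture."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[2011/03/14 09:12:01,  0]
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-ACCT03 machine account PC-ACCT03$
[2011/03/14 09:12:07,  0]
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-ACCT03 machine account PC-ACCT03$
[2011/03/14 09:15:44,  0]
  Primary group S-1-5-21-1234567890-234567890-345678901-3001 for user pc-lab07$ is a UNKNOWN and not a domain group
[2011/03/14 09:20:10,  1]
  pc-lab07 (10.0.0.57) connect to service netlogon initially as user pc-lab07$ (uid=1007, gid=1002) (pid 4242)
"""

# re.search rather than anchoring, so the message may follow a log prefix.
NETLOGON_REJECT = re.compile(
    r"_netr_ServerAuthenticate3: netlogon_creds_server_check failed\. "
    r"Rejecting auth request from client (?P<client>\S+) machine account (?P<account>\S+\$)")
UNKNOWN_PRIMARY_GROUP = re.compile(
    r"Primary group (?P<sid>S-1-5-21-[\d-]+) for user (?P<user>\S+) is a UNKNOWN and not a domain group")


def scan_samba_log(text):
    """Return {'trust_failures': {machine_account: rejection_count},
               'unmapped_groups': {group_sid: [users]}}.
    Lines that match neither pattern (normal connect messages etc.) are ignored."""
    trust = defaultdict(int)
    unmapped = defaultdict(set)
    for line in text.splitlines():
        m = NETLOGON_REJECT.search(line)
        if m:
            trust[m.group("account")] += 1
            continue
        m = UNKNOWN_PRIMARY_GROUP.search(line)
        if m:
            unmapped[m.group("sid")].add(m.group("user"))
    return {"trust_failures": dict(trust),
            "unmapped_groups": {sid: sorted(users) for sid, users in unmapped.items()}}


def suggested_actions(report):
    """Turn a scan report into one action line per finding, using the remedies
    given in the text above: re-join for a machine-password mismatch, a Samba
    group mapping for an unmapped primary group."""
    actions = []
    for account, count in sorted(report["trust_failures"].items()):
        actions.append("%s: %d netlogon rejections; machine-account password mismatch, "
                       "un-join/re-join the workstation" % (account, count))
    for sid, users in sorted(report["unmapped_groups"].items()):
        actions.append("%s: primary group of %s has no Samba group mapping; "
                       "add one with 'net groupmap'" % (sid, ", ".join(users)))
    return actions


if __name__ == "__main__":
    for line in suggested_actions(scan_samba_log(SAMPLE_LOG)):
        print(line)
```

Point it at /var/log/samba/log.* on the domain controller (with log level high enough to include level 0 and 1 messages, which the defaults do) and the repeated rejections for one machine account tell you which workstation is about to show the trust relationship dialog, before the user does.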