Getting Samba3 and Windows7 (or Vista) to play nice with each other is a rather tedious process. Even under ideal circumstance there are still inconsistent/intermittent errors that crop up all over the place. This document represents our best efforts to make it work. But really, you should move on to Samba4.

Also, special shouts to carolinahelpdesk.com who we've worked with on a few Samba3/Windows7 issues.

Requirements

For this environment to work properly it's critical to have a functional DNS and NTP on the network. WINS is mostly dead but still in use, so to make things work properly we need DNS (and WINS may proxy to DNS).

Also, depending on your environment, winbind is not necessary. If you have a large number of users you'll want it. But smaller installations and those that don't have an LDAP back-end can disable/remove it.

Overview

The basic 8 step process for this to work right is:

  1. Configure DNS, NTP, Samba
  2. Configure Windows7 system time and DNS/network settings
  3. Configure Windows7 Registry (as local admin), reboot
  4. Configure Windows7 Group Policy, reboot
  5. Join to Domain, reboot
  6. As Local Admin add Domain Admins and Domain Users group to local Administrators group, reboot
  7. Login as Domain User
  8. Sometimes have to un-join/re-join at this point

Also, some times even after all these hacks the Windows7 will fall off the domain, trust relationship failure - generally the fix is to un-join/re-join.

Windows 7 Registry Fix

One of my least favourite issues is that Windows7 needs a bundle of registry hacks. Ideally these would not be necessary.

nb: these hack are for Samba >=3.4; if you're using a version older than that then upgrade - otherwise you'll just give yourself a headache.

Windows Registry Editor Version 5.00

; Win7/Samba 3.4.x - Workstation Share
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters]
"AutoShareWks"=dword:00000001

; Win7/Samba 3.4.x - Compat
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
; AllowPlain ....
; RequireSecuritySignature"=dword:00000000

; Win7/Samba 3.4.x - Compat
; http://us.generation-nt.com/answer/samba-rejecting-auth-request-client-xxx-machine-account-win7-help-206090182.html#206092242
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
"DisablePasswordChange"=dword:00000001
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001

;Turn off last user logged in stuff.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001

;Disable the security center stuff annoyances
; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
; "Start"=dword:00000003

; Speedup settings
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"SlowLinkDetectEnabled"=dword:00000000
"DeleteRoamingCache"=dword:00000001
"WaitForNetwork"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001

; Can drive you nuts
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001

;Stupid keys that make the windows 7 sysprep crap out.
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"RestartSetup"=dword:00000000
"SetupType"=dword:00000000
"SystemSetupInProgress"=dword:00000000
"SetupPhase"=dword:00000000
"CmdLine"=""
"OOBEInProgress"=dword:00000000

Windows7 Group Pollicy

Common Error Messages

Even after all this you'll see loads of spew in the Samba logs, here's some information about that.

The Trust Relationship Failure

Using Samba 3 sometimes some Windows computers fall off the domain, resulting in a trust relationship failure.

The trust relationship between this workstation and the primary domain failed.

This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain. The fix above, with regards to DisablePasswordChange should resolve this.

_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MACHINE machine account MACHINE$

....

Primary group S-1-5-21-SID for user user$ is a UNKNOWN and not a domain group

...

See Also