SkyBeam wrote:
>
> The work-around I am using now is that I renamed my domain using smb.conf
> from "DOMAIN" to "domain.local" (equal to the DNS suffix). Samba
> automatically created a new sambaDomainName entry in LDAP which uses the
> same domain SID. Surprisingly even my vista machine which was joined to
> the DOMAIN NT-Domain did not even complain about the disappeared "DOMAIN"
> and seems to be able to connect to the "domain.local" NT-Domain without
> any change (while in system properties it still claims to be member of the
> "DOMAIN" NT-Domain).
>

I found another work-around which does not require changing your Samba configuration (which might have other side-effects too). You can use group policy to enforce the DNS suffix.

To do so, open the group policy editor (e.g. run "gpedit.msc") and go to Administrative Templates => Network => DNS Client. Here you can set the "Primary DNS Suffix" policy to match your DNS domain.

Alternatively you might set the following registry REG_SZ value:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient\NV PrimaryDnsSuffix

Set the value to the desired domain suffix (e.g. "domain.local"). Then reboot the machine and see 'ipconfig /all' printing your custom primary DNS suffix. However, within the system properties you will still see your "DOMAIN" listed, but it's overridden by the policy value.

You can do this change before or after joining the domain. Note that the error shown by Windows about the failure to change the primary DNS suffix on domain join is still there. This change only allows you to fix an invalid primary DNS suffix which you're otherwise unable to change after domain join.

So here's a reg file which works for me:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
; Enable NT-Domain compatibility mode
; Default:
; [value not present]
; "DomainCompatibilityMode"=-
"DomainCompatibilityMode"=dword:00000001

; Disable required DNS name resolution
; Default:
; [value not present]
; "DNSNameResolutionRequired"=-
"DNSNameResolutionRequired"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
; Disable requirement of signed communication
; My Samba works with signed communication enabled, so no need to disable it.
; Default:
; "RequireSignOrSeal"=dword:00000001

; Disable the usage of strong keys
; Default:
; "RequireStrongKey"=dword:00000001
"RequireStrongKey"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient]
; Enforce DNS suffix
"NV PrimaryDnsSuffix"="domain.local"

With these settings I can join the domain and logon works. However, I've noticed that samba still logs the following message:

[2009/08/15 14:14:41, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(546)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client WIN7TEST machine account WIN7TEST$
[2009/08/15 14:15:18, 0] smbd/service.c:make_connection_snum(740)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2009/08/15 14:15:30, 0] smbd/nttrans.c:call_nt_transact_ioctl(1989)
  call_nt_transact_ioctl(0x1401c4): Currently not implemented.

Probably it's a bug in Samba 3.3.4 which still permits logon even if machine authentication fails. The NT_STATUS_ACCESS_DENIED is repeated many times.

--
View this message in context: http://www.nabble.com/Windows-7-RC-tp23405949p24984174.html
Sent from the Samba - General mailing list archive at Nabble.com.
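
The log excerpt in the message above shows the machine account being rejected by the netlogon credential check while logon still succeeds. As an added example (not part of the original post and not Samba project code), this Python sketch parses that two-line log layout and counts rejected machine accounts; the sample log is constructed, and the OTHERPC entry is invented for illustration.

```python
import re
from collections import Counter

# Constructed sample in the log layout quoted in the post: a header line
# followed by indented message lines. The first three entries mirror the
# post; the OTHERPC entry is invented for this example.
SAMPLE_LOG = """\
[2009/08/15 14:14:41, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(546)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client WIN7TEST machine account WIN7TEST$
[2009/08/15 14:15:18, 0] smbd/service.c:make_connection_snum(740)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2009/08/15 14:15:30, 0] smbd/nttrans.c:call_nt_transact_ioctl(1989)
  call_nt_transact_ioctl(0x1401c4): Currently not implemented.
[2009/08/15 14:16:02, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(546)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client OTHERPC machine account OTHERPC$
"""

# Header: [timestamp, debuglevel] source_file:function(line_number)
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
REJECT = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request "
                    r"from client (?P<client>\S+) machine account (?P<account>\S+)")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            # Continuation line: append to the most recent entry's message.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(text):
    """Return (rejections per machine account, count of ACCESS_DENIED entries)."""
    rejected, denied = Counter(), 0
    for entry in parse_entries(text):
        m = REJECT.search(entry["msg"])
        if m:
            rejected[m.group("account")] += 1
        if "NT_STATUS_ACCESS_DENIED" in entry["msg"]:
            denied += 1
    return rejected, denied

if __name__ == "__main__":
    rejected, denied = summarize(SAMPLE_LOG)
    for account, count in rejected.most_common():
        print(f"{account}: {count} rejected netlogon credential check(s)")
    print(f"NT_STATUS_ACCESS_DENIED entries: {denied}")
```
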
