Hi....

Some days ago I installed windows 8 pro from MSDN on one of my machines. I got a serious problem with it. I cannot logon as domain user.

I first tried joining my domain from win8 with an unchanged win8 installation. This did fail. Afterwards I applied the usual windows 7 registry patches to allow a samba domain join and rebooted. Afterwards I could join my domain with no trouble. I rebooted and tried to log in as domain user. No chance. It fails.

In the windows eventviewer I can find a message from Netlogon about a missing RPC server and that it cannot create a secure session with the domain controller (translated from German).

In the samba log I can find this:

[2012/09/20 10:03:56.934783, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DEVINTEL-2 machine account DEVINTEL-2$

My PDC is running samba 3.6.6 with smb2 enabled. My samba is ldap backed. The trust account looks as it should when I look into the information.

I already had the same problems with the release preview of windows 8 some weeks ago (at that time my pdc was still 3.6.3). All versions of windows 8 before the release preview did work without trouble.

Does anyone have the same problems?
Has anyone already got a working windows 8 pro in a domain?

This is very annoying. Any help is greatly appreciated.

Roland

By the way, the only success to join a windows 8 pro to a domain was to set up samba4 ads and join it successfully.
I did not succeed in any way else.

Greetings
Daniel

-----------------------------------------------
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Roland Schwingel
Sent: Thursday, 20 September 2012 11:30
To: samba at lists.samba.org
Subject: [Samba] Windows 8 Pro no domain logon possible

[...]

Hi Daniel,

Daniel Müller <mueller at tropenklinik.de> wrote on 20.09.2012 12:50:30:
> By the way, the only success to join a windows 8 pro to a domain was to set
> up samba4 ads and join it successfully.
> I did not succeed in any way else.

It is good to hear that there is at least a chance to join windows 8 to samba. The bad news is that samba 4 is still beta and not ready for production use. I am sitting here in a bigger installation with a big central LDAP for each and everything (not only samba). Migrating from samba3 to samba4 is a several months task.

So I hope there will be a samba 3 based solution for using windows 8 in a domain, too.

What is the official plan here?
Can the required portions for windows 8 be backported to samba 3?

BTW: Is it possible to use samba4 with another LDAP server/infrastructure not the samba4 supplied one?

Thanks in advance,

Roland

On Thu, Sep 20, 2012 at 9:47 AM, TAKAHASHI Motonobu <monyo at monyo.com> wrote:
> Daniel Müller <mueller at tropenklinik.de> wrote on 20.09.2012 12:50:30:
>> By the way, the only success to join a windows 8 pro to a domain was to
>> set up samba4 ads and join it successfully.
>> I did not succeed in any way else.
>
> In my environment, Windows 8 Pro (32bit), can join to Samba 3.5.6 domain.
> I modified registries:
> HKLM\System\CCS\Services\LanmanWorkstation\Parameters
> DWORD DomainCompatibilityMode = 1
> DWORD DNSNameResolutionRequired = 0
>
> You can download Samba environment I examined at
> http://wiki.samba.gr.jp/mediawiki/index.php?title=Samba_PDC_VM(squeeze)
>
> Of course I examined that after rebooting some domain accounts can logon
> into Samba domain on Windows 8 box.

This is good to know for me since I do not believe samba 4 will ever be an option for me since I am not permitted to connect my linux servers to the company internet. My current domain has the linux servers connected to a second private network and each client has 2 nics.

John

Hi Michael...

> Disclaimer: I am just a Samba user.

Me too ... ;-)

> On 20 September 2012 13:11, Roland Schwingel
> > It is good to hear that there is at least a chance to join windows 8 to
> > samba. The bad news is that samba 4 is still beta and not ready for
> > production use. I am sitting here in a bigger installation with a big
> > central LDAP for each and everything (not only samba). Migrating from samba3
> > to samba4 is a several months task.
>
> Well, the first release candidate has been released, and people are
> using it in production, but of course whether it's ready for you I
> cannot say.

A while ago I have studied the samba repos for changes in samba 4 and there was still heavy movement in code. So well... I personally here prefer having an official "stable" version of a software. When looking at my schedule I can't afford losing time with experiments. And moving from samba 3 to samba 4 is (as far as I understand it right now) a big move which has to be planned and cannot be done in an afternoon and has a (for me) too much experimental character in a core area of the infrastructure. So I will/have to wait until there is an official version of samba4 and some (best practice) experiences in moving from 3 to 4.

> > So I hope there will be a samba 3 based solution for using windows 8
> > in a domain, too.
> >
> > What is the official plan here?
> > Can the required portions for windows 8 be backported to samba 3?
>
> I doubt it. As far as I know recent versions of Windows will not work
> with an NT-style domain at all, unless the DC is a Samba server. i.e.
> you will not be able to join a Windows 8 (or 7 or maybe earlier)
> machine to a Windows NT-style domain controller. So I don't think
> there's some little bit of Samba 4 that could be backported to Samba 3
> to allow you to join a Windows 8 machine to the domain. More likely
> there's something that needs to be fixed in Samba 3 or in Windows 8 to
> get this working again.

Just 30 minutes ago I maybe found a solution to allow my win8 pro machine to log in with a samba3 domain account. At present I am logged in. But this has some tradeoff. I will outline it in a separate email after some more testing. Hopefully tomorrow.

There might be a lot of people outside using samba 3 right now happily. Microsoft is releasing a new OS version which cannot be joined to their existing domains out of the box. So they are yet stranded (like me) and can't use the "shiny" new OS. The clean solution (samba 4) is IMHO still some months away. In my eyes samba 3 must support windows 8 in some way to avoid some chaos because of too fast rushing to samba4 forcing users to use a samba which still might have too many bugs giving samba4 a bad reputation/start. Windows 8 comes some months too early for the new samba. If samba4 would be out now for eg. 6 months and behave well and windows 8 will reach the market now it would be a different situation.

> > BTW: Is it possible to use samba4 with another LDAP server/infrastructure
> > not the samba4 supplied one?
>
> No, it is not possible to use another LDAP server instead of Samba 4's
> built-in LDAP implementation. At one point there was support for
> this, but as far as I understand it, it is not technically possible to
> make it work properly and the support was removed/deprecated.

This is bad. Is it really expected to migrate over all data which is most likely present in companies' current LDAP solutions to the samba ldap? Can samba ldap fulfill all needs here (eg. rock solid life replication and general purpose usage?). I would very much appreciate the possibility of being able to not use the embedded ldap. This would very much reduce the effort of moving from samba3 to 4 in existing ldap environments.

Roland

Hi Takahashi...

TAKAHASHI Motonobu <monyo at monyo.com> wrote on 20.09.2012 15:47:42:
> In my environment, Windows 8 Pro (32bit), can join to Samba 3.5.6 domain.
> I modified registries:
> HKLM\System\CCS\Services\LanmanWorkstation\Parameters
> DWORD DomainCompatibilityMode = 1
> DWORD DNSNameResolutionRequired = 0
>
> You can download Samba environment I examined at
> http://wiki.samba.gr.jp/mediawiki/index.php?title=Samba_PDC_VM(squeeze)
>
> Of course I examined that after rebooting some domain accounts can logon
> into Samba domain on Windows 8 box.

I also have these registry patches in place. They were already needed for windows 7. You are not using SMB2 which appears to be the key problem here.

My current trick is based on disabling smb2 in windows 8. More after I have finished my tests.

Roland

Hi Andrew...

Andrew Bartlett <abartlet at samba.org> wrote on 20.09.2012 19:56:30:
> > > No, it is not possible to use another LDAP server instead of Samba 4's
> > > built-in LDAP implementation. At one point there was support for
> > > this, but as far as I understand it, it is not technically possible to
> > > make it work properly and the support was removed/deprecated.
> > This is bad. Is it really expected to migrate over all data which is
> > most likely present in companies' current LDAP solutions to the samba
> > ldap? Can samba ldap fulfill all needs here (eg. rock solid life
> > replication and general purpose usage?). I would very much appreciate
> > the possibility of being able to not use the embedded ldap. This would
> > very much reduce the effort of moving from samba3 to 4 in existing ldap
> > environments.
>
> We spent considerable effort over a period of years in attempting to
> make this possible. It is not. Even if it was, it would not involve
> 'simply' reading the companies LDAP server, it would be a very intrusive
> change no more acceptable than using our own built-in LDAP server.

Hmmm... I see... This will very much complicate migration from samba 3 to 4 if you are having an existing infrastructure. We use our LDAP for users, groups, dns, dhcp, networks and a lot of other things.

So you say if one wants to use samba 4 (s)he has to move fully over to the ldap of samba4 and abandon the current infrastructure? This is quite a burden and will take many months. So it won't happen here in a foreseeable time even if samba 4 would be released today as a final stable version. I believe I am not the only one having these concerns.

Don't get me wrong, I would love to get AD support but the road from an at present well working (beside of windows 8 yet) domain infrastructure for windows hosts and seamless integration of linux and Mac OS hosts to samba 4 based AD appears to become very long and hard.

I hope you will maintain samba 3 for a longer time (including windows 8 support).

Thanks for your reply,

Roland

Hi ...

So here are my current findings...

samba-bounces at lists.samba.org wrote on 20.09.2012 11:30:23:
> From: Roland Schwingel <roland.schwingel at onevision.com>
> [...]
> I got a serious problem with it. I cannot logon as domain user.
> [...]
> Does anyone have the same problems?
> Has anyone already got a working windows 8 pro in a domain?

After some more tests and changes I can give a small report on domain logon using windows 8 together with samba 3:

Logon is possible after some changes, but there remains some logout trouble.

I am using samba 3.6.6 on my PDCs and my fileservers with enabled smb2. My PDCs are solely responsible for keeping the windows profiles and for managing the domain itself. No printing or file services.

To join a samba domain you need the same registry settings as for windows 7. When they are applied and you have rebooted you can join a samba 3 domain with windows 8 but can't login.

The problem with win8 seems to be the smb2 implementation. I assume at least since the release preview of win8 it is using smb2.2/3.0 extensions unknown to samba. So I switched off smb2 in windows 8 using regedit. Under "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" one can find a key "DependOnService". Open it. Remove "MRxSmb20" and reboot.

Now I can login... Hooray...

Instead of disabling smb2 in win8 I tried disabling it on my PDC (smb.conf: "max protocol = nt1"). This also worked. Login is possible. I can even read/write to my fileservers which do have smb2 still enabled and fully saturate my GBit connection. Nice. :-)

So the problem lies in the login process. Something has changed here with win8. Once you pass login the implementations appear to be compatible - as long as you don't log out.

Logout trouble:
As long as I stay logged in everything is fine. I can work as usual. Enumerate users/groups from the domain. Really fine. But there are problems when I logout. Logout takes sometimes ages (even with a user who has a nearly empty profile). Often windows 8 writes on logout that it can't sync all data from the local profile on the disk to the server. There are some messages in windows eventlog listing certain paths which are not synced. There is nothing in the logs on the PDC (which hosts my profiles).

Roland

From: Roland Schwingel <roland.schwingel at onevision.com>
Date: Fri, 21 Sep 2012 12:04:46 +0200

> samba-bounces at lists.samba.org wrote on 20.09.2012 11:30:23:
> > From: Roland Schwingel <roland.schwingel at onevision.com>
> > [...]
> > I got a serious problem with it. I cannot logon as domain user.
> > [...]
> > Does anyone have the same problems?
> > Has anyone already got a working windows 8 pro in a domain?
>
> After some more tests and changes I can give a small report on domain
> logon using windows 8 together with samba 3:
>
> Logon is possible after some changes, but there remains some logout trouble.

I examined both Samba 3.6.6/3.6.8(latest) about Samba3 domain logon from Windows 8 and both work well. I compiled Samba from source tarball.

> I am using samba 3.6.6 on my PDCs and my fileservers with enabled
> smb2.

My simple smb.conf looks like:

-----
[global]
  workgroup = SAMBA366 (or SAMBA368)
  domain logons = yes
  passdb backend = tdbsam
  add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
  max protocol = smb2
  min protocol = smb2
#  log level = 3

[homes]
  writeable = yes
  browseable = no
-----

What is different from you around SMB2...

My Windows 8 box runs Windows 8 Professional 32bit modified registries same as Windows 7.

If you could, please test same smb.conf?

---
TAKAHASHI Motonobu <monyo at monyo.com>

Hi Takahashi,

TAKAHASHI Motonobu <monyo at monyo.com> wrote on 23.09.2012 17:16:12:
> I examined both Samba 3.6.6/3.6.8(latest) about Samba3 domain logon
> from Windows 8 and both work well.

Not here.

> I compiled Samba from source tarball.

Me, too.

> My simple smb.conf looks like:
> [...]

Mine comes here (from my PDC):

[global]
  display charset = UTF-8
  workgroup = ONEVISION
  password server
  passdb backend = ldapsam:"ldap://localhost"
  log file = /usr/local/samba/var/log.%m
  max log size = 500
  smb ports = 139
  large readwrite = No
  name resolve order = host bcast
  time server = Yes
  socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
  add machine script = /usr/local/samba/bin/createSambaMachineAccount.php "%u"
  logon script = logonscripts/%U/logon.bat
  logon path = \\%N\profiles\%U
  logon home
  domain logons = Yes
  os level = 66
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  ldap admin dn = cn=Directory Manager
  ldap group suffix = ou=groups
  ldap idmap suffix = ou=idmap,ou=samba
  ldap machine suffix = ou=computers,ou=samba
  ldap passwd sync = yes
  ldap suffix = dc=onevision,dc=com
  ldap user suffix = ou=people
  idmap config * : range
  idmap config * : backend = tdb
  create mask = 0755
  hide dot files = No
  map hidden = Yes
  csc policy = disable
  strict locking = No
  max protocol = smb2

[netlogon]
  comment = PDC netlogon
  path = /PDC/netlogon
  browseable = No
  root preexec = /PDC/scripts/sambaCreateHomeAccounts.sh "%u" "%g" "%H" "%I" "%L"

[profiles]
  comment = pdc profiles
  path = /PDC/profiles
  read only = No
  create mask = 0600
  directory mask = 0700

> My Windows 8 box runs Windows 8 Professional 32bit modified registries
> same as Windows 7.

I am running Windows 8 pro 64bit but this difference should not be a problem.

> If you could, please test same smb.conf?

Currently busy. Hopefully tomorrow.

Thanks for your help,

Roland

From: Roland Schwingel <roland.schwingel at onevision.com>
Date: Mon, 24 Sep 2012 11:07:13 +0200

> > [...]
>
> Mine comes here (from my PDC):
>
> [global]
> display charset = UTF-8
> workgroup = ONEVISION
> password server
> passdb backend = ldapsam:"ldap://localhost"
> log file = /usr/local/samba/var/log.%m
> max log size = 500
> smb ports = 139
> large readwrite = No
> name resolve order = host bcast
> time server = Yes
> socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
> add machine script = /usr/local/samba/bin/createSambaMachineAccount.php
> "%u"

(snip)

Perhaps "smb ports = 139" causes your problem. Port 139 is a port for old services. Recent services use port 445 instead.

Adding "smb ports = 139" to my simple smb.conf, I see the same problem as you see.

---
TAKAHASHI Motonobu <monyo at monyo.com>
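
The check below is an added example, not code posted by anyone on this thread. It parses the [global] section of an smb.conf and flags the two settings the posters tie to the Windows 8 logon failure: "smb ports" without 445 while SMB2 is enabled, and the "max protocol = nt1" workaround. The finding names are made up for this example, the sample configs are excerpts of the smb.conf posts above, and the defaults assumed for unset parameters are Samba 3.6's ("smb ports = 445 139", "max protocol = NT1").

```python
# Added example, not code from the thread: flag the smb.conf settings the
# posters tie to the Windows 8 logon failure. Defaults assumed are Samba 3.6's
# ("smb ports = 445 139", "max protocol = NT1"). Finding names are hypothetical.

def parse_global(text):
    """Return {normalized name: value} for the [global] section of an smb.conf."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces inside parameter names.
            params["".join(key.lower().split())] = value.strip()
    return params

def audit(text):
    """Return finding codes for the port/protocol combinations from the thread."""
    g = parse_global(text)
    ports = g.get("smbports", "445 139").replace(",", " ").split()
    smb2 = g.get("maxprotocol", "nt1").lower().startswith("smb2")
    findings = []
    if "445" not in ports:
        # Reproduced on the thread: SMB2 on, port 445 off, domain logon fails.
        findings.append("smb2-without-port-445" if smb2 else "port-445-disabled")
    if "maxprotocol" in g and not smb2:
        # Workaround used on the thread: SMB2 switched off on the PDC.
        findings.append("smb2-disabled-by-max-protocol")
    return findings

# Settings excerpted from the two smb.conf files posted in the thread.
ROLAND_PDC = """
[global]
    workgroup = ONEVISION
    smb ports = 139
    domain logons = Yes
    max protocol = smb2
[profiles]
    path = /PDC/profiles
"""
TAKAHASHI_TEST = """
[global]
    workgroup = SAMBA366
    domain logons = yes
    max protocol = smb2
    min protocol = smb2
"""
# The PDC config with the "max protocol = nt1" workaround applied.
ROLAND_WORKAROUND = ROLAND_PDC.replace("max protocol = smb2", "max protocol = nt1")

if __name__ == "__main__":
    for name, conf in [("roland", ROLAND_PDC), ("takahashi", TAKAHASHI_TEST),
                       ("workaround", ROLAND_WORKAROUND)]:
        print(name, audit(conf) or "ok")
```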