samba - Jun 2015 - Anybody got windows 10 working with our classic DC / need to migrate to samba4?

Just checking if anybody has Samba's classic DC functioning with Windows
10 domain member clients?  In particular, I'm interested in any tests
with git master or 4.2. 

I'm not talking about samba4 DCs (our AD DC), but with the NT4-like
mode.

The reason I ask is that I've got reports it doesn't work, and I've
checked with Microsoft who basically say 'NT4 support ended years ago'.
Certainly the current effort was the result of a special favour, and
these things (rightly) do expire.  

Even if this is somehow disproved or resolved in the final release users
of Samba classic (NT4-like) domains should work out their migration
strategy soon, to avoid being caught out.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hello Andrew,

Am 02.06.2015 um 09:55 schrieb Andrew Bartlett:
> Just checking if anybody has Samba's classic DC functioning with
Windows
> 10 domain member clients?  In particular, I'm interested in any tests
> with git master or 4.2. 
> 
> I'm not talking about samba4 DCs (our AD DC), but with the NT4-like
> mode.
> 
> The reason I ask is that I've got reports it doesn't work, and
I've
> checked with Microsoft who basically say 'NT4 support ended years
ago'.
> Certainly the current effort was the result of a special favour, and
> these things (rightly) do expire.  

I setup a Samba NT4 PDC it in my test environment with Samba 4.2.1 and
Win10 TP Build 9926:

First, the two registry keys are required to add/set like done since
Win7
(https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains).

Then you join the domain + reboot.

But if you try to login now, it is denied ("...no logon servers...").
To
workaround this, I needed to set "max protocol = NT1" in smb.conf.
This
allows the Win10 box to login to the Samba NT4 domain.

What was interesting is, that if the Win10 client has once successfully
logged into the NT4 domain, you can remove the "max protocol" line and
let this parameter on it's default. All further logins I have tried -
even after a reboot - worked then.


Ping me in IRC if you want to have a deeper look at this and require
logs, etc.


Regards,
Marc

On Tue, Jun 2, 2015 at 1:24 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
wrote:
> Hello Andrew,
>
> Am 02.06.2015 um 09:55 schrieb Andrew Bartlett:
>> Just checking if anybody has Samba's classic DC functioning with
Windows
>> 10 domain member clients?  In particular, I'm interested in any
tests
>> with git master or 4.2.
>>
>> I'm not talking about samba4 DCs (our AD DC), but with the NT4-like
>> mode.
>>
>> The reason I ask is that I've got reports it doesn't work, and
I've
>> checked with Microsoft who basically say 'NT4 support ended years
ago'.
>> Certainly the current effort was the result of a special favour, and
>> these things (rightly) do expire.
>
>
> I setup a Samba NT4 PDC it in my test environment with Samba 4.2.1 and
> Win10 TP Build 9926:
>
> First, the two registry keys are required to add/set like done since
> Win7
> (https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains).
>
> Then you join the domain + reboot.
>
> But if you try to login now, it is denied ("...no logon
servers..."). To
> workaround this, I needed to set "max protocol = NT1" in
smb.conf. This
> allows the Win10 box to login to the Samba NT4 domain.
>
> What was interesting is, that if the Win10 client has once successfully
> logged into the NT4 domain, you can remove the "max protocol"
line and
> let this parameter on it's default. All further logins I have tried -
> even after a reboot - worked then.
>
>
> Ping me in IRC if you want to have a deeper look at this and require
> logs, etc.
>
>
> Regards,
> Marc
At risk of stating the obvious (why let it stop me now? ;) ), I seem
to recall that once a Windows client, XP or later, in an NT4 domain
sees an AD DC, it upgrades at least its domain level (if not also
protocol level on later Windows versions) in a non-reversible way.
This kind of sounds like the inverse situation where the default is AD
and it can fall back to NT4.  I'm wagering if you expose that Windows
10 machine to an AD DC domain and then tried to switch back again,
this trick would no longer work.

That test wouldn't actually _prove_ anything other than, "you really
should retire your NT4 domain a year ago", but that's been painfully
obvious for a while now. If I get bored I might snapshot some VMs and
replay the interaction a couple of different ways.

Marc, I'm assuming your test was a clean Samba install with stock
configurations and a clean Windows-10 9926 (with no previous contact
to either AD or NT4 domains)?

-- 
Peace and Blessings,
-Scott.