samba - Dec 2001 - Solution to XP/2000 joining Samba 2.2.x Domain Problem!

I finally found the solution that many people faced about joining a samba
2.2.x domain with XP or 2000
I've recently upgraded a Win98SE to WinXP, and attempt to join this to the
Samba Domain (of ver 2.2.2), which already have 2 Win2000 as member.
However, although the XP accept the Domain Joining, it denied me to log into
the domain  after a reboot, so I tried to view the System Event in the XP
and found this:

------------------------------------------------------------------
Source : Netlogon
Type : Error
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller
\\ORACLE for the domain SIAD failed because \\ORACLE does not support
signing or sealing the Netlogon session.  Either upgrade the Domain
controller or set the RequireSignOrSeal registry entry on this machine to 0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

------------------------------------------------------------------

Here was the problem! so I search the registry, and found the metioned
registry is related to the "Domain member: Digitally encrypt or sign secure
channel data (always)" option.

The solution is to chenged the option to "disable" in Control Panel
->
Administractive Tools -> Local Security Policy -> Local Policies ->
Domain
member: Digitally encrypt or sign secure channel data (always)

Then the XP  allow me to log into samba domain happily~ ^_^

Hope you would find this helpful

Alu Angus wrote:
> 
> I finally found the solution that many people faced about joining a samba
> 2.2.x domain with XP or 2000
> I've recently upgraded a Win98SE to WinXP, and attempt to join this to
the
> Samba Domain (of ver 2.2.2), which already have 2 Win2000 as member.
> However, although the XP accept the Domain Joining, it denied me to log
into
> the domain  after a reboot, so I tried to view the System Event in the XP
> and found this:
> 
> ------------------------------------------------------------------
> Source : Netlogon
> Type : Error
> Description:
> The session setup to the Windows NT or Windows 2000 Domain Controller
> \\ORACLE for the domain SIAD failed because \\ORACLE does not support
> signing or sealing the Netlogon session.  Either upgrade the Domain
> controller or set the RequireSignOrSeal registry entry on this machine to
0.
That's a surprisingly useful error message!  I think (hope) somebody is
looking into getting the sign/seal stuff working (therefore 'upgrading'
samba) but messing about with MS's encryption isn't easy work...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

On Sun, Dec 30, 2001 at 12:42:40AM +0800, Alu Angus wrote:
> I finally found the solution that many people faced about joining a samba
> 2.2.x domain with XP or 2000
> I've recently upgraded a Win98SE to WinXP, and attempt to join this to
the
> Samba Domain (of ver 2.2.2), which already have 2 Win2000 as member.
> However, although the XP accept the Domain Joining, it denied me to log
into
> the domain  after a reboot, so I tried to view the System Event in the XP
> and found this:
> ------------------------------------------------------------------
> Source : Netlogon
> Type : Error
> Description:
> The session setup to the Windows NT or Windows 2000 Domain Controller
> \\ORACLE for the domain SIAD failed because \\ORACLE does not support
> signing or sealing the Netlogon session.  Either upgrade the Domain
> controller or set the RequireSignOrSeal registry entry on this machine to
0.
THANKS !!!!

Re-installed as of CVS tonight (UK time), and tried it. It didn't
seem to work as me (though I have admin rights), but worked fine as
Administrator on the XP box.

Steve

-- 
home steve@gbnet.org       * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@thus.net        * tel +44-(0)207 483 1169    FAX +44-(0)207 483 2455
www  http://www.gbnet.net/ * Personal DFAX +44 (0)870 1600 842   (fax to email)
bits steve@gbnet.net       * mob +44-(0)7775755503  Epage steve-pager@gbnet.net

Some may recall that my 2.2.2 Samba domain server doesn't allow users on
Win2k machines to set access permissions to shares using the domain users
list, but returns an error after you pick a user off the list: "Unable to
lookup user names for display".

Oddly enough, it turns out that I can do this on Windows 98 machines
attached to the domain. I changed the settings to allow it to use user-level
access control and was able to set permissions on shares on those machiens
using the user list provided by the Samba domain controller.

Does anyone have an idea as to why one would work but not the other?

Patrick Reid