samba - Nov 2009 - Windows 7 domain issues

I am running Windows 7 Professionaly 64-bit with domain membership to a Samba
domain. I have noticed some weird behaviour.

1) For some reason, dhcp3-server does not add the forward dns entry into bind9.
This works perfectly with Windows 7 if it is not a domain member, or other
operating systems (XP, OS/X and Linux). I know this isn't specifically a
Samba issue, but I thought I should mention it.

2) Strange entries in log files. Authentication for user [AC2161$] ->
[AC2161$] FAILED with error NT_STATUS_PASSWORD_EXPIRED. I did run the Windows 7
64bit RC and after about 1 month, the trust relationship broke down and I would
have to re-join the domain to make it work again. This could be related.

3) Password issues. I use a LDAP backend, and use LAM to manage the directory.
If I set a password in LAM, it generates the UNIX and SMB passwords, and then
stores them in LDAP. This works perfectly for XP but not for Windows 7. Logons
persist to use the old password, and I have a feeling that the password being
used is a cached password.

Has anyone seen similar issues?

aF

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-
> bounces at lists.samba.org] On Behalf Of Alex Ferrara
> Sent: Tuesday, November 24, 2009 8:33 PM
> To: samba at lists.samba.org
> Subject: [Samba] Windows 7 domain issues
> 
> I am running Windows 7 Professionaly 64-bit with domain membership to a
> Samba domain. I have noticed some weird behaviour.
Personally, I have sworn off Samba as a PDC, and am desperately waiting for
Samba 4 with Active Directory. The PDC architecture is by now more than 10 years
old. Trying to use Windows 7 without Active Directory (and in particular without
Group Policies) really limits the usefulness. AD was quite useful with XP, and
even more so with Vista. Windows 7, I find, really requires Group Policies. I am
using Samba as a domain-member file server; it really shines in that role.
> 1) For some reason, dhcp3-server does not add the forward dns entry
> into bind9. This works perfectly with Windows 7 if it is not a domain
> member, or other operating systems (XP, OS/X and Linux). I know this
> isn't specifically a Samba issue, but I thought I should mention it.
Windows 7 has different network security policies depending on whether you are
on a public, private or domain network. I believe that this is because Windows 7
in a domain will by default insist on secure DNS updates. You can turn that off
(with a group policy. Or probably by editing the registry directly if you find
the right setting).
> 2) Strange entries in log files. Authentication for user [AC2161$] ->
> [AC2161$] FAILED with error NT_STATUS_PASSWORD_EXPIRED. I did run the
> Windows 7 64bit RC and after about 1 month, the trust relationship
> broke down and I would have to re-join the domain to make it work
> again. This could be related.
Windows 7 by default requires 128 bit encryption for SMB traffic; my guess is
that that is the problem. You can turn that off.
> 3) Password issues. I use a LDAP backend, and use LAM to manage the
> directory. If I set a password in LAM, it generates the UNIX and SMB
> passwords, and then stores them in LDAP. This works perfectly for XP
> but not for Windows 7. Logons persist to use the old password, and I
> have a feeling that the password being used is a cached password.
The same as item 2.

The DNS update issue I have resolved by insisting that DHCPD perform the update,
and ignore the client request. I found that Windows 7 tells DHCPD that it will
perform the DNS update, and by default, DHCPD will then let it. The directive in
dhcpd.conf is "deny client-updates".

As for the password related issues, I think you might be right, and the answer
lies in the password strength required.

I too am holding my breath for Samba4. I have been considering implementing
either Franky, or Samba4 alpha in the role of PDC, and using Samba3 to do the
file sharing. I'm just a little concerned that it might eat my cat.

aF