samba - Jun 2015 - Anybody got windows 10 working with our classic DC / need to migrate to samba4?

On Tue, Jun 2, 2015 at 1:24 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
wrote:
> Hello Andrew,
>
> Am 02.06.2015 um 09:55 schrieb Andrew Bartlett:
>> Just checking if anybody has Samba's classic DC functioning with
Windows
>> 10 domain member clients?  In particular, I'm interested in any
tests
>> with git master or 4.2.
>>
>> I'm not talking about samba4 DCs (our AD DC), but with the NT4-like
>> mode.
>>
>> The reason I ask is that I've got reports it doesn't work, and
I've
>> checked with Microsoft who basically say 'NT4 support ended years
ago'.
>> Certainly the current effort was the result of a special favour, and
>> these things (rightly) do expire.
>
>
> I setup a Samba NT4 PDC it in my test environment with Samba 4.2.1 and
> Win10 TP Build 9926:
>
> First, the two registry keys are required to add/set like done since
> Win7
> (https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains).
>
> Then you join the domain + reboot.
>
> But if you try to login now, it is denied ("...no logon
servers..."). To
> workaround this, I needed to set "max protocol = NT1" in
smb.conf. This
> allows the Win10 box to login to the Samba NT4 domain.
>
> What was interesting is, that if the Win10 client has once successfully
> logged into the NT4 domain, you can remove the "max protocol"
line and
> let this parameter on it's default. All further logins I have tried -
> even after a reboot - worked then.
>
>
> Ping me in IRC if you want to have a deeper look at this and require
> logs, etc.
>
>
> Regards,
> Marc
At risk of stating the obvious (why let it stop me now? ;) ), I seem
to recall that once a Windows client, XP or later, in an NT4 domain
sees an AD DC, it upgrades at least its domain level (if not also
protocol level on later Windows versions) in a non-reversible way.
This kind of sounds like the inverse situation where the default is AD
and it can fall back to NT4.  I'm wagering if you expose that Windows
10 machine to an AD DC domain and then tried to switch back again,
this trick would no longer work.

That test wouldn't actually _prove_ anything other than, "you really
should retire your NT4 domain a year ago", but that's been painfully
obvious for a while now. If I get bored I might snapshot some VMs and
replay the interaction a couple of different ways.

Marc, I'm assuming your test was a clean Samba install with stock
configurations and a clean Windows-10 9926 (with no previous contact
to either AD or NT4 domains)?

-- 
Peace and Blessings,
-Scott.

Hello Scott,

Am 04.06.2015 um 08:47 schrieb Scott Lovenberg:
> Marc, I'm assuming your test was a clean Samba install with stock
> configurations and a clean Windows-10 9926 (with no previous contact
> to either AD or NT4 domains)?
Yes. It was a new installed Windows 10 TP build 9926, with no contact to
any AD or NT4 domain before. Also the Samba 4.2.1 PDC was a fresh
installation with empty databases.

Sadly the latest official Insider Preview build 10074 doesn't install in
KVM (bluescreen after setup start) and Windows Update hangs in an
update-and-restore-endless-loop here in 9926, I can't try it with a
newer version at the moment.


Regards,
Marc

On Thu, Jun 4, 2015 at 5:23 AM, Marc Muehlfeld <mmuehlfeld at samba.org>
wrote:
> Hello Scott,
>
> Am 04.06.2015 um 08:47 schrieb Scott Lovenberg:
>> Marc, I'm assuming your test was a clean Samba install with stock
>> configurations and a clean Windows-10 9926 (with no previous contact
>> to either AD or NT4 domains)?
>
> Yes. It was a new installed Windows 10 TP build 9926, with no contact to
> any AD or NT4 domain before. Also the Samba 4.2.1 PDC was a fresh
> installation with empty databases.
>
> Sadly the latest official Insider Preview build 10074 doesn't install
in
> KVM (bluescreen after setup start) and Windows Update hangs in an
> update-and-restore-endless-loop here in 9926, I can't try it with a
> newer version at the moment.
Hi Marc and List,

For what it's worth, I was able to install and update build 10074 on
the current VirtualBox release.  Granted, it's less than an ideal
virtualization platform for anything outside of desktop use, but it's
a route to consider until the QEMU/KVM driver situation is remedied.
Unfortunately I haven't been able to test my theory yet for all the
fires I'm putting out at work today.


-- 
Peace and Blessings,
-Scott.