On 13/04/16 21:32, Marc Muehlfeld wrote:> Hello, > > Am 13.04.2016 um 13:20 schrieb lejeczek: >> I have a win10 which is (from what I see) a good member of samba domain >> except for one thing - it does not seem to a few simply things from a >> logon.bat, or does not do anything with it. >> would you share your thoughts? > We can't, if you don't share > - the logon script > - your Samba version > - your smb.conf > - details what exactly went wrongjust the logon.bat does not seem win10 runs it, suffice to point to \\server while a user is logged on to win10 and all seems normal, credential pass through and servers shares are visible, even the logon.bat runs fine when manually executed.> with us.3.6.23-24.el6_7 script and config I'd imagine should be fine - as they've been fine for all the domain, win7 (+ XPs in earlier days), it's just this newly introduced win10 which does not seem to even run/execute that logon.bat script. I'm guessing I'm missing some specifics needed for win10 - what are those I wonder. many thanks L> > Regards, > Marc >
Am 14.04.2016 um 11:33 schrieb lejeczek:> I'm guessing I'm missing some specifics needed for win10 - what are > those I wonder.Is your Samba a NT4-style PDC? You are using Samba 3, I'm using Samba 4. Anyway: In my experiments I also had to set an additional regpatch for Win10 and a Samba 4.3.x NT4-style domain for logon scripts - otherwise the logon scripts are not running: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths] "\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0" Complete regpatch: ############################################################################ Windows Registry Editor Version 5.00 ; ; windows10_join_enable.reg ; ; This registry keys are needed for a Windows 10 Client to join ; and logon to a Samba 4.3.x domain. ; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters] ; Enable NT-Domain compatibility mode ; Default: ; [value not present] ; "DomainCompatibilityMode"=- "DomainCompatibilityMode"=dword:00000001 ; Disable required DNS name resolution ; Default: ; [value not present] ; "DNSNameResolutionRequired"=- "DNSNameResolutionRequired"=dword:00000000 ; Disable Mutual authentication, no Kerberos, can fall back to NTLMv2 ; Disable Integrity, SMB signing is not required ; Disable Privacy, no SMBv3 must be used ; Default: ; [value not present] ; "\\\\*\\netlogon"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths] "\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0" ############################################################################ -- der tom
that is it; [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider \HardenedPaths] "\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,Req uirePrivacy=0" does the trick many thanks! L. On Mon, 2016-04-18 at 17:17 +0200, Thomas Bork wrote:> Am 14.04.2016 um 11:33 schrieb lejeczek: > > > I'm guessing I'm missing some specifics needed for win10 - what are > > those I wonder. > > Is your Samba a NT4-style PDC? You are using Samba 3, I'm using Samba > 4. > Anyway: > > In my experiments I also had to set an additional regpatch for Win10 > and > a Samba 4.3.x NT4-style domain for logon scripts - otherwise the > logon > scripts are not running: > > [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvid > er\HardenedPaths] > "\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,R > equirePrivacy=0" > > Complete regpatch: > > ##################################################################### > ####### > Windows Registry Editor Version 5.00 > > ; > ; windows10_join_enable.reg > ; > ; This registry keys are needed for a Windows 10 Client to join > ; and logon to a Samba 4.3.x domain. > ; > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstati > on\Parameters] > ; Enable NT-Domain compatibility mode > ; Default: > ; [value not present] > ; "DomainCompatibilityMode"=- > "DomainCompatibilityMode"=dword:00000001 > > ; Disable required DNS name resolution > ; Default: > ; [value not present] > ; "DNSNameResolutionRequired"=- > "DNSNameResolutionRequired"=dword:00000000 > > ; Disable Mutual authentication, no Kerberos, can fall back to NTLMv2 > ; Disable Integrity, SMB signing is not required > ; Disable Privacy, no SMBv3 must be used > ; Default: > ; [value not present] > ; "\\\\*\\netlogon"=- > > [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvid > er\HardenedPaths] > "\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,R > equirePrivacy=0" > ##################################################################### > ####### > > -- > der tom >