samba - Oct 2016 - win 10 client on linux pdc, join domain ok, logon script fails to run

Thanks for your response.  OK I get the AD DC part about sysvol and the fact
I'm running a pdc.

Can I confirm what you mean as domain?

so if i get:

#hostname
dev2.test

should my smb.conf have workgroup = test

it does not match at present.

regards



--
View this message in context:
http://samba.2283325.n4.nabble.com/win-10-client-on-linux-pdc-join-domain-ok-logon-script-fails-to-run-tp4708871p4708957.html
Sent from the Samba - General mailing list archive at Nabble.com.

On Fri, 30 Sep 2016 09:04:04 -0700 (PDT)
coxsterdillon via samba <samba at lists.samba.org> wrote:
> Thanks for your response.  OK I get the AD DC part about sysvol and
> the fact I'm running a pdc.
> 
> Can I confirm what you mean as domain?
> 
> so if i get:
> 
> #hostname
> dev2.test
> 
> should my smb.conf have workgroup = test
> 
> it does not match at present.
> 
It doesn't have to match.
When you connect to a Samba server you would use //SERVER/SHARE , where
'SERVER' is the computers NETBios name (which is usually the computers
hostname) and 'SHARE' is the share to connect to.

I do not think you can connect via the NETBios domain name (aka
workgroup)

Rowland

Hi,

Just in case someone looks at this thread, I've fix my samba win10 issue
with PDC.  Here's what I did:

To over come perhaps a DNS issue where complete name of server including top
level domain name could not access box as \\hostname.tld\<share>

I change the hostname to match netbios name.

#cat dev2 > /etc/hostname
#reboot

edited hosts file to make sure old name was removed.

/etc/hosts contains

127.0.0.1	localhost
192.168.1.200	dev2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


/etc/resolvconf/resolv.conf.d/tail contains

domain dev2
nameserver 192.168.1.200

/etc/nsswitch.conf contains

group:          compat winbind
shadow:         compat

hosts: files winbind mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


/etc/samba/smb.conf contains:

[global]
   workgroup = COMPO
   netbios name = DEV2
   server string = %h server (Samba, Ubuntu)
   domain master = yes
   preferred master = yes
   local master = yes
   domain logons = yes
   add machine script = sudo /usr/sbin/useradd -N -g pdcmachines -c Machine
-d /var/lib/samba -s /bin/false %u
   security = user
   encrypt passwords = yes
   wins support = yes
   name resolve order = wins lmhosts hosts bcast
   logon path = \\%N\%U\profile
   logon drive = H:
   logon home = \\%N\%U
   logon script = logon.bat
   panic action = /usr/share/samba/panic-action %d
   unix password sync = yes
   obey pam restrictions = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully*.
   pam password change = yes
   server max protocol = NT1

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

[share]
   comment = Global shared directory
   browseable = yes
   path = /home/share
   valid users = %U
   directory mask = 0700
   create mask = 0700
   read only = no

[temp]
   comment = Temporary shared data directory
   browseable = yes
   path = /home/temp
   valid users = %U
   directory mask = 0700
   create mask = 0700
   read only = no

[netlogon]
   path = /srv/samba/netlogon
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   guest ok = yes
   comment = Network Logon Service

I found all the samba users had the old tld name associated so I changed
them as for each:

pdbedit -r <username> -I COMPO

-----------------------------------

Important part for Windows 10.  When I joined each user to the domain COMPO,
like:

https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain

If you reboot.  It will prompt to login a user and state the domain under
the user name box, in my case COMPO.

However It kind of left each user part of the domain, able to use shares but
not fully on the domain if you enter the samba password to login.

So for each user I log off.  Click switch user.  Even though it says domain
COMPO under the user name, I manually type "COMPO\<username>".

Then each user is logged into a new account in windows 10, each says
COMPO\<username> and magically their login scripts run!

I also followed the windows 10 group policy for hardened unc:

https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/

and the windows 8 delayed boot group policy  (with it set to disabled,
default was unset):

http://www.thewindowsclub.com/configure-logon-script-delay-windows

Hope this helps someone

Regards




--
View this message in context:
http://samba.2283325.n4.nabble.com/win-10-client-on-linux-pdc-join-domain-ok-logon-script-fails-to-run-tp4708871p4709096.html
Sent from the Samba - General mailing list archive at Nabble.com.