Marco Gaiarin
2020-Aug-26 15:45 UTC
[Samba] Win10 and NT mode: netlogon script seems does not run anymore.
[ Rowland, I know, I need to upgrade. ;-) ]

Some months ago, with a relatively big bunch of fixes & tweaks, I was able to join a Win10 1903 client to an 'NT mode' Samba domain.

Now I'm trying to do the same with a 1909 version; all seems to work as before, BUT the netlogon script (defined in smb.conf with:

    logon script = startup.bat

) simply seems not to run. No log event in Windows, no logs on Samba (or nothing that seems relevant to me).

I've just enabled this registry key:

    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" /f /v "\\*\NETLOGON" /t REG_SZ /d "RequireMutualAuthentication=0"

then rebooted, but nothing changed. I'm googling around, but I've not found any clue...

Thanks.

-- 
dott. Marco Gaiarin  GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''  http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Nick Howitt
2020-Aug-26 15:54 UTC
[Samba] Win10 and NT mode: netlogon script seems does not run anymore.
Try this doc: https://documentation.clearos.com/content:en_us:kb_adding_workstation_to_a_domain

On 26/08/2020 16:45, Marco Gaiarin via samba wrote:
> [ Rowland, I know, I need to upgrade. ;-) ]
>
> Some months ago, with a relatively big bunch of fixes & tweaks, I was able to join a
> Win10 1903 client to an 'NT mode' Samba domain.
>
> Now I'm trying to do the same with a 1909 version; all seems to work as
> before, BUT the netlogon script (defined in smb.conf with:
>
>     logon script = startup.bat
>
> ) simply seems not to run. No log event in Windows, no logs on Samba
> (or nothing that seems relevant to me).
>
> I've just enabled this registry key:
>
>     reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" /f /v "\\*\NETLOGON" /t REG_SZ /d "RequireMutualAuthentication=0"
>
> then rebooted, but nothing changed. I'm googling around, but I've not found
> any clue...
>
> Thanks.
L.P.H. van Belle
2020-Aug-27 07:49 UTC
[Samba] Win10 and NT mode: netlogon script seems does not run anymore.
Hi,

Thanks for that link, that is very useful. Only after reading it I see it's missing a very important part. This opens a security leak.

See link (dated: Last Updated: Apr 15, 2015):
https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-executi

The examples shown there:

\\<Server>\<Share> needs to be replaced with \\<Server>.<internal.dom.tld>\<Share>, as shown in the Advanced configuration examples.

Only somewhere in 2018 did MS start pushing the need to use FQDN names on the internal (LAN) side and the Internet side.

So, don't use this:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
    "\\\\*\\NETLOGON"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
    "\\\\*\\SYSVOL"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
    "\\\\{MyWindowsDomainName}\\netlogon"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"

You "should" use:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
    "\\\\*.internal.domain.tld\\NETLOGON"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
    "\\\\*.internal.domain.tld\\SYSVOL"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"
    "\\\\internal.domain.tld\\netlogon"="RequireMutualAuthentication=0, RequireIntegrity=0,RequirePrivacy=0"

The example formats are in the MS link above.

And while searching for info on the above problem:
https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias

@Rowland have a good look at this one. This one is hitting the list... (I have seen this problem also.)
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nick Howitt via samba
> Sent: Wednesday 26 August 2020 17:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Win10 and NT mode: netlogon script seems does not run anymore.
>
> Try this doc:
> https://documentation.clearos.com/content:en_us:kb_adding_workstation_to_a_domain
>
> On 26/08/2020 16:45, Marco Gaiarin via samba wrote:
> > [...]
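The scoping Louis describes, as an added example that is not part of the original posts or of Samba's own code: a PowerShell script, run from an elevated prompt on the Windows 10 client, that audits the HardenedPaths values for the bare-wildcard relaxation (`\\*\NETLOGON` with RequireMutualAuthentication=0) and writes the domain-scoped entries in the form Louis quotes from the MS15-011 article in its place. The DNS domain `internal.domain.tld` and the server name `PDC` in the usage lines are placeholders. The `-ServerName` parameter is an assumption added here for the NT4 case: a HardenedPaths entry is matched against the server name exactly as the client addresses the share, so a client that reaches its logon server by its short NetBIOS name is not covered by a `*.internal.domain.tld` pattern and needs that name listed explicitly.

```powershell
# Added example for this thread, not code from the original posts or from Samba.
# Audits the UNC Hardened Paths policy for the bare-wildcard relaxation and
# replaces it with entries scoped to our own DNS domain (MS15-011 article form).
# Placeholders: 'internal.domain.tld' and 'PDC' in the usage lines at the bottom.

$HardenedPathsSubKey = 'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
# An NT4-style (NTLM-only) domain cannot provide Kerberos mutual authentication,
# so all three flags must be 0 for NETLOGON to be reachable at all; scoping limits
# that relaxation to hosts inside our domain instead of to any host on the network.
$Relaxed = 'RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0'

function ConvertFrom-HardenedPathData {
    # "RequireMutualAuthentication=0, RequireIntegrity=0" -> hashtable flag -> value
    param([string]$Data)
    $flags = @{}
    foreach ($pair in ($Data -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $flags
}

function Get-HardenedPathAudit {
    # One object per policy entry; Risk is HIGH when the server part is a bare '*'
    # and mutual authentication is switched off (any host may serve the share).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($HardenedPathsSubKey)
    if (-not $key) { return }    # policy key absent: the client's built-in defaults apply
    try {
        foreach ($name in $key.GetValueNames()) {
            $flags  = ConvertFrom-HardenedPathData -Data ([string]$key.GetValue($name))
            $parts  = $name -split '\\'      # \\server\share -> '', '', server, share
            $server = $parts[2]
            $mutual = $flags['RequireMutualAuthentication']
            $risk = if ($server -eq '*' -and $mutual -eq '0') {
                'HIGH: this share on ANY host is accepted without mutual auth'
            } elseif ($mutual -eq '0') {
                'MEDIUM: mutual auth off, but only for hosts matching the pattern'
            } else { 'OK' }
            [pscustomobject]@{
                Pattern    = $name
                Server     = $server
                Share      = if ($parts.Count -gt 3) { $parts[3] } else { '*' }
                MutualAuth = $mutual
                Integrity  = $flags['RequireIntegrity']
                Privacy    = $flags['RequirePrivacy']
                Risk       = $risk
            }
        }
    } finally { $key.Dispose() }
}

function Set-ScopedHardenedPaths {
    param(
        [Parameter(Mandatory)][string]$DnsDomain,   # e.g. internal.domain.tld
        [string[]]$ServerName = @()                 # names the client really uses, e.g. the PDC's NetBIOS name
    )
    $patterns = @("\\*.${DnsDomain}\NETLOGON", "\\*.${DnsDomain}\SYSVOL", "\\${DnsDomain}\NETLOGON")
    foreach ($s in $ServerName) { $patterns += "\\${s}\NETLOGON" }

    # .NET registry calls take literal value names, so the '*' in these names is
    # never treated as a PowerShell wildcard (Remove-ItemProperty -Name would be).
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($HardenedPathsSubKey)
    try {
        foreach ($p in $patterns) {
            $key.SetValue($p, $Relaxed, [Microsoft.Win32.RegistryValueKind]::String)
        }
        foreach ($bare in '\\*\NETLOGON', '\\*\SYSVOL') { $key.DeleteValue($bare, $false) }
    } finally { $key.Dispose() }
}

# Usage: audit first (read-only), then scope the relaxation and reboot the client.
Get-HardenedPathAudit | Format-Table -AutoSize
# Set-ScopedHardenedPaths -DnsDomain 'internal.domain.tld' -ServerName 'PDC'
# Get-HardenedPathAudit | Format-Table -AutoSize
```

If the audit prints nothing, the policy key does not exist and the client is running on its defaults, which is the situation Marco started from. After `Set-ScopedHardenedPaths` the HIGH rows disappear and only the domain-scoped and explicitly named entries remain with the relaxed flags; a reboot, as in the thread, is the simplest way to be sure the new values are in effect.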
Rowland penny
2020-Aug-27 09:59 UTC
[Samba] Win10 and NT mode: netlogon script seems does not run anymore.
On 27/08/2020 08:49, L.P.H. van Belle via samba wrote:
> https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias
> @Rowland have a good look at this one. This one is hitting the list... (I have seen this problem also.)

I think everyone knows my views on NT4-style domains, they were a good idea at the time, but that time is most definitely not now ;-)

The link Louis provided is interesting, it seems to back up what I have always thought, you cannot use a CNAME for an NT4-style domain, but for a reason I never thought of: Kerberos.

The link says 'Important Do not use DNS CNAMEs in the future for file servers.', but then goes on to tell you how to use them:

    If you want to still give "alternate names" to servers, you can do so with the following command:
    NETDOM COMPUTERNAME /ADD

Which is wrong/incomplete, it should be:

    netdom computername <computer's short hostname> /add:<fully qualified CNAME>

Though I cannot get it to work from a Win10 computer.

What amused me was the section headed 'Not recommended', where they then went on to tell you to not set SPNs on non-Windows fileservers and how to do it :D

From reading the link it looks like 'samba-tool dns add <server> <zone> <name> <CNAME> fqdn_string' should be updated to allow adding SPNs.

Another thought I had was, perhaps 'smb ports = 139' should be set in an NT4-style PDC smb.conf.

Rowland
Marco Gaiarin
2020-Aug-27 12:00 UTC
[Samba] Win10 and NT mode: netlogon script seems does not run anymore.
Hi! Nick Howitt via samba, that day, wrote:

> Try this doc: https://documentation.clearos.com/content:en_us:kb_adding_workstation_to_a_domain

I can confirm that with:

    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" /f /v "\\*\NETLOGON" /t REG_SZ /d "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"

it works as expected, thanks.

Now I need to read all the warnings about this registry key... ;-)

-- 
dott. Marco Gaiarin