Web lists-archives.com

Re: [Samba] Can't join Windows 10 to classic domain




You can try the following, but i try to spend time anymore on NT setups.
Not that i dont want to help but because its to risky imo and every win10 update is becomming a risk. 

The tips i have for you, what you can try/check. 

Install without internet access.  <<< MOST IMPORTANT ! 

- Disable ipv6 on the nic. 
- Enable ping responce in the windows firewall, for the Domain if not enabled. ( in W10 1803 its in Windows Defender. ) 
- Check the DNS suffix, does it match the primary domain?
Test ping host
Test ping host.fqdn 
Are both responses exact the same, if not, your resolving needs fixing. 
Ping host should return with a host.fqdn responce of the ping. 

- You could the to join with powershell : Add-Computer –DomainName NTDOM –Credential (Get-Credential)

And i really hope you have Win10 Enterprise because if not, how are you stopping win updates. 
You wil be pushed to a new version, do remember the following. 

Delaying the updates, quality and feature updates will not download on your computer for up to 35 days since you turned on the option.
So if you install windows 10 1703 you get pushed to 1709. 
Just after you installed a new win10, goto settings, update & security, choose when updates are installed, set Semi-Annual Channal (targeted)
That might help to delay longer.

And make sure to turn off the Metered connection toggle switch.  ( settings - network en Internet - (wifi) or ethernet. 

Good luck, but the time you now are spending is a wait of time imo, and yes i do understand you problem. 
But you'd better use that time to upgrade to ad, before you know you wil have problems again. 

If you want to make sure it keeps working, install Win7 and not win10. 
That will give you a major time window to prepair and read into samba AD. 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> samba1--- via samba
> Verzonden: woensdag 30 mei 2018 21:26
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Can't join Windows 10 to classic domain
> 
> Thanks very much for all the helpful info.
> It does look like a setting has been changed to force Windows 10 to
> only look for AD domains.
> As a matter of interest, I rolled Windows 10 back to 1709, and have
> encountered a different problem.  This time, it seems to let me join
> the domain (I got the login box, and the welcome message saying that
> the PC had joined the domain).  However, after that, certain actions
> (such as opening the "add users" screen) seemed to slow down.  When I
> tried to add a new domain user in Windows it came up with a message
> saying it couldn't contact the domain.  It looks like 1709 is closer
> to working, but I'm not sure what might be causing the problem with
> adding users etc.  Is there a known fix for this?
> If not, I'll need to look at going back to 1703.  From what you say,
> that will work, but it's a question of when an update might come down
> to the PC, and stop it working.  However, when you say that
> "authentication thru netbios resolution seems to get grandfathered in
> provided the domain is joined prior to the latest upgrade" do you mean
> that if I connect a 1703 PC to the Samba NT4 domain, everything will
> continue to work through the 1709 and 1803 updates?  I thought I'd
> read something which indicated that this might not be the case.
> I have a bunch of new Windows 10 PCs to install, so, as ever, I'm
> under a bit of pressure to get things working!  I've not carried out a
> Classic Upgrade of Samba before, nor seen a Samba AD, and it is a live
> environment which requires minimal downtime or disruption.  A previous
> Samba upgrade between major versions and to a different server and
> operating system required me to carry out thorough planning and
> testing to ensure things like trust relationships etc. didn't get
> broken.  I suspect the Classic Upgrade might present a few problems,
> especially as the documentation says it's not possible to rollback if
> things don't work!  Perhaps the way forward is to look at setting up
> the new machines with 1703, and then plan for a big upgrade of Samba.
> 
> On ???30???/???05???/???2018 at 3:04 PM, "Marco Shmerykowsky PE via
> samba"  wrote:The issue does not seem to be connected to SMB1.
> 
> It can be installed and it still won't authenticate.
> Something has been changed to force authentication to
> AD/DNS either solely or as a first step.  The translation
> of the netbios name never happens even if the computer
> can resolve the name.
> 
> Given that the authentication thru netbios resolution
> seems to get grandfathered in provided the domain is
> joined prior to the latest upgrade, it would seem there
> is a tweak that can applied, but who knows.
> 
> On 5/30/2018 2:18 AM, L.P.H. van Belle via samba wrote:
> > Yes, you correct, you wasted time on this..
> > 
> > Read also, this will give more insight.
> >
> https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-
> installed-by-default-in-windows
> > 
> > Greetz,
> > 
> > Louis
> > 
> >   
> > 
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
> >> Marco Shmerykowsky PE via samba
> >> Verzonden: dinsdag 29 mei 2018 19:12
> >> Aan: samba@xxxxxxxxxxxxxxx
> >> Onderwerp: Re: [Samba] Can't join Windows 10 to classic domain
> >>
> >> I wasted a bunch of time on this.
> >>
> >> Downlevel Windows 10 to version 1703.  It should work and
> >> it seems to hold the connection once the next update takes
> >> hold.
> >>
> >> Plan for updating the domain to AD as who knows what MS
> >> will do next.  The 1703 connection could get broken in
> >> the future.
> >>
> >>
> >> On 5/29/2018 12:16 PM, samba1--- via samba wrote:
> >>>
> >>>
> >>>  I've been running Samba 4 in NT4 Domain mode for a few
> >> years, and
> >>> it's been working fine with Windows 7 PCs.
> >>>
> >>>  I now need to join a new Windows 10 PC to the domain,
> >> but I'm not
> >>> having any success!
> >>>
> >>>  When I try to join the domain, the Windows 10 PC says "An Active
> >>> Directory Domain Controller could not be contacted...."
> >>>
> >>>  I've tried a few things, including:-
> >>>
> >>>  Setting registry entries for:-
> >>> DomainCompatibilityMode = 1
> >>> DNSNameResolutionRequired = 0
> >>>
> >>>  Then:-
> >>>
> >> [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsNetworkProv
> >> iderHardenedPaths]
> >>>
> >> "\*netlogon"="RequireMutualAuthentication=0,RequireIntegrity
> >> =0,RequirePrivacy=0"
> >>>
> >> [HKEY_LOCAL_MACHINESOFTWAREWow6432NodePoliciesMicrosoftWindows
> >> NetworkProviderHardenedPaths]
> >>>
> >> "\*netlogon"="RequireMutualAuthentication=0,RequireIntegrity
> >> =0,RequirePrivacy=0"
> >>>
> >>>  I've tried adding entries for the domain controller in hosts and
> >>> lmhosts, and have also tried enabling NetBIOS over TCP/IP.
> >>>
> >>>  I've then tried forcing the Windows Client to use SMB1:-
> >>>
> >>>  sc config lanmanworkstation depend= bowser/mrxsmb10/nsi
> >>> sc config mrxsmb20 start= disabledI also used the following
> >> Powershell
> >>> commands:-
> >>> Get-WindowsOptionalFeature -Online -FeatureName
> >>> SMB1ProtocolSet-SmbServer-Configuration -EnableSMB2Protocol $false
> >>>
> >>>  Running the status commands shows SMB1 to be enabled,
> >> and SMB2 to be
> >>> disabled.
> >>>
> >>>  Should it be possible to join a Windows 10 PC to a
> >> Samba NT4 domain,
> >>> and if so, what am I missing?
> >>>
> >>>  One thing I haven't tried is forcing Samba to "server
> >> max protocol =
> >>> NT1" - mainly because I'm worried it might cause problems
> >> with all the
> >>> existing Windows 7 clients, and also because of potential security
> >>> risks.  I thought it might be 'safer' to force the Windows 10 PC
> to
> >>> use SMB1 rather change anything on the server.
> >>>
> >>>  Any help would be much appreciated!
> >>>
> >>
> >> ---
> >> This email has been checked for viruses by AVG.
> >> https://www.avg.com
> >>
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> > 
> > 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba