[Samba] Win10 to Samba as NT- PDC needs 3 settings

Discussion:

Klaus Hartnegg

2016-07-21 16:11:01 UTC

Upgrading Win7-32 (connected to Samba as NT-PDC) to Win10 requires
- disable HardenedUncPaths (MutualAuth & Integrity)
- install NTVDM
- enable LegacyConsole
otherwise the logon-script in Netlogon does not run,
even if samba.cnf contains "server max level = NT1"

Is Samba as NT-PDC supposed to handle HardenedUncPaths?
Did I miss that I should have enabled that somehow in smb.conf?

Would Samba as AD-DC automatically work with HardenedUncPaths?

The web pages currently mention only NT1, none of the other three
requirements.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Alex Winzer

2016-07-27 11:18:12 UTC

Permalink

Hello Claus,

I have an openSUSE with Samba 4.4.4-3.1-3676 as PDC. There is no AD
running. We use roaming profiles.
I upgraded 11 Machines to Windows 10 having lot's of trouble with the
Startmenu and the Win10-Apps. I can confirm the logon-script isn't executed
since the Windows-Upgrade. Nobody - even Microsoft - could ever answer my
questions to have a working startmenu with Windows 10.

So I would like to try "your" way with the netlogon. Could you please so
kind to give me more specific instructions, how to disable UNC Paths
(Registry?) and enable LegacyConsole? And are you sure you need NTVDM?
Could be needed for logon-script, since these are mostly bat-files.

Thanks, Alex

Post by Klaus Hartnegg
Upgrading Win7-32 (connected to Samba as NT-PDC) to Win10 requires
- disable HardenedUncPaths (MutualAuth & Integrity)
- install NTVDM
- enable LegacyConsole
otherwise the logon-script in Netlogon does not run,
even if samba.cnf contains "server max level = NT1"
Is Samba as NT-PDC supposed to handle HardenedUncPaths?
Did I miss that I should have enabled that somehow in smb.conf?
Would Samba as AD-DC automatically work with HardenedUncPaths?
The web pages currently mention only NT1, none of the other three
requirements.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Klaus Hartnegg

2016-08-02 07:47:26 UTC

Permalink

Post by Alex Winzer
I can confirm the logon-script isn't executed
since the Windows-Upgrade. Nobody - even Microsoft - could ever answer my
questions to have a working startmenu with Windows 10.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\server\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0"

Replace server with the name of your DC.
If you have more than one DC, enter one value for each server.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

2016-08-02 08:07:29 UTC

Permalink

Then you talked to a stupid ms guy.

Here you go, source. :
https://support.microsoft.com/en-us/kb/3000483

Gr.

Louis

-----Oorspronkelijk bericht-----
Verzonden: dinsdag 2 augustus 2016 9:47
Onderwerp: Re: [Samba] Win10 to Samba as NT- PDC needs 3 settings

Post by Alex Winzer
I can confirm the logon-script isn't executed
since the Windows-Upgrade. Nobody - even Microsoft - could ever answer

Post by Alex Winzer
questions to have a working startmenu with Windows 10.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\Ha
rdenedPaths]
"\\\\server\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0"
Replace server with the name of your DC.
If you have more than one DC, enter one value for each server.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba