Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: lloydh on August 06, 2015, 09:13:31 AM
-
My SME server is a home server running as a domain controller. There are 4 Windows PCs in the house, all domain members, and I have spent a lot of time in the past 12 months upgrading all of these PCs to Windows 8.1 Pro, ready to take advantage of the free upgrade to Windows 10.
In April I joined the Windows Insider program, running Windows 10 Pro in a VM on my CentOS desktop. I had many problems: some builds would join the domain while others would not, but any that did join would not run the logon script, and that problem was still there in the final release last week. I spent a lot of time searching on Google, but unfortunately there was not a lot of information out there, and some of the information I read led to confusion on my part, as Windows is not one of my strong points.
Finally this morning I found a solution and I thought I would share my findings.
Before joining the domain I added the two documented registry entries, and joining was never a problem.
To get the logon script to run on the Windows 10 workstation I ran GPEDIT.MSC as Administrator, went to Local Computer Policy -> Administrative Templates -> Network -> Network Provider -> Hardened UNC Paths, enabled Hardened UNC Paths and then added the following path.
\\myservername\netlogon
I then added the following values to that path.
RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
This may not be the definitive solution, but it works for me. Does anybody have any thoughts on this?
-
Thanks for sharing ;)
I don't have much experience with Windows, but SME has to work with it. We must find a regedit way to have a workable solution, maybe like we did for W7 and W8:
http://wiki.contribs.org/Windows_8_Support
-
Lloyd
Would you please provide the source link or website for those registry tweaks?
-
Hi, :-o
thank you for your answer,
a last question please: I have now configured the new SME Server 9 with a direct public IP (my server is now on a dedicated host in the cloud).
All my clients (Thunderbird IMAP) are now on a different public network (my old server was in the office before), so I have added the public IP network of the office in Security/Remote networks to manage SME.
Question
from Thunderbird: I can download/receive email (from TLS/SSL port 993, not 143 :-?) but cannot send email (Relayed Denied)
On my old client configuration, I was receiving my emails on port 143 StartSSL
I can also see that I cannot telnet to port 143 from my public office network, but only 993. I can telnet to port 25.
As I read in some posts, they say to set 'config setprop qpsmtpd RelayRequiresAuth disabled'. Is that right?
Should I put my public office network somewhere in my configuration?
From iPhone (smartphone): I can receive and send email with no problems.
thank you a lot! :-P
-
Lloyd
Would you please provide the source link or website for those registry tweaks?
Sorry, for some reason I thought they were on contribs.org, but they are actually on the Samba Wiki page here: https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains. This is a copy from that page.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
You just need to add those two keys. I have been using them since Windows 7, then on Windows 8 and 8.1 and now on Windows 10, and I have never had any domain problems.
I noticed there is a new "Windows 10" addition to the wiki article, but I haven't seen that problem myself.
-
lloydh
Thanks
I was more so asking about where you got this login script registry tip from:
To get the logon script to run on the Windows 10 workstation I ran GPEDIT.MSC as Administrator, went to Local Computer Policy -> Administrative Templates -> Network -> Network Provider -> Hardened UNC Paths, enabled Hardened UNC Paths and then added the following path.
\\myservername\netlogon
I then added the following values to that path.
RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
This may not be the definitive solution, but it works for me. Does anybody have any thoughts on this?
-
In all the searching I did I copied the data into a document, but I didn't keep the URLs, and it's taken a bit to find that URL again. This is where I got my information from: http://www.spinics.net/lists/samba/msg127152.html.
Janet, just to clarify, you referred to this as a registry change; it's not in the registry but in Group Policies.
As I have said, all my testing so far has been on Windows 10 Pro in a VM. I have now upgraded one of my PCs from Windows 8.1 Pro to Windows 10 Pro. Because I was doing a clean install, I removed the PC from the domain before I started. When the installation was complete I added the two registry keys and the path in Group Policies; the PC joined the domain without a problem, and the logon script runs when I log in with a domain account, so I am satisfied all is working as it should.
-
Please can you write a dedicated page on the wiki for Windows 10? You can use the other Windows pages as a template for your work and ask for some help with the wiki editing if needed.
I don't have W10, therefore it is up to you to start the work ;)
Once done, we should add something to the server resources to make all the regedit and Group Policy modifications easier.
-
Steph, I'm sorry but I have to decline your request. I am 70 with severe mental problems following a breakdown 10 years ago. I struggle with technical things now and only do enough to keep our home network running; I make a lot of mistakes and I often have to walk away from things, sometimes for weeks at a time, which happened a number of times while I was testing Windows 10.
-
It's ok mate, take care of yourself :)
-
The registry key is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"
-
Thanks for reporting. Is it something that you add alone, or together with the other registry keys that we propose in the server resources for W7/8 and XP?
-
I added it to get the logon script working with an existing PC that had been updated from Win7 to Win10.
A further test with a fully clean Win10 laptop works with both:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"
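The GPEDIT procedure lloydh described and the registry form flep posted above both write into the HardenedPaths policy key, and the values they set (RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0) switch off the client-side checks that Hardened UNC Paths (MS15-011) applies to the NETLOGON and SYSVOL shares. The wildcard form "\\*\netlogon" covers every server, not only the SME box. The following PowerShell script is an added example, not code from this thread or from SME Server; it reads the key quoted above on the workstation and reports, per UNC path, which requirements are off and whether the entry is a wildcard. The function names are my own.

```powershell
# Added example: audit the Hardened UNC Paths policy on a Windows 10 client.
# Not code from the thread or from SME Server. Assumption: the policy is stored
# under the key flep quoted; the function names below are mine.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    # Parse "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"
    # into a hashtable keyed by setting name. Settings absent from the string
    # are simply left out, so the report can show them as "not set".
    param([Parameter(Mandatory)][string]$Value)
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $parts = $pair.Trim() -split '=', 2
        if ($parts.Count -eq 2 -and $parts[0].Trim()) {
            $settings[$parts[0].Trim()] = [int]$parts[1].Trim()
        }
    }
    return $settings
}

function Get-SettingOrDefault {
    # Return the parsed value for one setting, or 'not set' if it was omitted.
    param([hashtable]$Table, [string]$Name)
    if ($Table.ContainsKey($Name)) { $Table[$Name] } else { 'not set' }
}

function Get-HardenedUncPathReport {
    # Emit one object per configured UNC path. Weakened is $true when any of the
    # three requirements has been explicitly set to 0 for that path.
    param([string]$Key = $HardenedPathsKey)
    if (-not (Test-Path -Path $Key)) {
        Write-Warning "No HardenedPaths policy key at $Key; Windows defaults apply."
        return
    }
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        $s = ConvertFrom-HardenedPathValue -Value ([string]$item.GetValue($name))
        $off = @('RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy' |
                 Where-Object { $s.ContainsKey($_) -and $s[$_] -eq 0 })
        [pscustomobject]@{
            UncPath                     = $name
            RequireMutualAuthentication = Get-SettingOrDefault $s 'RequireMutualAuthentication'
            RequireIntegrity            = Get-SettingOrDefault $s 'RequireIntegrity'
            RequirePrivacy              = Get-SettingOrDefault $s 'RequirePrivacy'
            AppliesToAllServers         = $name.StartsWith('\\*\')  # wildcard host rather than one named server
            Weakened                    = ($off.Count -gt 0)
            SwitchedOff                 = ($off -join ',')
        }
    }
}

Get-HardenedUncPathReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell after applying the workaround (and after gpupdate /force if you used GPEDIT) to confirm that only the share you intended is listed as Weakened, and to see at a glance whether the entry is the named-server form from lloydh's post or the wildcard form from flep's.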
-
It's worth a big thank you to flep, and also to lloydh who initiated the thread :)
Please follow up the bug at http://bugs.contribs.org/show_bug.cgi?id=9028; I have no W10 to test with SME.
-
I migrated to Windows 10.
And I saw the need to create user profiles in the following way:
username.V5
This is needed for roaming profiles to work well.
Would it be possible to take this directly into account when creating users from the server-manager?
Thanks a lot.
FHS
-
Hello! :-P 8) Just registered to post my experience. I'm using Zentyal servers in my server environments.
One case is a Zentyal 3.0 server using Samba 4.0.14.
By default W10 domain joining works, but GPOs work only for Domain Administrator accounts; for other domain accounts it fails with a 1058 error, code 5 (Access denied).
To get that working, I had to change max protocol to NT1 and things started working....
...until I found out that randomly on bootup and before login the GPO failed with a 1058 error, code 65 (Network access denied).
Have to say it was not that easy to google about that specific error anymore. :-o
Accessing \\mydomain.lan\sysvol from Explorer gave a Network access denied error when executed from a non-domain computer.
Sooo I set RequireMutualAuthentication=0,RequireIntegrity=0 for \\mydomain.lan\sysvol and \\mydomain.lan\netlogon with that GPO hardening setting using RSAT for W10.
Now I'm able to access sysvol by entering domain credentials. Haven't tested it yet on the PCs that had issues, but I have a feeling this is gonna fix the issue.
-
I migrated to Windows 10.
And I saw the need to create user profiles in the following way:
username.V5
This is needed for roaming profiles to work well.
Would it be possible to take this directly into account when creating users from the server-manager?
Thanks a lot.
FHS
Thanks for your feedback. Can you describe precisely all the files that you modified and/or the actions you took to get roaming profiles working?
All documentation pointers are welcome.
-
Are you using Zentyal in conjunction with SME Server? If so, I'm kind of curious as to your setup.
Hello! :-P 8) Just registered to post my experience. I'm using Zentyal servers in my server environments.
One case is a Zentyal 3.0 server using Samba 4.0.14.
By default W10 domain joining works, but GPOs work only for Domain Administrator accounts; for other domain accounts it fails with a 1058 error, code 5 (Access denied).
To get that working, I had to change max protocol to NT1 and things started working....
...until I found out that randomly on bootup and before login the GPO failed with a 1058 error, code 65 (Network access denied).
Have to say it was not that easy to google about that specific error anymore. :-o
Accessing \\mydomain.lan\sysvol from Explorer gave a Network access denied error when executed from a non-domain computer.
Sooo I set RequireMutualAuthentication=0,RequireIntegrity=0 for \\mydomain.lan\sysvol and \\mydomain.lan\netlogon with that GPO hardening setting using RSAT for W10.
Now I'm able to access sysvol by entering domain credentials. Haven't tested it yet on the PCs that had issues, but I have a feeling this is gonna fix the issue.
-
Are you using Zentyal in conjunction with SME Server? If so, I'm kind of curious as to your setup.
No, I'm not using SME. I just went on googling about this specific problem (error 1058, code 65), which is quite rare and even occurs with Windows Server systems. And this topic seems to explain things the right way now.
I'm using Zentyal 3.0 running as my
- radius server
- gateway
- transparent squid proxy with cache
- file server, printserver, NTP server and PDC
- webserver
I'm also running a Zentyal 4.1 PDC on one other server system and am gonna test this fix, which will probably be needed.
-
Thanks for dropping by. Nice!
-
Thanks for your feedback. Can you describe precisely all the files that you modified and/or the actions you took to get roaming profiles working?
All documentation pointers are welcome.
Some info: Samba wiki on roaming profiles (https://wiki.samba.org/index.php/Implementing_roaming_profiles)
According to the wiki page, Samba should create the profile automatically (not tested!) if the user has write access to that dir... which I don't think is the case:
# ll /home/e-smith/files/samba/
total 20K
drwxr-xr-x 5 root root 4.0K Mar 16 2006 .
drwxr-xr-x 11 root root 4.0K Nov 11 2013 ..
drwxrwsr-x 2 admin admin 4.0K Nov 9 2013 netlogon
drwxrwsr-x 7 admin admin 4.0K Mar 16 2006 printers
drwxr-s--- 136 admin shared 4.0K Sep 1 13:13 profiles
So I guess in /etc/e-smith/events/user-create/S20user-create-profiledir
this line should probably be changed:
my @dirs = ("/home/e-smith/files/samba/profiles/$user","/home/e-smith/files/samba/profiles/${user}.V2");
maybe to something like:
my @dirs = ("/home/e-smith/files/samba/profiles/$user","/home/e-smith/files/samba/profiles/${user}.V2","/home/e-smith/files/samba/profiles/${user}.V4","/home/e-smith/files/samba/profiles/${user}.V5");