# Windows 7 Clients on Samba Domain
Today I had to face the undocumented mess that is adding a Windows machine to our UNIX infrastructure.
## Why?
Where I work we're mostly UNIX and Linux: UNIX (Solaris) on the backend for everything, and Linux for the e-commerce platform and the customer service computers. This is a stark contrast for people who are only accustomed to Windows. Combine these factors (an undocumented UNIX/Windows setup plus the requirement to run Windows) with the approaching April end-of-support deadline, and you have my heart racing and cold sweats.
I noticed that I could get some HP ProDesks (with Windows 7 Pro) for less than the price of a Windows 7 license, so I bought one.
It was a modest machine with a 1.5 GHz quad-core AMD processor, but the improvements in CPU and hard disk design put it far above the other machines in the office for performance, which somewhat shocked me.
As for adding it to the domain: as many of you may be aware, if you Google "Windows 7 Samba authentication" you get a lot of results about Samba shares or about configuring Samba to authenticate against Active Directory. There are no Windows servers here, and authentication has to be done against LDAP for consistency. Also, I dislike Windows and its terrible practices (WINS, anyone?), so I don't want to start adding things like that if I can get around it.
## Tech Bits
Samba is, err, ugly. For file sharing it's practically the gold standard (the Samba development team was invited to Microsoft to help them fix problems, and Microsoft has even pushed code back to the Samba devs, so the open source implementation is very, very clean), but authentication has not had so much love.
Samba 3.x does not support NTLMv2, which is unfortunate because LM is atrocious and NTLM is not enabled in Windows 7. Thus you must downgrade the client's security model to include LM, at least as a fallback.
As I recall, that setting is located in:
- Programs and Settings
- Administrative Tools -> Security
I'm still unsure whether this change was entirely necessary, since it wasn't until later that I was able to even join the domain.
Open up regedit.exe and add the following:
```reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
```
Then check the following settings:
```reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
```
Then configure your IP settings so that you can set a WINS server (in our case, the Samba authentication server itself), using the steps here.
This is enough to get you authenticated against Samba, and if you're using roaming profiles you can stop here.
However, I use local profiles: since people rarely swap computers, the network overhead and storage are not needed. For that you basically have to remove Windows' ability to even do roaming profiles, which is kind of annoying.
Failing to do this results in users constantly falling into a TEMP profile that gets wiped on logout, which is awful for settings.
Two registry settings are required to disable roaming profiles:
```reg
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
"LocalProfile"=dword:00000001
"ReadOnlyProfile"=dword:00000001
```
This should be enough. Now remove your static settings from the network stack and add the machine to the domain (the way you did on XP, or otherwise), and things will "Just Work"™.
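The three registry edits above (LanmanWorkstation parameters, the Netlogon values to check, and the local-profile policy) can be applied and verified in one go instead of by hand in regedit. The script below is an added example written for this post, not code from the original article; it uses only built-in PowerShell registry cmdlets and is written for PowerShell 2.0, which Windows 7 ships with. The `LmCompatibilityLevel` value it reports at the end is the registry backing of the LAN Manager authentication level policy mentioned earlier; that value name is not given in the post and is included here as an assumption about where that policy is stored.

```powershell
# Added example (not from the original post). Applies the registry values the post
# lists, verifies the Netlogon values the post says only to check, and re-reads
# everything afterwards. Run from an elevated PowerShell prompt on the Windows 7 client.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # The Policies\...\System key usually does not exist on a fresh client; create it.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-RegDword {
    param([string]$Path, [string]$Name, [int]$Expected)
    # Report rather than change: returns $true only when the value already matches.
    $actual = Get-RegDword $Path $Name
    if ($actual -eq $Expected) {
        Write-Host ("OK       {0}\{1} = {2}" -f $Path, $Name, $actual)
        return $true
    }
    Write-Host ("MISMATCH {0}\{1} = {2} (expected {3})" -f $Path, $Name, $actual, $Expected)
    return $false
}

# Registry writes under HKLM need an elevated session; fail early instead of half-applying.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Administrator) PowerShell prompt."
}

$workstation = 'HKLM:\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters'
$netlogon    = 'HKLM:\SYSTEM\CurrentControlSet\services\Netlogon\Parameters'
$profiles    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$lsa         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumed location of LmCompatibilityLevel

# 1. Values the post adds so the client will join an NT4-style Samba 3 domain.
Set-RegDword $workstation 'DNSNameResolutionRequired' 0
Set-RegDword $workstation 'DomainCompatibilityMode'   1

# 2. Values the post says to check: secure-channel signing/sealing and strong keys
#    stay on. These are only verified, never lowered.
$ok = $true
$ok = (Test-RegDword $netlogon 'RequireSignOrSeal' 1) -and $ok
$ok = (Test-RegDword $netlogon 'RequireStrongKey'  1) -and $ok

# 3. Values the post uses to force local profiles so users stop landing in TEMP.
Set-RegDword $profiles 'LocalProfile'    1
Set-RegDword $profiles 'ReadOnlyProfile' 1

# 4. Re-read what was written to confirm it actually landed.
$ok = (Test-RegDword $workstation 'DNSNameResolutionRequired' 0) -and $ok
$ok = (Test-RegDword $workstation 'DomainCompatibilityMode'   1) -and $ok
$ok = (Test-RegDword $profiles    'LocalProfile'              1) -and $ok
$ok = (Test-RegDword $profiles    'ReadOnlyProfile'           1) -and $ok

# 5. Show the current LAN Manager authentication level so the LM fallback the post
#    requires is visible and can be raised again once it is no longer needed.
$level = Get-RegDword $lsa 'LmCompatibilityLevel'
if ($level -eq $null) { $level = '(not set; Windows 7 default is 3, NTLMv2 responses only)' }
Write-Host "LmCompatibilityLevel: $level  (levels 0 and 1 send LM responses)"

if (-not $ok) { Write-Host "One or more values did not match; review the MISMATCH lines above."; exit 1 }
Write-Host "All values applied and verified; reboot before joining the domain."
```

The Netlogon values are deliberately only tested, matching the post's "check the following settings": a client that has them set to 0 would accept an unsigned secure channel, and that is worth noticing before the join rather than silently overwriting. The script writes nothing under `Lsa`; lowering the authentication level is left to the policy UI the post describes, and the final line simply makes the current level visible so it is easy to restore later.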
## Now what?
These issues have probably been addressed in Samba 4; however, I'm disinclined to "upset the apple-cart" and upgrade something that the majority of my company currently depends on.
If anybody has any questions or comments, suggestions on how to do this more cleanly, or, really, on what I could be doing better, I'd love to hear them.