[Samba] win 10 client on linux pdc, join domain ok, logon script fails to run


coxster dillon via samba
Sep 29, 2016, 12:40:05 PM
hi,


I have a samba 4.3.9-Ubuntu setup. I followed a guide to get a windows 10 client to join my pdc OK, but cannot get netlogon scripts to run. I can see them in the share \\<server>\netlogon and I can manually run them from the windows shell or by double clicking them. They just won't run by themselves.


I have done the registry pokes + policy changes as:


https://community.spiceworks.com/topic/1389891-windows-10-and-sysvol-netlogon
https://support.microsoft.com/en-us/kb/2895815


https://s18.postimg.org/643ketg49/regedit_samba.png


https://s22.postimg.org/6awshoi8h/network_samba.png


https://s16.postimg.org/aul5oxh91/grouppolicy_samba.png


Everything appears to work, just no automatic execution of the script. I have made sure they are in windows line ending format (via unix2dos).


testparm output:


Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[share]"
Processing section "[temp]"
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = COMPO
server string = %h server (Samba, Ubuntu)
security = USER
log file = /var/log/samba/all_log
server max protocol = NT1
max protocol = NT1
protocol = NT1
name resolve order = wins lmhosts hosts bcast
add machine script = sudo /usr/sbin/useradd -N -g pdcmachines -c Machine -d /var/lib/samba -s /bin/false %u
logon script = logon.bat
logon drive = H:
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
idmap config * : backend = tdb


[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
directory mode = 0700
browseable = No


[share]
comment = Global shared directory
path = /home/share
valid users = %U
read only = No
create mask = 0700
directory mask = 0700
directory mode = 0700


[temp]
comment = Temporary shared data directory
path = /home/temp
valid users = %U
read only = No
create mask = 0700
directory mask = 0700
directory mode = 0700


[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
create mask = 0700
directory mask = 0700
directory mode = 0700
browseable = No


Any suggestions going forward?


regards
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

coxsterdillon via samba
Sep 30, 2016, 4:40:03 AM
update:


Using VirtualBox and the windows 7 IE 10 test ovp, I can join the same pdc and the
netlogon scripts run, so it's something to do with samba and windows 10.


regards

--
View this message in context: http://samba.2283325.n4.nabble.com/win-10-client-on-linux-pdc-join-domain-ok-logon-script-fails-to-run-tp4708871p4708911.html
Sent from the Samba - General mailing list archive at Nabble.com.

Rowland Penny via samba
Sep 30, 2016, 4:50:02 AM
On Fri, 30 Sep 2016 01:10:14 -0700 (PDT)
coxsterdillon via samba <sa...@lists.samba.org> wrote:

> update:
>
>
> using virtual box and windows 7 IE 10 test ovp, I can join same pdc
> and the netlogon scripts run so it's something to do with samba and
> windows 10.
>

If it works with win7 and Samba, then Samba must be working, ergo the
problem must be with win10.

Microsoft seem to be making it harder and harder to use win10 with an
NT4-style domain; there have been some updates recently that have been
causing problems, and I suggest you investigate them.

Can I also suggest that you consider upgrading to an AD domain.

Rowland

L.P.H. van Belle via samba
Sep 30, 2016, 5:00:08 AM
> using virtual box and windows 7 IE 10 test ovp, I can join same pdc and
> the
> netlogon scripts run so it's something to do with samba and windows 10.
You're totally correct (and that can happen also with win7).


Call your script like \\host.domain.tld\netlogon\...
Don't use \\IP\... or \\Hostname

Best is you read:
http://www.windowstricks.in/2016/07/group-policy-setting-not-applying-windows-10-computers.html
and this is what you're looking for.
Check the UNC hardening policies for the netlogon and sysvol shares.


And most of these problems are due to one or more of these:

Incorrect Primary DNS-Suffix
Incorrect DNS search order.
Incorrect Connection DNS suffix

The use of \\hostname\ or \\IP_Number\

Incorrect samba TLS settings.

Outdated GPO policies.
Good info here:
https://technet.microsoft.com/en-us/itpro/windows/manage/new-policies-for-windows-10

https://www.microsoft.com/en-us/download/details.aspx?id=25250
Excel with all policies, and in my opinion a MUST HAVE!


I'm running samba 4.4.5, win7 and win10 64bit without any problem.
OK, the printer driver thing is last, but for that there is a good workaround.

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of coxsterdillon via
> samba
> Sent: Friday 30 September 2016 10:10
> To: sa...@lists.samba.org
> Subject: Re: [Samba] win 10 client on linux pdc, join domain ok, logon
> script fails to run
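
The advice above to reach the netlogon share as \\host.domain.tld\share rather than \\IP\share or \\hostname\share can be checked mechanically before a script is dropped into the share. The following Python script is an added example, not code from this thread or from the Samba project: it scans a logon script for UNC paths and reports the ones whose server part is an IP address or a bare short/NetBIOS name. The sample logon.bat is constructed for this example; 192.168.1.200, DEV2 and dev2.test are the address and names that appear elsewhere in the thread, and the drive letters and share names on those lines are assumptions.

```python
"""Added example (not from the thread or Samba): flag UNC paths in a
logon script that address the server by IP or by short name, since the
recommendation is to use the \\host.domain.tld\share form.
The sample script and the names in it are constructed for this example."""
import ipaddress
import re

# \\server\share... : the server part runs up to the next backslash,
# the share/path part up to the next whitespace.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\(\S+)")


def server_kind(server: str) -> str:
    """Classify the server part of a UNC path as 'ip', 'short' or 'fqdn'."""
    try:
        ipaddress.ip_address(server)
        return "ip"
    except ValueError:
        return "fqdn" if "." in server else "short"


def audit_script(text: str) -> list:
    """Return (unc_path, kind) for each UNC path not written with an FQDN."""
    findings = []
    for match in UNC_RE.finditer(text):
        kind = server_kind(match.group(1))
        if kind != "fqdn":
            findings.append((match.group(0), kind))
    return findings


# Constructed sample logon.bat: DEV2 / 192.168.1.200 are the server's NetBIOS
# name and address from the thread, dev2.test the FQDN form of its hostname.
SAMPLE_LOGON_BAT = r"""@echo off
rem constructed sample logon script
net use H: \\192.168.1.200\%USERNAME% /persistent:no
net use S: \\DEV2\share /persistent:no
net use T: \\dev2.test\temp /persistent:no
"""

if __name__ == "__main__":
    for path, kind in audit_script(SAMPLE_LOGON_BAT):
        print(f"{kind:5} {path}")
```

Only the first two `net use` lines are reported; the third already uses the FQDN form. The same function can be pointed at any text that carries UNC paths (a logon.bat, a `logon path` or `logon home` value, a mapped-drive list).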

coxsterdillon via samba
Sep 30, 2016, 10:50:02 AM
Hi,

On windoze 10, I can only access "//hostname", i.e. "//DEV2" (netbios
name).

How do I tell it to access samba as "//DEV2.COMPO" (the latter is the domain?)

I have looked at entries in lmhosts.sam - is this correct?

DNS is not on the linux box; google 8.8.8.8 through my router.

Also, \\dev2\netlogon is accessible but \\dev2\sysvol is not. Should I copy
the smb.conf from [netlogon] for [sysvol]?

regards


Rowland Penny via samba
Sep 30, 2016, 11:30:03 AM
On Fri, 30 Sep 2016 07:36:05 -0700 (PDT)

coxsterdillon via samba <sa...@lists.samba.org> wrote:

> Hi,
>
> On windoze 10, I can only access "//hostname", i.e. "//DEV2" (net
> bios name)
>
> How do I tell it to access samba as "//DEV2.COMPO" (latter is
> domain?)

I don't think you can, I think you should be able to access
via //hostname.domain.tld

>
> I have looked at entries in lmhosts.sam - is this correct?
>
> DNS is not on linux box, google 8.8.8.8 through my router.
>
> Also, \\dev2\netlogon is accessible but \\dev2\sysvol is not. should
> I copy the smb.conf from [netlogon] for [sysvol]?
>

From the smb.conf you posted earlier, you are running a PDC; a PDC does
not have 'sysvol', it is an AD DC thing.

Rowland

coxsterdillon via samba
Sep 30, 2016, 12:20:03 PM
Thanks for your response. OK, I get the AD DC part about sysvol and the fact
I'm running a pdc.

Can I confirm what you mean by domain?

So if I get:

#hostname
dev2.test

should my smb.conf have workgroup = test?

It does not match at present.

regards


Rowland Penny via samba
Sep 30, 2016, 12:50:03 PM
On Fri, 30 Sep 2016 09:04:04 -0700 (PDT)

coxsterdillon via samba <sa...@lists.samba.org> wrote:

> Thanks for your response. OK I get the AD DC part about sysvol and
> the fact I'm running a pdc.
>
> Can I confirm what you mean as domain?
>
> so if i get:
>
> #hostname
> dev2.test
>
> should my smb.conf have workgroup = test
>
> it does not match at present.
>

It doesn't have to match.
When you connect to a Samba server you would use //SERVER/SHARE, where
'SERVER' is the computer's NetBIOS name (which is usually the computer's
hostname) and 'SHARE' is the share to connect to.

I do not think you can connect via the NetBIOS domain name (aka
workgroup).

Rowland

coxsterdillon via samba
Oct 4, 2016, 10:30:03 AM
Hi,

Just in case someone looks at this thread, I've fixed my samba win10 issue
with PDC. Here's what I did:

To overcome perhaps a DNS issue where the complete name of the server including the top
level domain name could not access the box as \\hostname.tld\<share>,

I changed the hostname to match the netbios name.

# echo dev2 > /etc/hostname
# reboot

Edited the hosts file to make sure the old name was removed.

/etc/hosts contains

127.0.0.1 localhost
192.168.1.200 dev2

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


/etc/resolvconf/resolv.conf.d/tail contains

domain dev2
nameserver 192.168.1.200

/etc/nsswitch.conf contains

group: compat winbind
shadow: compat

hosts: files winbind mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


/etc/samba/smb.conf contains:

[global]
workgroup = COMPO
netbios name = DEV2


server string = %h server (Samba, Ubuntu)

domain master = yes
preferred master = yes
local master = yes
domain logons = yes


add machine script = sudo /usr/sbin/useradd -N -g pdcmachines -c Machine -d /var/lib/samba -s /bin/false %u

security = user
encrypt passwords = yes
wins support = yes


name resolve order = wins lmhosts hosts bcast

logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.bat
panic action = /usr/share/samba/panic-action %d
unix password sync = yes
obey pam restrictions = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*.
pam password change = yes


server max protocol = NT1

[homes]
comment = Home Directories
browseable = no
read only = no


create mask = 0700
directory mask = 0700

valid users = %S

[share]
comment = Global shared directory

browseable = yes


path = /home/share
valid users = %U

directory mask = 0700
create mask = 0700
read only = no

[temp]
comment = Temporary shared data directory

browseable = yes


path = /home/temp
valid users = %U

directory mask = 0700
create mask = 0700
read only = no

[netlogon]
path = /srv/samba/netlogon
browseable = no
read only = yes


create mask = 0700
directory mask = 0700

guest ok = yes


comment = Network Logon Service

I found all the samba users had the old tld name associated, so I changed
them, for each one:

pdbedit -r <username> -I COMPO

-----------------------------------

Important part for Windows 10. When I joined each user to the domain COMPO,
like:

https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain

If you reboot, it will prompt to log in a user and state the domain under
the user name box, in my case COMPO.

However, it kind of left each user part of the domain, able to use shares but
not fully on the domain if you enter the samba password to log in.

So for each user I log off and click switch user. Even though it says domain
COMPO under the user name, I manually type "COMPO\<username>".

Then each user is logged into a new account in windows 10, each says
COMPO\<username>, and magically their login scripts run!

I also followed the windows 10 group policy for hardened UNC paths:

https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/

and the windows 8 delayed boot group policy (with it set to disabled,
default was unset):

http://www.thewindowsclub.com/configure-logon-script-delay-windows

Hope this helps someone

Regards



Rowland Penny via samba
Oct 4, 2016, 11:40:03 AM

See inline comments:

On Tue, 4 Oct 2016 07:18:15 -0700 (PDT)


coxsterdillon via samba <sa...@lists.samba.org> wrote:

> Hi,
>
> Just in case someone looks at this thread, I've fix my samba win10
> issue with PDC. Here's what I did:
>
> To over come perhaps a DNS issue where complete name of server
> including top level domain name could not access box as
> \\hostname.tld\<share>
>
> I change the hostname to match netbios name.
>
> # echo dev2 > /etc/hostname
> # reboot

You should only have the short hostname in /etc/hostname

>
> edited hosts file to make sure old name was removed.
>
> /etc/hosts contains
>
> 127.0.0.1 localhost
> 192.168.1.200 dev2

You could also have (and should have):

192.168.1.200 dev2.domain.tld dev2

>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
> /etc/resolvconf/resolv.conf.d/tail contains
>
> domain dev2
> nameserver 192.168.1.200

Ah, you are either using Network Manager or resolvconf; can I suggest
you stop doing this.
Also, it should be 'search dev2'

>
> /etc/nsswitch.conf contains
>
> group: compat winbind
> shadow: compat
>
> hosts: files winbind mdns4_minimal [NOTFOUND=return] dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>

I take it you missed off 'passwd compat winbind'

Rowland
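
The fix posted above and the corrections in this reply (short name only in /etc/hostname, an /etc/hosts line carrying the FQDN before the short name, 'search' rather than 'domain' in resolv.conf, and a 'passwd: compat winbind' line in nsswitch.conf) can be turned into a small lint that is run before the next reboot. The Python script below is an added example, not code from this thread or from the Samba project. The file contents it checks are reconstructed from the thread (smb.conf trimmed to the keys that matter here); the corrected set applies the reply's suggestions, using 'test' as the DNS domain (from the earlier 'hostname' output, dev2.test) where the reply wrote the placeholder domain.tld.

```python
"""Added example (not from the thread or Samba): lint the name-resolution
files and smb.conf posted in the fix against the points raised in reply.
File contents are reconstructed from the thread; 'test' as the DNS domain
is an assumption taken from the earlier 'hostname' output (dev2.test)."""


def parse_smb_conf(text: str) -> dict:
    """Small smb.conf parser: {section: {key: value}} with '#'/';' comments
    and trailing-backslash continuation lines handled."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def lint_files(files: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hostname = files["hostname"].strip()
    short = hostname.split(".")[0]
    if "." in hostname:
        findings.append("hostname: keep only the short host name in /etc/hostname")
    conf = parse_smb_conf(files["smb.conf"])
    netbios = conf.get("global", {}).get("netbios name", short).upper()
    if netbios != short.upper():
        findings.append(f"smb.conf: netbios name {netbios} differs from hostname {short}")
    # /etc/hosts: the server's own address line should list the FQDN, then the short name
    fqdn_present = False
    for line in files["hosts"].splitlines():
        parts = line.split("#")[0].split()
        if len(parts) < 2 or parts[0].startswith(("127.", "::1", "ff02")):
            continue
        if short in parts[1:] and any(n.startswith(short + ".") for n in parts[1:]):
            fqdn_present = True
    if not fqdn_present:
        findings.append("hosts: add an 'IP dev2.domain.tld dev2' line carrying the FQDN")
    for line in files["resolv"].splitlines():
        if line.split()[:1] == ["domain"]:
            findings.append("resolv.conf: use 'search <domain>' instead of 'domain'")
    databases = {}
    for line in files["nsswitch"].splitlines():
        line = line.split("#")[0].strip()
        if ":" in line:
            name, _, sources = line.partition(":")
            databases[name.strip()] = sources.split()
    if "winbind" not in databases.get("passwd", []):
        findings.append("nsswitch: add 'passwd: compat winbind'")
    return findings


POSTED = {  # reconstructed from the thread (smb.conf trimmed to relevant keys)
    "hostname": "dev2\n",
    "hosts": "127.0.0.1 localhost\n192.168.1.200 dev2\n"
             "# The following lines are desirable for IPv6 capable hosts\n"
             "::1 localhost ip6-localhost ip6-loopback\n"
             "ff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n",
    "resolv": "domain dev2\nnameserver 192.168.1.200\n",
    "nsswitch": "group: compat winbind\nshadow: compat\n"
                "hosts: files winbind mdns4_minimal [NOTFOUND=return] dns\n",
    "smb.conf": "[global]\nworkgroup = COMPO\nnetbios name = DEV2\n"
                "domain logons = yes\nlogon script = logon.bat\n"
                "[netlogon]\npath = /srv/samba/netlogon\nread only = yes\n",
}

# The reply's corrections applied; 'test' as DNS domain is an assumption.
CORRECTED = dict(POSTED)
CORRECTED["hosts"] = "127.0.0.1 localhost\n192.168.1.200 dev2.test dev2\n"
CORRECTED["resolv"] = "search test\nnameserver 192.168.1.200\n"
CORRECTED["nsswitch"] = "passwd: compat winbind\n" + POSTED["nsswitch"]

if __name__ == "__main__":
    for label, files in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, lint_files(files) or ["ok"])
```

Run against the posted files it reports the three points the reply raised (hosts, resolv.conf, nsswitch) and nothing else; against the corrected set it reports nothing. To use it on a real box, replace the dictionary values with the contents of /etc/hostname, /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf and /etc/samba/smb.conf.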

Adam Tauno Williams via samba
Oct 5, 2016, 1:40:03 PM
On Thu, 2016-09-29 at 16:17 +0000, coxster dillon via samba wrote:
> I have samba 4.3.9-Ubuntu setup. followed a guide to get a windows
> 10 client to join my pdc OK but cannot get netlogon scripts to run.
> I can see them in the share \\<server>\netlogon and I can manually
> run them from windows shell or by double clicking them. They just
> won't run by themselves.

What are your logon scripts?

If they are BAT (Batch) files they won't work. You need to use
something more current; VBS scripts will work.

--
Meetings Coordinator, Michigan Association of Railroad Passengers
537 Shirley St NE Grand Rapids, MI 49503-1754 Phone: 616.581.8010
E-mail: awil...@whitemice.org GPG#D95ED383 Web: http://www.marp.org
