I have Samba 4.3.9-Ubuntu set up. I followed a guide to get a Windows 10 client to join my PDC OK, but cannot get netlogon scripts to run. I can see them in the share \\<server>\netlogon and I can manually run them from the Windows shell or by double-clicking them. They just won't run by themselves.
I have done the registry pokes + policy changes as:
https://community.spiceworks.com/topic/1389891-windows-10-and-sysvol-netlogon
https://support.microsoft.com/en-us/kb/2895815
https://s18.postimg.org/643ketg49/regedit_samba.png
https://s22.postimg.org/6awshoi8h/network_samba.png
https://s16.postimg.org/aul5oxh91/grouppolicy_samba.png
Everything appears to work, just no execution of the script automatically. I have made sure they are in Windows line ending format (via unix2dos).
testparm output:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[share]"
Processing section "[temp]"
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = COMPO
server string = %h server (Samba, Ubuntu)
security = USER
log file = /var/log/samba/all_log
server max protocol = NT1
max protocol = NT1
protocol = NT1
name resolve order = wins lmhosts hosts bcast
add machine script = sudo /usr/sbin/useradd -N -g pdcmachines -c Machine -d /var/lib/samba -s /bin/false %u
logon script = logon.bat
logon drive = H:
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
idmap config * : backend = tdb
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
directory mode = 0700
browseable = No
[share]
comment = Global shared directory
path = /home/share
valid users = %U
read only = No
create mask = 0700
directory mask = 0700
directory mode = 0700
[temp]
comment = Temporary shared data directory
path = /home/temp
valid users = %U
read only = No
create mask = 0700
directory mask = 0700
directory mode = 0700
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
create mask = 0700
directory mask = 0700
directory mode = 0700
browseable = No
Any suggestions going forward?
regards
--
using virtual box and windows 7 IE 10 test ovp, I can join same pdc and the
netlogon scripts run so it's something to do with samba and windows 10.
regards
--
View this message in context: http://samba.2283325.n4.nabble.com/win-10-client-on-linux-pdc-join-domain-ok-logon-script-fails-to-run-tp4708871p4708911.html
Sent from the Samba - General mailing list archive at Nabble.com.
> update:
>
>
> using virtual box and windows 7 IE 10 test ovp, I can join same pdc
> and the netlogon scripts run so it's something to do with samba and
> windows 10.
>
If it works with win7 and Samba, then Samba must be working, ergo the
problem must be with win10.
Microsoft seem to be making it harder and harder to use win10 with an
NT4-style domain, there have been some updates recently that have been
causing problems, I suggest you investigate them.
Can I also suggest that you consider upgrading to an AD domain.
Rowland
Call your script like \\host.domain.tld\netlogon\...
Don't use
\\IP\... or \\Hostname
Best is you read:
http://www.windowstricks.in/2016/07/group-policy-setting-not-applying-windows-10-computers.html
and this is what you're looking for.
Check UNC hardening for netlogon and sysvol Shares policies.
And most of these problems are due to one or more of these.
Incorrect Primary DNS-Suffix
Incorrect DNS Search order.
Incorrect Connection DNS suffix
The use of \\hostname\ or \\IP_Number\
Incorrect samba TLS settings.
Outdated GPO policies.
Good info here:
https://technet.microsoft.com/en-us/itpro/windows/manage/new-policies-for-windows-10
https://www.microsoft.com/en-us/download/details.aspx?id=25250
Excel with all policies, and in my opinion a MUST HAVE!
I'm running samba 4.4.5 win7 and win10 64bit without any problem.
OK, the printer driver thing is last, but for that there is a good workaround.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of coxsterdillon via
> samba
> Sent: Friday 30 September 2016 10:10
> To: sa...@lists.samba.org
> Subject: Re: [Samba] win 10 client on linux pdc, join domain ok, logon
> script fails to run
On windoze 10, I can only access "//hostname", i.e. "//DEV2" (net bios
name)
How do I tell it to access samba as "//DEV2.COMPO" (latter is domain?)
I have looked at entries in lmhosts.sam - is this correct?
DNS is not on linux box, google 8.8.8.8 through my router.
Also, \\dev2\netlogon is accessible but \\dev2\sysvol is not. Should I copy
the smb.conf from [netlogon] for [sysvol]?
regards
--
> Hi,
>
> On windoze 10, I can only access "//hostname", i.e. "//DEV2" (net
> bios name)
>
> How do I tell it to access samba as "//DEV2.COMPO" (latter is
> domain?)
I don't think you can, I think you should be able to access
via //hostname.domain.tld
>
> I have looked at entries in lmhosts.sam - is this correct?
>
> DNS is not on linux box, google 8.8.8.8 through my router.
>
> Also, \\dev2\netlogon is accessible but \\dev2\sysvol is not. should
> I copy the smb.conf from [netlogon] for [sysvol]?
>
From the smb.conf you posted earlier, you are running a PDC, a PDC does
not have 'sysvol', it is an AD DC thing.
Rowland
Can I confirm what you mean as domain?
So if I get:
#hostname
dev2.test
Should my smb.conf have workgroup = test?
It does not match at present.
regards
--
> Thanks for your response. OK I get the AD DC part about sysvol and
> the fact I'm running a pdc.
>
> Can I confirm what you mean as domain?
>
> so if i get:
>
> #hostname
> dev2.test
>
> should my smb.conf have workgroup = test
>
> it does not match at present.
>
It doesn't have to match.
When you connect to a Samba server you would use //SERVER/SHARE, where
'SERVER' is the computer's NETBios name (which is usually the computer's
hostname) and 'SHARE' is the share to connect to.
I do not think you can connect via the NETBios domain name (aka
workgroup).
Rowland
Just in case someone looks at this thread, I've fixed my samba win10 issue
with PDC. Here's what I did:
To overcome perhaps a DNS issue where complete name of server including top
level domain name could not access box as \\hostname.tld\<share>
I changed the hostname to match netbios name.
# echo dev2 > /etc/hostname
# reboot
Edited hosts file to make sure old name was removed.
/etc/hosts contains
127.0.0.1 localhost
192.168.1.200 dev2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/etc/resolvconf/resolv.conf.d/tail contains
domain dev2
nameserver 192.168.1.200
/etc/nsswitch.conf contains
group: compat winbind
shadow: compat
hosts: files winbind mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/samba/smb.conf contains:
[global]
workgroup = COMPO
netbios name = DEV2
server string = %h server (Samba, Ubuntu)
domain master = yes
preferred master = yes
local master = yes
domain logons = yes
add machine script = sudo /usr/sbin/useradd -N -g pdcmachines -c Machine -d /var/lib/samba -s /bin/false %u
security = user
encrypt passwords = yes
wins support = yes
name resolve order = wins lmhosts hosts bcast
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.bat
panic action = /usr/share/samba/panic-action %d
unix password sync = yes
obey pam restrictions = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*.
pam password change = yes
server max protocol = NT1
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
[share]
comment = Global shared directory
browseable = yes
path = /home/share
valid users = %U
directory mask = 0700
create mask = 0700
read only = no
[temp]
comment = Temporary shared data directory
browseable = yes
path = /home/temp
valid users = %U
directory mask = 0700
create mask = 0700
read only = no
[netlogon]
path = /srv/samba/netlogon
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
guest ok = yes
comment = Network Logon Service
I found all the samba users had the old tld name associated so I changed
them as for each:
pdbedit -r <username> -I COMPO
-----------------------------------
Important part for Windows 10. When I joined each user to the domain COMPO,
like:
https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain
If you reboot, it will prompt to log in a user and state the domain under
the user name box, in my case COMPO.
However, it kind of left each user part of the domain, able to use shares but
not fully on the domain if you enter the samba password to log in.
So for each user I log off. Click switch user. Even though it says domain
COMPO under the user name, I manually type "COMPO\<username>".
Then each user is logged into a new account in windows 10, each says
COMPO\<username> and magically their login scripts run!
I also followed the windows 10 group policy for hardened unc:
and the windows 8 delayed boot group policy (with it set to disabled,
default was unset):
http://www.thewindowsclub.com/configure-logon-script-delay-windows
Hope this helps someone
Regards
--
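An added example, not part of the original post and not Samba's own tooling: a small Python audit of the smb.conf posted above, flagging the settings that bear on how far a client can trust scripts fetched from [netlogon]. The rule names and the sample (constructed from the poster's [global] and [netlogon] lines) are this example's own.

```python
import re

# Constructed sample: [global] and [netlogon] lines from the final smb.conf posted above.
SAMPLE = """
[global]
   workgroup = COMPO
   domain logons = yes
   server max protocol = NT1
[netlogon]
   path = /srv/samba/netlogon
   read only = yes
   guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    text = re.sub(r"[ \t]*\\\r?\n[ \t]*", " ", text)  # join backslash continuations
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1", "on")

def audit(conf):
    """Return (rule_id, message) findings; the rule ids are hypothetical names."""
    g, nl = conf.get("global", {}), conf.get("netlogon", {})
    findings = []
    if g.get("server max protocol", "").upper() in ("NT1", "LANMAN2", "LANMAN1", "COREPLUS", "CORE"):
        findings.append(("SMB1_ONLY", "server max protocol caps every client at SMB1 or older"))
    if is_yes(g.get("domain logons")) and "active directory" not in g.get("server role", "").lower():
        findings.append(("NT4_DOMAIN", "NT4-style domain logons: no Kerberos, clients authenticate with NTLM"))
    if is_yes(nl.get("guest ok")):
        findings.append(("NETLOGON_GUEST", "[netlogon] is readable without authentication"))
    writable = not is_yes(nl.get("read only", "yes")) or is_yes(nl.get("writable", nl.get("writeable", "no")))
    if nl and writable:
        findings.append(("NETLOGON_WRITABLE", "[netlogon] is writable: logon scripts can be replaced over SMB"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_smb_conf(SAMPLE)), sep="\n")
```
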
On Tue, 4 Oct 2016 07:18:15 -0700 (PDT)
coxsterdillon via samba <sa...@lists.samba.org> wrote:
> Hi,
>
> Just in case someone looks at this thread, I've fixed my samba win10
> issue with PDC. Here's what I did:
>
> To overcome perhaps a DNS issue where complete name of server
> including top level domain name could not access box as
> \\hostname.tld\<share>
>
> I changed the hostname to match netbios name.
>
> # echo dev2 > /etc/hostname
> # reboot
You should only have the short hostname in /etc/hostname
>
> edited hosts file to make sure old name was removed.
>
> /etc/hosts contains
>
> 127.0.0.1 localhost
> 192.168.1.200 dev2
You could also have (and should have):
192.168.1.200 dev2.domain.tld dev2
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
>
> /etc/resolvconf/resolv.conf.d/tail contains
>
> domain dev2
> nameserver 192.168.1.200
Ah, you are either using Network Manager or resolvconf, can I suggest
you stop doing this.
Also, it should be 'search dev2'
>
> /etc/nsswitch.conf contains
>
> group: compat winbind
> shadow: compat
>
> hosts: files winbind mdns4_minimal [NOTFOUND=return] dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
I take it you missed off 'passwd compat winbind'
Rowland
What are your logon scripts?
If they are BAT (Batch) files they won't work. You need to use
something more current; VBS scripts will work.
--
Meetings Coordinator, Michigan Association of Railroad Passengers
537 Shirley St NE Grand Rapids, MI 49503-1754 Phone: 616.581.8010
E-mail: awil...@whitemice.org GPG#D95ED383 Web: http://www.marp.org