Sunday, August 9, 2009

Getting Windows 7 to join Ubuntu Domain

[see updates at end for Ubuntu 9.10 info]
I finally managed to get the release of Windows 7 to join my Ubuntu domain controller at home. First I had to upgrade Ubuntu from 8.04 to 9.04 (Jaunty Jackalope). This was pretty easy, since Ubuntu has a single button for upgrade, although I had to upgrade in two steps with 8.10 on the way.
The next step is to install Samba 3.3.4. The required version of Samba running is very specific since Windows 7 will only join a Samba domain of this exact version. Previous versions of Windows don't care. So the default 3.3.2 of Ubuntu 9.04, nor later versions of 3.3.7 etc will work at all.
I found a posting here that helped my do the manual Samba upgrade. Quite a long and tedious process, but I got it to work in the end.
Finally, I had to tweak some Windows 7 registry settings to let it use some lower security options for dealing with the old style NT domains. All the details are found here. You'll notice I posted a question here when I was having problems, and the poster Greg was really helpful with getting me on track. Thanks Greg!
My problem was the upgrade of Samba/Ubuntu left my smb.conf with an invalid -n option in the "add machine script" line, which caused an error when attempting to add a machine to the domain.
All sorted now, which means I'm one step closer to upgrading my main workstation OS from Vista x64 to Windows 7 x64. I just need to verify VMWare Workstation and a couple of other critical apps are going to work. Joy.

[Update 28/8/09]
Upgrading a Vista machine that is already connected to a Samba 3.3.4 domain to Windows 7 RTM also works fine. I notice the only reg entry it changed of the four above was the "RequireStrongKey" one.

[Update 16/11/09]
It seems Ubuntu 9.10, Karmic Koala, does support Windows 7 clients in a samba domain (fix released), however I'm waiting to upgrade my server for a while.

[Update 6/2/10]
Upgraded. Seems fine.

[Update 26/5/10]
Now I've noticed that one of my accounts couldn't log into the domain. I had to change these reg settings:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
“RequireSignOnSeal”=dword:00000000
“RequireStrongKey”=dword:00000001

In smb.conf, I also added to
[netlogon]

write list = root


Not sure which is important, but the account now logs in.

1 comment:

Quincy said...

Hi

There is a simple domain join utility for Windows 7 which will make the registry edits conveniently and also avoid the pesky error message that you usually get, when joining Windows 7 to a Samba domain.

It is downloadable here: http://www.phyrix.com/samba/.

Ciao