Edit smb.conf file (vi /etc/samba/smb.conf): server max protocol = NT1

The document summarizes the configuration of a Samba PDC server on CentOS 7 including installing Samba packages, editing the smb.conf file to configure shares and security settings, creating users and machine accounts, starting Samba services, configuring the firewall and SELinux, and joining Windows clients to the Samba domain. Key steps include configuring the smb.conf file, creating users and machine accounts using smbpasswd, starting Samba services, opening required ports in the firewall, setting SELinux booleans, and fixing issues that may occur when joining Windows 7 and Windows 10 clients to the domain.

Uploaded by vineeth

I will be using two systems for this article: the Samba PDC described below and a Windows client (Windows 7 or Windows 10) that will be joined to the domain.

Samba PDC:

OS: CentOS 7 Minimal server

Hostname: server.vinsoft.local

IP Address: 192.168.43.50/24

Samba Domain: VINSOFT

- Run the following command to install the Samba packages:

yum install samba* -y

- To verify the installed Samba version, enter the following commands:

smbd -V

smbclient -V

Edit smb.conf file

vi /etc/samba/smb.conf

[global]
server max protocol = NT1
workgroup = VINSOFT
security = user
domain master = yes
domain logons = yes
local master = yes
preferred master = yes
passdb backend = tdbsam
logon path = \\%L\Profiles\%U
logon script = logon.bat
add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /sbin/nologin -M %u

[homes]
comment = Home Directories
browseable = yes
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = yes
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
browseable = No
writable = No

[Profiles]
path = /var/lib/samba/profiles
create mask = 0755
directory mask = 0755
writable = Yes
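The configuration above is worth checking mechanically, because a handful of its values decide who can write the logon script every client executes and who can read other users' roaming profiles. The following script is an added example written for this page, not code from the original article or from the Samba project. It parses smb.conf with Python's configparser and reports the security-relevant settings: the SMB1 ceiling set by server max protocol, a writable [netlogon], guest-writable shares, a logon path that points at an undefined share, and profile masks that leave profiles readable by other users. The embedded sample is a constructed copy of the [global], [netlogon] and [Profiles] sections above; the Samba defaults it assumes (read only = yes, create mask = 0744, directory mask = 0755) are stated in its docstring and are not something the page itself says.

```python
"""Audit an NT4-style Samba PDC smb.conf for the security-relevant settings.
Assumed Samba defaults (not stated on the page): 'read only = yes',
'create mask = 0744', 'directory mask = 0755'; names are case/space-insensitive."""
import configparser

# Constructed sample: the [global], [netlogon] and [Profiles] sections from the article.
SAMPLE_SMB_CONF = r"""[global]
server max protocol = NT1
workgroup = VINSOFT
security = user
domain master = yes
domain logons = yes
local master = yes
preferred master = yes
passdb backend = tdbsam
logon path = \\%L\Profiles\%U
logon script = logon.bat
add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /sbin/nologin -M %u

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
browseable = No
writable = No

[Profiles]
path = /var/lib/samba/profiles
create mask = 0755
directory mask = 0755
writable = Yes
"""

SMB1_DIALECTS = {"NT1", "LANMAN2", "LANMAN1", "COREPLUS", "CORE"}


def parse_smb_conf(text):
    """smb.conf is INI-like with '=' only; values carry %-macros (so no
    interpolation) and parameter names are case/space-insensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return cp


def smb_bool(value, default=False):
    """Samba accepts yes/no, true/false and 1/0 in any case."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_writable(sec):
    """writable/writeable/write ok are inverted synonyms of 'read only'."""
    for key in ("writable", "writeable", "write ok"):
        if key in sec:
            return smb_bool(sec[key])
    if "read only" in sec:
        return not smb_bool(sec["read only"])
    return False  # Samba default: read only = yes


def audit(text):
    """Return (level, section, message) findings for one smb.conf text."""
    cp = parse_smb_conf(text)
    names = {s.lower(): s for s in cp.sections()}
    g = cp[names["global"]] if "global" in names else {}
    shares = {k: v for k, v in names.items() if k != "global"}
    out = []
    proto = g.get("server max protocol", "").strip().upper()
    if proto in SMB1_DIALECTS:
        out.append(("WARN", "global", f"server max protocol = {proto} caps the server "
                    "at SMB1: needed for NT4-domain logons from Windows 10, but it "
                    "denies SMB2/SMB3 signing and encryption to every client"))
    if smb_bool(g.get("domain logons")):
        if not g.get("add machine script"):
            out.append(("WARN", "global", "no add machine script: create each "
                        "machine account by hand before the client joins"))
        if "netlogon" not in shares:
            out.append(("FAIL", "global", "domain logons = yes but no [netlogon] share"))
    if "netlogon" in shares and share_writable(cp[shares["netlogon"]]):
        out.append(("FAIL", shares["netlogon"], "writable: any domain user could "
                    "replace logon.bat, which every client runs at logon"))
    for sname in shares.values():
        if smb_bool(cp[sname].get("guest ok")) and share_writable(cp[sname]):
            out.append(("FAIL", sname, "guest ok = yes on a writable share"))
    # Roaming profiles live in the share named by 'logon path' (\\%L\Profiles\%U).
    parts = [p for p in g.get("logon path", "").replace("/", "\\").split("\\") if p]
    if len(parts) >= 2 and parts[1].lower() not in shares:
        out.append(("FAIL", "global", f"logon path uses undefined share [{parts[1]}]"))
    elif len(parts) >= 2:
        sec = cp[shares[parts[1].lower()]]
        for key, default in (("create mask", 0o744), ("directory mask", 0o755)):
            try:
                mask = int(sec.get(key, f"{default:o}"), 8)
            except ValueError:
                mask = default
            if mask & 0o077:  # group/other bits set: other users can read the profiles
                out.append(("WARN", sec.name, f"{key} = {mask:04o} exposes roaming "
                            "profiles to other users; use 0600/0700"))
    return out


if __name__ == "__main__":
    for level, section, msg in audit(SAMPLE_SMB_CONF):
        print(f"{level:4} [{section}] {msg}")
```

On a live server, feed it the output of testparm -s rather than the raw file, so that includes and synonyms are already resolved into the effective configuration.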

- Create the share directories referenced in smb.conf:

mkdir -m 1777 /var/lib/samba/netlogon

mkdir -m 1777 /var/lib/samba/profiles

Note that mode 1777 lets every local account on the server write into these directories. Samba exports [netlogon] read-only, but the logon.bat kept there is executed by every domain client at logon, so on a server that has other local users keep /var/lib/samba/netlogon owned by root with mode 0755 and place logon.bat there as root. The profiles directory does have to be writable by the users whose roaming profiles are stored in it.

- Now create the Linux accounts for the users who will log in to the domain; Samba maps every domain user to a local account.

useradd user1

useradd user2
Create machine accounts:

Every Windows machine that joins the domain needs a machine trust account. Machine accounts are special accounts whose name ends in $, e.g. machine$. The Unix accounts backing them need neither a login shell nor a home directory.

- Add a new group named "machine" with group id 200 (the gid used by the add machine script in [global]):

groupadd -g 200 machine

- With add machine script set in [global], Samba creates the Unix and Samba machine accounts automatically when a client joins with the domain administrator credentials. To add a machine account by hand instead, first create its Unix account (the same useradd command as in add machine script, with machine1$ in place of %u) and then run:

smbpasswd -m -a machine1$

Here, -m tells smbpasswd that the account is a machine trust account (its name must end in $), and -a adds it to the Samba password database.

- Create the Samba user accounts:

smbpasswd -a root
smbpasswd -a user1
smbpasswd -a user2

Here the root user is the domain administrator whose credentials are entered when joining Windows NT/2000/XP/7 systems to the domain. Do not give smbpasswd the same password as the actual root account on the server; choose a different password used solely for joining computers. This reduces the exposure of the real root password, since the Samba password is what gets typed into every client at join time.

Start Samba services:

Check the configuration for syntax errors with testparm, then start the Samba services and enable them to start automatically at every boot.
systemctl start smb
systemctl start nmb
systemctl enable smb
systemctl enable nmb

Firewall Configuration:

The table below lists the ports Samba uses when it runs as an Active Directory Domain Controller. The server configured in this article is a classic NT4-style PDC with a local tdbsam passdb: it runs no DNS, Kerberos or LDAP service, so of these ports only 137/udp, 138/udp, 139/tcp and 445/tcp (the NetBIOS and SMB ports served by nmbd and smbd) actually need to be reachable from clients. Opening the remaining ports exposes nothing while no service listens on them, but it is unnecessary and widens what a later misconfiguration could expose.

Service                                           Port       Protocol
DNS                                               53         tcp/udp
Kerberos                                          88         tcp/udp
End Point Mapper (DCE/RPC Locator Service)        135        tcp
NetBIOS Name Service                              137        udp
NetBIOS Datagram                                  138        udp
NetBIOS Session                                   139        tcp
LDAP                                              389        tcp/udp
SMB over TCP                                      445        tcp
Kerberos kpasswd                                  464        tcp/udp
LDAPS (only if "tls enabled = yes")               636        tcp
Dynamic RPC Ports*                                1024-5000  tcp
Global Catalog                                    3268       tcp
Global Catalog SSL (only if "tls enabled = yes")  3269       tcp
Multicast DNS                                     5353       tcp/udp

firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-port=88/tcp
firewall-cmd --permanent --add-port=88/udp
firewall-cmd --permanent --add-port=135/tcp
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=389/udp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=464/tcp
firewall-cmd --permanent --add-port=464/udp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=1024-5000/tcp
firewall-cmd --permanent --add-port=3268/tcp
firewall-cmd --permanent --add-port=3269/tcp
firewall-cmd --permanent --add-port=5353/tcp
firewall-cmd --permanent --add-port=5353/udp

NetBIOS name service is UDP only and the dynamic RPC range is TCP, so 137/tcp and 1024-5000/udp are not opened. For the NT4-style PDC built in this article, the four lines for 137/udp, 138/udp, 139/tcp and 445/tcp are the ones that matter.

Finally reload the firewall so the permanent rules take effect.

firewall-cmd --reload

SELinux Configuration:

Apply the SELinux booleans that allow Samba to act as a domain controller and to export home directories.

setsebool -P samba_domain_controller on

setsebool -P samba_enable_home_dirs on

Also label the Samba shares defined in smb.conf so that smbd may serve them:

chcon -t samba_share_t /var/lib/samba/netlogon

chcon -t samba_share_t /var/lib/samba/profiles

chcon changes the label of the files as they are now; a later relabel of the filesystem (restorecon, or a relabel on boot) resets it to the policy default, so for a permanent setup record the context with semanage fcontext and apply it with restorecon. Do not disable the firewall or SELinux to work around problems: if Samba is blocked, the AVC denials in the audit log and the output of firewall-cmd --list-all show what is missing. Restart the server once you have completed all of the above steps.

Joining Windows Clients To Samba PDC

WINDOWS 7

If joining a Windows 7 client to the domain fails, the following registry change fixes it.

Open the Windows registry editor and go to HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> LanmanWorkstation -> Parameters.

Create two new DWORD values named "DomainCompatibilityMode" and "DNSNameResolutionRequired", and set "DomainCompatibilityMode" to 1 (one) and "DNSNameResolutionRequired" to 0 (zero). Refer to the screenshot below. The first value makes the client accept an NT4-style (Samba classic) domain; the second stops it from requiring DNS-based domain controller location, so the PDC is found by NetBIOS name resolution instead.

WINDOWS 10

Windows 10: There Are Currently No Logon Servers Available to Service the Logon Request

After you have successfully joined Windows 10 to your Samba NT4 domain, logging in fails with the following error:

There are currently no logon servers available to service the logon request.

To fix the problem, set in the primary domain controller's (PDC) smb.conf file:

server max protocol = NT1

This setting prevents all clients from using an SMB protocol version newer than SMB1 when communicating with the PDC; NT4-style domain logons from Windows 10 only succeed over SMB1. The Samba team recommends this workaround over the alternative of disabling the newer SMB versions on the Windows 10 client, because the client-side change would stop that machine from talking SMB2/SMB3 to every Samba and Windows host, not only to the PDC. Bear in mind what the trade-off is: the PDC is now reachable over SMB1 only, which lacks the signing and encryption improvements of SMB2/SMB3 and is deprecated, and current Windows 10 builds do not install the SMB 1.0/CIFS client feature by default, so it may have to be enabled on the client before the domain logon can work at all.

Restart Samba.
IMPORTANT: Registry Changes That You Should Never Set!

You must not change the values of RequireSignOrSeal or RequireStrongKey. Changing these settings breaks interoperability between Windows and Samba installations, and both downgrade the Netlogon secure channel that carries domain logons: RequireSignOrSeal = 1 makes the client insist that secure-channel traffic is signed or encrypted, and RequireStrongKey = 1 makes it insist on a strong (128-bit) session key.

If you changed these parameters, reset the values of both keys back to 1:

Save the following content to a plain text file named reset_RequireSignOrSeal_RequireStrongKey.reg using a text editor such as Notepad (not Word/Wordpad/OpenOffice/LibreOffice/etc.) and import it with the registry editor. The key path has to be written out in full (CCS is only a common shorthand for CurrentControlSet and is not expanded by regedit):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

"RequireSignOrSeal"=dword:00000001

"RequireStrongKey"=dword:00000001

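To verify a client's state without clicking through regedit, export the two Parameters keys (regedit's File > Export writes the REGEDIT5 text format shown above) and check the values in the export. The following parser and checker is an added example written for this page, not code from the article or from Microsoft. It assumes the export has already been decoded to text (regedit writes UTF-16LE with a byte-order mark), that the key paths are written out as CurrentControlSet, and that the Windows defaults for absent values are RequireSignOrSeal = 1, RequireStrongKey = 1, DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 1 (an assumption taken from Microsoft's documentation, marked as such in the code). It covers both the Windows 7 LanmanWorkstation values set earlier and the Netlogon values that must stay at 1; the embedded sample export is constructed from the reset file above plus those Windows 7 values.

```python
"""Parse a Windows .reg export (REGEDIT5 text format) and check the client-side
values this article sets on Samba NT4-domain members. Assumes the export has
already been decoded to str; hex: values with continuation lines are not handled."""
import re

HEADER = "Windows Registry Editor Version 5.00"
VALUE_LINE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
LANMANWS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

# {key: {value name: (required value, Windows default when the value is absent)}}
# The defaults are an assumption from Microsoft's documentation, not from the page.
EXPECTED = {
    NETLOGON: {"RequireSignOrSeal": (1, 1), "RequireStrongKey": (1, 1)},
    LANMANWS: {"DomainCompatibilityMode": (1, 0), "DNSNameResolutionRequired": (0, 1)},
}

# Constructed sample: the reset file from the article plus the Windows 7 values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
"""


def parse_data(data):
    """dword: is 8 hex digits, "..." is a string with \\ and \" escapes,
    '-' deletes the value; any other kind is returned as the raw text."""
    if data == "-":
        return None
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg(text):
    """Return {key path: {value name: data}}; keys and names keep their case."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a REGEDIT5 export")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {line!r}")
        name = "@" if m["name"] == "@" else m["name"][1:-1]
        keys[current][name] = parse_data(m["data"])
    return keys


def check_domain_member(text):
    """List every expected value that is missing or wrong in the export.
    Registry key paths and value names are case-insensitive, so compare folded."""
    have = {k.lower(): {n.lower(): v for n, v in vals.items()}
            for k, vals in parse_reg(text).items()}
    problems = []
    for key, wanted in EXPECTED.items():
        values = have.get(key.lower(), {})
        for name, (required, default) in wanted.items():
            actual = values.get(name.lower(), default)
            if actual is None:  # '-' in a .reg deletes the value: back to default
                actual = default
            if actual != required:
                problems.append(f"{key}\\{name} = {actual!r}, expected {required}")
    return problems


if __name__ == "__main__":
    print(check_domain_member(SAMPLE_REG) or ["all client settings as expected"])
```

Because absent values are compared against their Windows defaults, an export that lacks the LanmanWorkstation key is reported as two problems (the Windows 7 fix was never applied), while a missing Netlogon key is accepted, since the defaults there are already the required 1.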