Difference between revisions of "Windows 7 Support"

From SME Server
(add source code links)
 
(44 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{Level|medium}}
 
{{Level|medium}}
{{Warning box| This howto is based upon limited testing and may cause SME Server to experience issues when updating and/or upgrading to version 8 upon release. You should only use these instructions if Windows 7 support is critical for your environment.}}
 
  
 
==Author==
 
==Author==
Line 6: Line 5:
  
 
==Background==
 
==Background==
Windows 7 was released in October 2009. Due to changes in the way that trust relationships are established with domain controllers, older versions of Samba do not allow Windows 7 clients to log in once joined to a domain.
+
Support for Windows 7 ended on January 14, 2020. If you are still using Windows 7, your PC may become more vulnerable to security risks. The only Microsoft-supported Windows version now is Windows 10. We strongly recommend you do not use versions of Windows unsupported by Microsoft.
  
Although an upstream fix was made available for SME 8 beta (based on CentOS 5, see [[bugzilla:5425|bug 5425]]), there is no comparable fix available from the upstream vendor for SME 7.x (based on CentOS 4).
+
Windows 7 was released in October 2009. Due to changes in the way that trust relationships are established with domain controllers, some modifications to the windows registry needs to take place.
  
==Adding Windows 7 Support==
+
==Join a Window 7 client to SME Server 8 or 9==
Thanks to [http://www.sernet.de/ SerNet], SME 7 users can now install an updated version of Samba which fixes the domain trust issues.
+
Previously you needed to edit your Win7 registry to facilitate the joining of a SME Server Domain, however this can more easily be achieved by importing win7samba.reg fix by using either a usb key or by the network with http.
  
===Installation===
+
*Save the Win7 registry patch (win7samba.reg) from https://your-server-ip/server-resources/regedit/ with your favourite web browser
*Add the SerNet repository for CentOS 4.x
+
*On your windows desktop, start "regedit" from the  start menu and import the win7samba.reg
 +
*Set your domain instead of your workgroup. Add the client machine to the domain as normal.
 +
*When asked on your Windows PC use the 'admin' username and your SME Server admins password.
 +
*You have to reboot your computer to reach the domain
  
db yum_repositories set SerNet repository \
+
{{Tip box|To connect a windows Seven client to your domain, Go to the "start menu", right click on computer, select "Properties", select the link "change Settings", then click on "Change" Tab.. Enter your servers "Domain" value in the domain field and 'Connect'. Enter the username of admin(*) with the servers admin password when asked, and you should get back the response 'Connected to Domain'.}}
  BaseURL http://ftp.sernet.de/pub/samba/3.5/centos/4 \
 
  EnableGroups yes \
 
  GPGCheck no \
 
  Name 'SerNet Samba Team packages (CentOS 4)' \
 
  Visible yes \
 
  status enabled
 
signal-event yum-modify
 
  
*Update SME Server - the new Samba packages will install automatically.
+
(*) Admin or any user in the 'Domain Admins' group can join the domain.
 +
<gallery>
 +
Image:W7-4.png
 +
 +
Image:W7-5.png
  
  yum update
+
Image:W7-6.png
  signal-event post-upgrade ; signal-event reboot
+
 
 +
Image:W7-8.png
 +
</gallery>
 +
{{Note box|You will receive one warning about DNS domain name configuration after the join has succeeded:
 +
 
 +
  "Changing the Primary Domain DNS name of this computer to "" failed.
 +
    The name will remain "MYDOM".  The error was:
 +
   
 +
    The specified domain either does not exist or could not be contacted"
 +
 
 +
But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by [http://support.microsoft.com/kb/2171571 Microsoft: KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain].}}
 +
 
 +
===Setting up network drives===
 +
In  order to have logon script working you must add the following Keys in registry
 +
 
 +
Windows Registry Editor Version 5.00
 +
 +
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
 +
"\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"
 +
 
 +
 
 +
If you are using SME Server as a domain controller and the workstations have joined the domain
 +
you can automate drive mapping and syncronise the PC time with the netlogon.bat file
 +
 
 +
Note: [[:SME_Server:Documentation:Administration_Manual:Chapter13#Workgroup |Chapter 13]] has a method for admin to edit the netlogon.bat file without using the command line. You can consider also the [[SME_Server:Documentation:Administration_Manual:Chapter7|chapter 7]] on Configuring the Computers on Your Network
 +
 
 +
nano -w /home/e-smith/files/samba/netlogon/netlogon.bat
 +
 
 +
REM To set the time when clients logon to the domain:
 +
net time \\servername /set /yes
 +
REM To map a home directory to drive h:
 +
net use h: /home /persistent:no
 +
net use j: \\servername\ibay1 /persistent:no
 +
net use p: \\servername\ibay2 /persistent:no
 +
if exist Z: net use Z: /del /yes
 +
 
 +
and reset file to dos format
 +
unix2dos /home/e-smith/files/samba/netlogon/netlogon.bat
 +
 
 +
===Slow login with win7 to sme8 domain===
 +
 
 +
With certain networks you may have an issue with a slow login to the SME Server domain due to a timeout issue on the network. In this case you should install a second patch (in first you have to install the win7samba.reg). The history of this patch can be found at [[bugzilla:7332]]
 +
 
 +
This is what you need to find in your server-ressources
 +
 
 +
cat /home/e-smith/files/server-resources/regedit/windows_samba_performance.reg
 +
 
 +
Windows Registry Editor Version 5.00
 +
 +
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
 +
  "SlowLinkDetectEnabled"=dword:00000000
 +
  "DeleteRoamingCache"=dword:00000001
 +
"WaitForNetwork"=dword:00000000
 +
"CompatibleRUPSecurity"=dword:00000001
 +
 
 +
 
 +
After this you follow the usual way to add the patch to your windows registery
 +
 
 +
*Save the registry patch ('''windows_samba_performance.reg''') from https://your-server-ip/server-resources/regedit/ with your favourite web browser
 +
*On your windows desktop, start "regedit" from the  start menu and import the windows_samba_performance.reg
 +
 
 +
==Adding Windows 7 Support to SME Server 7==
  
 
===Configuring Clients===
 
===Configuring Clients===
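Review bot: the HardenedPaths value added under "Setting up network drives" sets RequireMutualAuthentication=0, RequireIntegrity=0 and RequirePrivacy=0 for \\*\netlogon, which matches the netlogon share of any server rather than only the SME Server, and the new text does not tell the reader that it switches these client-side checks off for logon scripts. Suggest narrowing the path to the SME Server's own name instead of "*" and adding a note box that states the trade-off. In the same hunk, the heading reads "Join a Window 7 client" and the slow-login text has "server-ressources" and "registery"; these should read "Windows", "server-resources" and "registry".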
Line 39: Line 99:
  
 
{{Note box|You may see an error message when logging in for the first time. This appears to be a once off timeout issue which does not recur.}}
 
{{Note box|You may see an error message when logging in for the first time. This appears to be a once off timeout issue which does not recur.}}
 +
 +
Refer to [[bugzilla:5897]] and [[bugzilla:7002]] for details of following error
 +
{{Note box| You may see an error message "The specified domain either does not exist or could not be contacted." when logging in for the first time. This is a harmless message.  Windows 7 after it joins the domain tries to resolve its dns name (and assumes that the domain controller will setup a dns entry for its hostname.  See following for a MS hotfix [http://wiki.samba.org/index.php/Windows7]}}
  
 
===Roaming Profiles===
 
===Roaming Profiles===
Windows 7 clients require that a version 2 profile folder exist in the profiles$ share, which on SME Server is located in /home/e-smith/files/samba/profiles
+
Windows 7 clients require that a version 2 profile folder exist in the profiles$ share, which on SME Server is located in /home/e-smith/files/samba/profiles.
 
 
{{Note box|If you attempt to log in to a Windows 7 client with an account which does not yet have a corresponding .V2 profile folder, a temporary profile will be created. No settings will be saved to the server until the .V2 folder is created.}}
 
 
 
Any new users you add will automatically be given this additional folder, see [[bugzilla:5423|bug 5423]].
 
 
 
For existing users, you will need to add the folder manually:
 
 
 
cd /home/e-smith/files/samba/profiles
 
mkdir <myuser>.v2
 
chown -R <myuser>.<myuser> <myuser>.v2
 
chmod -R 700 <myuser>.v2
 
 
 
Replace <myuser> with each user account name in turn.
 
 
 
For the admin user only, the v2 profile folder is created automatically when logging in to a client machine. In this case, you should secure the folder to prevent unauthorised access by other users:
 
  
cd /home/e-smith/files/samba/profiles
+
This additional profile folder is automatically provisioned for existing users when the installing latest version of e-smith-samba (see [[bugzilla:5423|bug 5423]]). After this point, all new user accounts have the folder created as soon as they are added.
chown -R admin.admin admin.v2
 
chmod -R 700 admin.v2
 
  
==Source Code==
+
{{Note box|If version 2 profile folders are not available, Windows 7 will create a temporary profile when you log in. Should you experience this problem, make sure that your SME Server installation is fully up to date.}}
SerNet publishes the source code for their latest Samba build at http://ftp.sernet.de/pub/samba/3.5/src/rpm/
 
  
Code for older builds is also available at http://ftp.sernet.de/pub/samba/old/src/rpm/
+
Version 2 profiles are not compatible with Windows XP and earlier. If you have mixed environments you will be required to maintain two separate profiles for each user.
  
----
 
 
[[Category:Howto]]
 
[[Category:Howto]]
 
[[Category:Administration]]
 
[[Category:Administration]]
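Review bot: in the Roaming Profiles text, the new revision drops the chown and "chmod -R 700" steps for <myuser>.v2 and admin.v2 and relies on e-smith-samba provisioning the folders, but it does not say whether the provisioned folders get the same owner and mode, which the old text required for admin.v2 "to prevent unauthorised access by other users". Suggest stating the ownership and mode the package sets, or keeping a one-line check for them. The added sentence also reads "when the installing latest version" and should be "when installing the latest version".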

Latest revision as of 11:46, 2 December 2020

Skill level: medium
The instructions on this page require a basic knowledge of Linux.


Author

David Harper

Background

Support for Windows 7 ended on January 14, 2020. If you are still using Windows 7, your PC may become more vulnerable to security risks. The only Microsoft-supported Windows version now is Windows 10. We strongly recommend you do not use versions of Windows unsupported by Microsoft.

Windows 7 was released in October 2009. Due to changes in the way that trust relationships are established with domain controllers, some modifications to the Windows registry need to be made.

Join a Windows 7 client to SME Server 8 or 9

Previously you needed to edit your Windows 7 registry by hand to join an SME Server domain. This can now be achieved more easily by importing the win7samba.reg fix, transferred either on a USB key or over the network via HTTP.

  • Save the Windows 7 registry patch (win7samba.reg) from https://your-server-ip/server-resources/regedit/ with your favourite web browser.
  • On your Windows desktop, start "regedit" from the Start menu and import win7samba.reg.
  • Set your domain instead of your workgroup. Add the client machine to the domain as normal.
  • When asked on your Windows PC, use the 'admin' username and your SME Server admin's password.
  • You have to reboot your computer to reach the domain.


Tip:
To connect a Windows 7 client to your domain, go to the Start menu, right-click on Computer, select "Properties", select the link "Change settings", then click on the "Change" tab. Enter your server's "Domain" value in the domain field and 'Connect'. Enter the username admin(*) with the server's admin password when asked, and you should get back the response 'Connected to Domain'.


(*) Admin or any user in the 'Domain Admins' group can join the domain.

Note:
You will receive one warning about DNS domain name configuration after the join has succeeded:
  "Changing the Primary Domain DNS name of this computer to "" failed.
   The name will remain "MYDOM".  The error was:
   
   The specified domain either does not exist or could not be contacted" 

This error can safely be ignored or, if you run Windows 7, silenced by a hotfix published by Microsoft, KB2171571 (http://support.microsoft.com/kb/2171571): "You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain".


Setting up network drives

For the logon script to work, you must add the following key to the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"


If you are using SME Server as a domain controller and the workstations have joined the domain, you can automate drive mapping and synchronise the PC time with the netlogon.bat file.

Note: Chapter 13 has a method for admin to edit the netlogon.bat file without using the command line. See also Chapter 7, Configuring the Computers on Your Network.

nano -w /home/e-smith/files/samba/netlogon/netlogon.bat

REM To set the time when clients logon to the domain:
net time \\servername /set /yes
REM To map a home directory to drive h:
net use h: /home /persistent:no
net use j: \\servername\ibay1 /persistent:no
net use p: \\servername\ibay2 /persistent:no
if exist Z: net use Z: /del /yes

Then convert the file to DOS format:

unix2dos /home/e-smith/files/samba/netlogon/netlogon.bat
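
The HardenedPaths entry earlier in this section sets all three Require* flags to 0 for \\*\netlogon, which turns off the client's mutual authentication, integrity and privacy requirements for the netlogon share of any server name. As an added example (not part of the SME Server documentation or code), the shell function below lists such entries in a .reg file so you can review what a file does before importing it; it assumes ASCII or UTF-8 text, and the second sample entry with the placeholder "servername" is constructed.

```shell
# Added example, not SME Server code. Assumes an ASCII/UTF-8 .reg file.
audit_hardened_paths() {
    # Prints: value name (still .reg-escaped) <TAB> flags set to 0 <TAB> scope
    tr -d '\r' < "$1" | awk '
        { sub(/^[ \t]+/, "") }
        /^\[/ {   # section header: are we inside ...\NetworkProvider\HardenedPaths?
            in_hp = (tolower($0) ~ /\\networkprovider\\hardenedpaths\][ \t]*$/)
            next
        }
        in_hp && /^"/ {
            sep = index($0, "\"=\"")        # closing quote of the value name
            if (sep == 0) next
            name  = substr($0, 2, sep - 2)
            value = substr($0, sep + 3)
            sub(/"[ \t]*$/, "", value)
            gsub(/[ \t]/, "", value)
            off = ""
            n = split(value, kv, ",")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^Require(MutualAuthentication|Integrity|Privacy)=0$/) {
                    sub(/=0$/, "", kv[i])
                    off = (off == "" ? "" : off ",") kv[i]
                }
            if (off != "")
                printf "%s\t%s\t%s\n", name, off, (name ~ /\*/ ? "wildcard" : "scoped")
        }'
}

# Constructed sample: the entry from this page plus a made-up per-server entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0"
"\\\\servername\\netlogon"="RequireMutualAuthentication=0,RequireIntegrity=1,RequirePrivacy=0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"WaitForNetwork"=dword:00000000
EOF
audit_hardened_paths "$sample"
rm -f "$sample"
```

Each output line names one HardenedPaths value, the requirements it disables, and whether the path contains a wildcard.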

Slow login with win7 to sme8 domain

With certain networks you may have an issue with a slow login to the SME Server domain due to a timeout issue on the network. In this case you should install a second patch (you have to install win7samba.reg first). The history of this patch can be found at bugzilla:7332.

This is what you should find in your server-resources:

cat /home/e-smith/files/server-resources/regedit/windows_samba_performance.reg 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"SlowLinkDetectEnabled"=dword:00000000
"DeleteRoamingCache"=dword:00000001
"WaitForNetwork"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001


After this, add the patch to your Windows registry in the usual way:

  • Save the registry patch (windows_samba_performance.reg) from https://your-server-ip/server-resources/regedit/ with your favourite web browser.
  • On your Windows desktop, start "regedit" from the Start menu and import windows_samba_performance.reg.

Adding Windows 7 Support to SME Server 7

Configuring Clients


Note:
You may see an error message on join regarding primary DNS suffix. This doesn't seem to affect any actual functionality.


  • Log in as the 'admin' user for the first time.


Note:
You may see an error message when logging in for the first time. This appears to be a once off timeout issue which does not recur.


Refer to bugzilla:5897 and bugzilla:7002 for details of the following error:

Note:
You may see an error message "The specified domain either does not exist or could not be contacted." when logging in for the first time. This is a harmless message. After it joins the domain, Windows 7 tries to resolve its DNS name (and assumes that the domain controller will set up a DNS entry for its hostname). See the following for an MS hotfix: http://wiki.samba.org/index.php/Windows7


Roaming Profiles

Windows 7 clients require that a version 2 profile folder exist in the profiles$ share, which on SME Server is located in /home/e-smith/files/samba/profiles.

This additional profile folder is automatically provisioned for existing users when installing the latest version of e-smith-samba (see bug 5423). After this point, all new user accounts have the folder created as soon as they are added.


Note:
If version 2 profile folders are not available, Windows 7 will create a temporary profile when you log in. Should you experience this problem, make sure that your SME Server installation is fully up to date.


Version 2 profiles are not compatible with Windows XP and earlier. If you have mixed environments you will be required to maintain two separate profiles for each user.
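
To check which accounts would fall back to a temporary profile, and whether any version 2 folder is open to other users (the earlier revision of this page set these folders to mode 700), the following added example walks the profiles directory. It is not SME Server code; it assumes each account has a directory named after the user next to its .V2 (or .v2) folder, and the accounts in the demo tree are constructed.

```shell
# Added example, not SME Server code.
# Assumption: <profiles>/<user> exists for each account, beside <user>.V2 or <user>.v2.
audit_v2_profiles() {
    profiles=$1     # on SME Server: /home/e-smith/files/samba/profiles
    for dir in "$profiles"/*; do
        [ -d "$dir" ] || continue
        user=${dir##*/}
        case $user in *.[Vv]2) continue ;; esac   # skip the V2 folders themselves
        v2=
        for cand in "$profiles/$user.V2" "$profiles/$user.v2"; do
            if [ -d "$cand" ]; then v2=$cand; fi
        done
        if [ -z "$v2" ]; then
            echo "MISSING $user"                  # client would use a temporary profile
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$v2" | cut -c5-10)
        if [ "$perms" = "------" ]; then
            echo "OK $user"
        else
            echo "OPEN $user ($perms)"            # readable beyond the owner
        fi
    done
}

# Constructed demo tree: alice, bob and carol are made-up accounts.
demo=$(mktemp -d)
mkdir -p "$demo/alice" "$demo/alice.V2" "$demo/bob" "$demo/carol" "$demo/carol.v2"
chmod 700 "$demo/alice.V2"
chmod 755 "$demo/carol.v2"
audit_v2_profiles "$demo"
rm -rf "$demo"
```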