[KLUG Members] Samba and XP
Adam Tauno Williams
members@kalamazoolinux.org
Tue, 25 Feb 2003 13:41:06 -0500
>>>>>>My issue is I can't get it to logon to the domain. My 2000 workstation
>>>>>>NT4 workstations work fine. I'm able to add the workstation to the
>>>>>>when I reboot and try to logon. It says the domain in unavailable. I'm
>>>>>>loss.Would a newer version of Samba help or does it currently only
>>>>>>2000 and below?
>>>> Did you deal with the sign-n-seal thing?
>>Not sure what you're talking about here. I did activate it with MS.
>No, that's different. Sign and Seal is an encryption thing that XP
>requires by default, but current versions of Samba don't support
>properly. You need to make a registry change on the XP box. I just did
>the same thing on mine. I don't remember the exact key, but it's not
>hard to find in the Samba.org site.
And now featured in the KLUG list archives! (see below)
>From http://www.wlug.org.nz/RequireSignOrSeal -
Windows XP tries to sign or seal the secure channel between the workstation and
the domain controller. This causes the following error:
Windows cannot connect to the domain either because the domain controller is
down or otherwise unavailable or because your computer account was not found.
The domain controller may record:
Event ID: 5723
The session setup from the computer <Computername> failed to authenticate. The
name of the account referenced in the security database is <Computername>. The
following error occurred: Access is denied.
The client may record:
Event Source: NETLOGON Event ID: 3227 Description: The session setup to the
Windows NT or Windows 2000 domain controller \\<ServerName> for the domain
<DomainName> failed because \\<ServerName> does not support signing or sealing
the Netlogon session. Either upgrade the domain controller or set the
RequireSignOrSeal registry entry on this machine to 0.
Option 1: Manual registry editing
Start Regedit, navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters
and change
"RequireSignOrSeal"=dword:00000001
to
"RequireSignOrSeal"=dword:00000000
Option 2: The only way Microsoft advocate changing this setting
1. Use Control Panel to open Local Security Policy in the Administrative Tools.
2. Navigate to Local Policies / Security Options.
3. Double-click Domain Member:Digitally encrypt or sign secure channel data
(always).
4. Press Disabled.
5. Press Apply and OK.
Option #3: registry file
Save the followig text to requiresignorseal.reg and then right click->Merge
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
This file can be found in the docs/Registry directory of the Samba 2.2.2 source
distribution as WinXP_SignOrSeal.reg.