[KLUG Members] Samba and XP

Adam Tauno Williams members@kalamazoolinux.org
Tue, 25 Feb 2003 13:41:06 -0500


>>>>>>My issue is I can't get it to logon to the domain. My 2000 workstation
>>>>>>NT4 workstations work fine. I'm able to add the workstation to the
>>>>>>when I reboot and try to logon. It says the domain is unavailable. I'm
>>>>>>loss. Would a newer version of Samba help or does it currently only
>>>>>>2000  and below?
>>>> Did you deal with the sign-n-seal thing?
>>Not sure what you're talking about here. I did activate it with MS.
>No, that's different.  Sign and Seal is an encryption thing that XP
>requires by default, but current versions of Samba don't support
>properly.  You need to make a registry change on the XP box.  I just did
>the same thing on mine.  I don't remember the exact key, but it's not
>hard to find in the Samba.org site.

And now featured in the KLUG list archives! (see below)

From http://www.wlug.org.nz/RequireSignOrSeal -

Windows XP tries to sign or seal the secure channel between the workstation and
the domain controller. This causes the following error:

Windows cannot connect to the domain either because the domain controller is
down or otherwise unavailable or because your computer account was not found.

The domain controller may record:

Event ID: 5723

The session setup from the computer <Computername> failed to authenticate. The
name of the account referenced in the security database is <Computername>. The
following error occurred: Access is denied.

The client may record:

Event Source: NETLOGON Event ID: 3227 Description: The session setup to the
Windows NT or Windows 2000 domain controller \\<ServerName> for the domain
<DomainName> failed because \\<ServerName> does not support signing or sealing
the Netlogon session. Either upgrade the domain controller or set the
RequireSignOrSeal registry entry on this machine to 0.

Option 1: Manual registry editing

Start Regedit, navigate to:

 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters

and change

 "RequireSignOrSeal"=dword:00000001

to

 "RequireSignOrSeal"=dword:00000000

Option 2: The only way Microsoft advocate changing this setting

   1. Use Control Panel to open Local Security Policy in the Administrative Tools.
   2. Navigate to Local Policies / Security Options.
   3. Double-click Domain Member: Digitally encrypt or sign secure channel data
      (always).
   4. Press Disabled.
   5. Press Apply and OK.

Option 3: Registry file

Save the following text to requiresignorseal.reg and then right-click -> Merge

 REGEDIT4

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000

This file can be found in the docs/Registry directory of the Samba 2.2.2 source
distribution as WinXP_SignOrSeal.reg.
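
Because this change turns off the requirement that the Netlogon secure channel be signed or sealed, it helps to be able to find the machines that carry it once the domain controller has been upgraded. The following is an added example, not part of the original post or of the Samba distribution: a small Python parser for REGEDIT4-style text that reports the RequireSignOrSeal state. The function names and sample strings are assumptions made for this example; key and value names are compared case-insensitively, as the registry does, which is why the two spellings used above both match.

```python
import re

# Key path and value name as given in the post, lower-cased for comparison
# (registry key and value names are case-insensitive).
NETLOGON_KEY = r"hkey_local_machine\system\currentcontrolset\services\netlogon\parameters"
VALUE_NAME = "requiresignorseal"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def parse_reg_dwords(text):
    """Return {(key, value_name): int} for every dword in REGEDIT4-style text."""
    values, current_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or .reg comment
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and current_key is not None:
            values[(current_key, m.group("name").lower())] = int(m.group("hex"), 16)
    return values


def sign_or_seal_state(text):
    """Classify the text as 'required', 'disabled' or 'not-set'."""
    value = parse_reg_dwords(text).get((NETLOGON_KEY, VALUE_NAME))
    if value is None:
        return "not-set"
    return "disabled" if value == 0 else "required"


# Constructed samples: the Option 3 file, and the starting value from Option 1.
WORKAROUND = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters]
"requiresignorseal"=dword:00000000
"""
DEFAULT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetLogon\\Parameters]
"RequireSignOrSeal"=dword:00000001
"""

if __name__ == "__main__":
    for label, text in (("workaround", WORKAROUND), ("default", DEFAULT)):
        print(label, sign_or_seal_state(text))
```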