Bug 9866 - Windows Vista is not able to join to the domain if "samba4" is not provided as "auth method"
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.5
Hardware: All Windows Vista
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2013-05-07 11:31 UTC by José A. Calvo
Modified: 2013-05-07 19:10 UTC

Contents of /etc/samba/smb.conf (1.56 KB, application/octet-stream)
2013-05-07 11:31 UTC, José A. Calvo

Description José A. Calvo 2013-05-07 11:31:46 UTC
Created attachment 8862
Contents of /etc/samba/smb.conf

When using Samba 4.0.5 with s3fs, if I set for example "auth methods = guest sam_ignoredomain", Vista is not able to join the domain (it gives a "the parameter is not correct" error). With Windows 7 this works without problem.

The reason why I need to define the auth methods is because otherwise anonymous access to guest shares does not work, but that's probably a different issue and I will file a separate bug for that.

We have conducted additional investigations but we are unsure how
relevant they are and to which extent they would be helpful here.

For example, we have checked that Vista is trying to use the SMB2_02
protocol version while Windows 7 is using a higher version. Forcing the
protocol version to SMB2_02 with the max protocol parametric option in
smb.conf resulted in Windows 7 still being able to join, but still not Vista.

You can find attached my smb.conf file (it was autogenerated by Zentyal but I don't think that's relevant for this issue). I would be glad to help by providing any other info that you may need.
Comment 1 Andrew Bartlett 2013-05-07 19:10:00 UTC
The manpage indicates:

This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.

Do not set this option.

You should also not set 'server role check inhibit = yes', and refer to Zentyal for support if they insist on setting this option (yes, nmbd is not supported for use with the AD DC, no matter how much it might seem to work).
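
A configuration check for the two settings comment 1 says not to set, as an added example that is not part of the bug report or of Samba's code. The function names and the embedded smb.conf are constructed for illustration; it assumes the smb.conf(5) rules that parameter names ignore case and whitespace and that a trailing backslash continues a line.

```python
import re

# The two settings comment 1 says not to set, keyed by normalised name.
DISCOURAGED = {
    "authmethods": "developer option per the manpage; keep the default",
    "serverrolecheckinhibit": "must not be enabled on the AD DC",
}

# Constructed sample, not the attachment from this bug.
SAMPLE = """\
[global]
    server role = active directory domain controller
    Auth Methods = guest \\
        sam_ignoredomain
    serverrolecheckinhibit = yes
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def _logical_lines(text):
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no  # a joined line keeps its first line number
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def audit_smb_conf(text):
    """Return (line, section, parameter, value, reason) for each discouraged setting."""
    findings, section = [], None
    for no, line in _logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        name, sep, value = line.partition("=")
        key, value = _norm(name), " ".join(value.split())
        flagged = key == "authmethods" or value.lower() in ("yes", "true", "on", "1")
        if sep and key in DISCOURAGED and flagged:
            findings.append((no, section, name.strip(), value, DISCOURAGED[key]))
    return findings
```

Running `audit_smb_conf` over a generated configuration before deploying it catches both settings even when a management layer writes them with different spacing or capitalisation.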