Windows Networking (Samba)
Your ClearOS system provides network and file serving capabilities for a Windows network. Among other tasks, you can use the software for domain control, file storage and sharing printers.
If you did not select this module to be included during the installation process, you must first install the module.
You can find this feature in the menu system at the following location:
Server|Windows Networking|Windows Settings
This is a one-word descriptive name of the system, for example: clearserver
This is a short description of the server. When connecting to this system, this short description might be shown to guide end users on the purpose of the system. An example: File and Print Server for Toronto
This option only appears if you have installed the Advanced Print Server.
If you have a printer attached to your ClearOS system, you can share it via Windows networking. There are two supported modes:
Select if you want to enable user's Home directories. This is their own private file space kept on the the server.
Force SMB1 Protocol (was Windows 10 Domain Logons)
This limits Samba to using the SMB1/NT1 protocol. It used to be required to allow Windows 10 machines to log on to the domain but is no longer required since samba was upgraded to version 4.7.1. If you have the parameter set, then, since the Windows 10 1709 update, you will have to enable SMB1 in Windows. Once you disable this parameter, it will disappear from the Webconfig.
Using SMB1 is now considered a security vulnerability and was leveraged by the WannaCry ransomeware (and its variants)
You can now stop samba from using SMB1 by adding a line to /etc/samba/smb.conf:
server min protocol = SMB2
Only Windows XP or earlier requires you to use SMB1.
Since the Fall Creators Update (1709), Windows 10 is no longer shipping with the SMB1.0 protocol enabled. Without SMB1.0 support in Windows and with “Force SMB1 Protocol” enabled you will not be able to join a ClearOS Domain or share files in Simple File Sharing mode with Windows 10. Please disable this setting or see the Tips and Tricks
section below for the fix
If you really want to force SMB1 after it has disappeared from the Webconfig, you can add the following line to the [Global] section of /etc/samba/smb.conf:
server max protocol = NT1
WINS Support / WINS Server
Even for small networks, we recommend using WINS for your Windows networks. Among other things, this helps Windows systems find each other using system names (for example, browsing through the old Network Neighborhood). You can either enable the WINS server on your ClearOS system, or you can specify an IP address of an existing WINS server on the network. Don't try and set both. It is one or the other or neither.
ClearOS supports two modes for your network. Simple Mode and Primary Domain Controller / PDC mode.
This mode should be used for creating a basic file and print server. Features such as network logons, logon scripts, and roaming profiles are disabled. In order to access file shares, a client system can connect to the ClearOS system using standard file manager tools.
Windows Domain - the Workgroup name used in Windows
Primary Domain Controller / PDC
When configured as a primary domain controller, the following parameters must be specified:
Windows Domain - the domain name, for example: Toronto, when in PDC mode.
Roaming Profiles - the state of roaming profile support for all users.
Logon Drive - the drive letter used for the user's network drive on the ClearOS system. This drive maps to the /home/username directory on the ClearOS file system.
Logon Script - the script to execute when a user logs into the domain. You can upload this script to the netlogon directory by logging into your Windows workstation as the Windows administrator (winadmin) and connecting to your ClearOS netlogon share (Start » Run » \\servername\netlogon). Alternatively you can find it in /var/samba/netlogon.
The winadmin account is used for the Windows domain administrator. Among other things, this account is used to add computers to the ClearOS domain. Follow the link to change the password for this account.
Shows all the members of the domain. In Simple Server mode it just shows the server; in PDC mode it shows all domain members. Domain member computers can be removed from here.
Do not delete the ClearOS server from this section
If you do delete the server from the domain, it can be re-added by changing its password!
Tips and Tricks
Windows 7 and later Registry Changes
Just after you have joined the Windows 7 system to the domain, you will see the following warning message:
Changing the Primary Domain DNS name of this computer to "" failed.
The name will remain "MYDOM". The error was:
The specified domain either does not exist or could not be contacted
You can ignore this message. Also note: there is a hotfix available from Microsoft to address this issue, see Knowledge Base article for details.
Windows 10 - Enabling the SMB1 protocol
Windows 10, since the Fall Creators Update (1709), is no longer shipping with SMB 1.0 support enabled. This means that if you have enabled “Force SMB1 Protocol”, Windows 10 machines can no longer access Windows Networking (Samba) Domains or Flexshares. If you try to join a ClearOS Domain you may get the following popup:
Please do not enable SMB1.0 in Windows 10 if you can avoid it. By preference, please disable “Force SMB1 Protocol” in Windows Networking.
If you still want to enable SMB1.0 in Windows 10, the link takes you to this Microsoft document. To enable SMB1.0 support see this Microsoft document or just go Control Panel > Programs and Features > “Turn Windows Features on and off” then scroll down to SMB 1.0/CIFS File Sharing Support and enable it. You will need to reboot afterwards. There is also a PowerShell method in the document.
Apple MAC - connecting network drives
Open Finder then hit command+k to access the 'Connect to Server' dialog box. In the field, type something like
replacing the IP address used with the one of your LAN interface IP of your ClearOS server if using Gateway Mode or your External interface IP if using 'Standalone' mode. It will give you a dialog for username and password, supply that and it will give you a list of shares, you can select multiple shares.
In order to initialise, if ClearOS is in Gateway mode, at least one LAN interface has to be connected (even if only to a switch) or it will get stuck in a loop. This can be avoided either by connecting something active (not just a cable) to the LAN interface or putting ClearOS temporarily into Standalone mode, initialising then putting it back into Gateway mode.
Due to a feature in Microsoft networking, you may not see the ClearOS system in Network Neighborhood right away; sometimes it takes several minutes to appear.
Make sure the PC's workgroup and ClearOS workgroup match and the ClearOS DHCP server is configured to hand out its LAN IP as the WINS Server.
You can directly access the share by typing in the UNC path for the server in the Run section of your workstation.
Another good tool for troubleshooting problems in Windows is nbtstat. This tool will allow you to look and validate the name of your server and the domain as it appears to the network. If your server's address is 192.168.1.1 you could do the following:
nbtstat -A 192.168.1.1
If you are using Windows 10 version 1803 or later, check out the Browsing the Network Neighbourhood section of this forum post
Logon Script not working
If your logon script does not work, please check that it is owned by winadmin:domain_users and has 755 permissions:
chown winadmin:domain_users /var/samba/netlogon/logon.cmd
chmod 755 /var/samba/netlogon/logon.cmd
Was the logon.cmd file created with a Windows editor so it contains the correct line termination characters ()?
Did you do the required registry changes before joining the domain? If not, leave the domain, do the registry changes and rejoin the domain. Just doing them as the winadmin user while joined to the domain will not work.