Resolved
0 votes
Details:
ClearOS 7 Community
Windows 10 1903
Server -> Directory -> Directory Server

Mode: Standalone
Base domain: example.com (not actual domain)
Publish Policy: Local Network - Non-secure
Accounts Access: Anonymous

Server -> File -> Windows Networking

Server Name: adserver
Home Directories: Enabled
WINS Support: Enabled
Mode: Primary Domain Controller
Windows Domain: AD
Roaming Profiles: Enabled

Network -> Infrastructure -> DNS Server:

192.168.1.109 - example.com (same as base domain)
Also added an alias to "ad" as well.


When trying to add the domain, of all the names/server names/domain names/etc listed here, only "ad" brings up a login prompt. After typing in the credentials for the winadmin user, I get the error "That domain couldn't be found. Check the domain name and try again."

I did notice that winadmin wasn't part of the "domain_admins" group, so I tried adding it, to no avail.

I also can't seem to access flexshares (permission issue) by manually mapping network drives, but I can access the user's home directory by manual mapping. I assumed it is because the machine isn't domain joined. I do get read access to the flexshares if I enable "third party access" (read only).

Any advice for this?
Wednesday, August 21 2019, 03:48 PM
Responses (9)
  • Accepted Answer

    Thursday, August 22 2019, 01:14 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    I'm glad you got it working. I'll have to have another play and see what I can figure out with Win10 1903. I think all my machines are 1809.

    I do have AD working in ClearOS7 but it was a development setup. I wrote a howto here.

    I did see that later. Fortunately, the reason for the domain is pretty basic, and a lot of what full AD gives us would be wasted at the moment. It's more for me to manage user data and backups, and restricting access to some company files on a per-user basis. I'm working on having standard Windows images that I can reinstall in under an hour, so all data is going to be on my server. At the moment ClearOS is running as a VM in Proxmox, and it's quite stable.

    I do remember reading about Microsoft attempting to phase out NT4-style domain joining with future versions of Windows 10, so this may be that in action.
  • Accepted Answer

    Thursday, August 22 2019, 01:03 PM - #Permalink
    Resolved
    0 votes
    I'm glad you got it working. I'll have to have another play and see what I can figure out with Win10 1903. I think all my machines are 1809.

    I do have AD working in ClearOS7 but it was a development setup. I wrote a howto here.
  • Accepted Answer

    Thursday, August 22 2019, 12:56 PM - #Permalink
    Resolved
    0 votes
    Some progress! I installed 1809 on my test VM, and I did not get the logon error. It appears as if the error "We can't sign into your account" is exclusive to 1903. That being said, with an EOL of May 12, 2020, I can work with this. I don't know when ClearOS 8 is slated to be released, but I'm hoping it is before then so we can move to Active Directory.

    In other words: Do not use Windows 10 1903 with ClearOS 7.


    Thank you Nick for the help. I consider this a phenomenal first impression of ClearOS, and will absolutely push for paid subscription at our office. Thanks!
  • Accepted Answer

    Wednesday, August 21 2019, 08:42 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    You can keep going with this thread if you want.

    I am not hugely experienced with Domains but I did play around with them a while back. As far as I am aware, when you do a domain login on the PC you should not have to enter credentials again when mapping a drive. A couple of things come to mind. Are your users doing a domain logon to the PC or are they doing a local logon? You can force the domain logon initially by using domain/username for the username rather than just username at the login prompt. For the first logon it normally takes a little while to build a profile. The other thing which comes to mind is do you have any stored credentials in the Credentials Manager, as I think these take precedence over a username/password. I don't use a domain and use the Credentials Manager to store the passwords which get used for mapping drives.

    The machine error when joining a domain is quite common. I've no idea why it happens, but a second join then works, as you've found out.

    I exclusively have an account I named "Local Admin" to be just that, the local admin account. This is a fresh Windows 10 virtual machine I'm using to test the domain before I image all existing computers and join them to the domain. It practically has nothing changed on it. I currently don't have any issues with having to map the drives "again". I'll eventually have a proper logon script that will map the network drives accordingly.

    My issue at the moment is the "We can't sign into your account" pop-up box that appears immediately at logon of a domain user. I'll play around with it a bit and see if I can find a solution.
  • Accepted Answer

    Wednesday, August 21 2019, 08:12 PM - #Permalink
    Resolved
    1 votes
    You can keep going with this thread if you want.

    I am not hugely experienced with Domains but I did play around with them a while back. As far as I am aware, when you do a domain login on the PC you should not have to enter credentials again when mapping a drive. A couple of things come to mind. Are your users doing a domain logon to the PC or are they doing a local logon? You can force the domain logon initially by using domain/username for the username rather than just username at the login prompt. For the first logon it normally takes a little while to build a profile. The other thing which comes to mind is do you have any stored credentials in the Credentials Manager, as I think these take precedence over a username/password. I don't use a domain and use the Credentials Manager to store the passwords which get used for mapping drives.

    The machine error when joining a domain is quite common. I've no idea why it happens, but a second join then works, as you've found out.
  • Accepted Answer

    Wednesday, August 21 2019, 07:47 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Alex Botelho wrote:
    With ClearOS7 up to date, including samba-4.7.1, there is no need to enable what was formerly named “Windows 10 Domain Logons” and is now named “Force SMB1 Protocol” if enabled. If disabled, the parameter won't show. Then you won't need to enable SMB1.0 in your Windows 10 clients.

    Can you clarify what this means in the documentation? I do not see a "Windows 10 Domain Logons" option in Windows Networking (SAMBA) section. Do I even need to bother with that?

    I'll have to try and clarify that in the documentation. There used to be a parameter "Windows 10 Domain Logons" which was renamed to “Force SMB1 Protocol”. Prior to samba 4.7.1 you had to enable this to allow Win10 machines to join a samba domain, so many people had it enabled. It was no longer necessary from samba 4.7.1 and enabling it forced the SMB1 protocol which gave other issues with Win10 >= 1709 so it is preffed off by default on a new installation. It, therefore, does not appear in the webconfig. You do not want it or need it. Clear as mud?

    Makes perfect sense.

    I have the registry modifications in place, and I was able to join the domain correctly using a test Windows 10 machine. It initially claimed there was no "computer account" in the directory, but it did appear server-side, and when I re-joined the machine it joined without error.

    But now I get the error "We can't sign into your account" when logging in with any of the domain users. I will try a few things, but should I create a separate post for that?
  • Accepted Answer

    Wednesday, August 21 2019, 06:32 PM - #Permalink
    Resolved
    1 votes
    Alex Botelho wrote:
    With ClearOS7 up to date, including samba-4.7.1, there is no need to enable what was formerly named “Windows 10 Domain Logons” and is now named “Force SMB1 Protocol” if enabled. If disabled, the parameter won't show. Then you won't need to enable SMB1.0 in your Windows 10 clients.

    Can you clarify what this means in the documentation? I do not see a "Windows 10 Domain Logons" option in Windows Networking (SAMBA) section. Do I even need to bother with that?

    I'll have to try and clarify that in the documentation. There used to be a parameter "Windows 10 Domain Logons" which was renamed to “Force SMB1 Protocol”. Prior to samba 4.7.1 you had to enable this to allow Win10 machines to join a samba domain, so many people had it enabled. It was no longer necessary from samba 4.7.1 and enabling it forced the SMB1 protocol which gave other issues with Win10 >= 1709 so it is preffed off by default on a new installation. It, therefore, does not appear in the webconfig. You do not want it or need it. Clear as mud?
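Added example, not part of the thread and not ClearOS code: a small audit of an smb.conf `[global]` section for the condition the reply above describes, a server pinned to SMB1. The thread does not say which smb.conf parameter the "Force SMB1 Protocol" option writes; this sketch assumes Samba's standard `server max protocol` / `server min protocol` parameters and their synonyms, and the sample configs are constructed.

```python
import re

# Protocol levels that belong to the SMB1 family in smb.conf.
SMB1_FAMILY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# smb.conf synonyms, keyed by normalized name (lowercase, no whitespace).
SYNONYMS = {"maxprotocol": "servermaxprotocol", "protocol": "servermaxprotocol",
            "minprotocol": "serverminprotocol"}

def global_params(conf_text):
    """Return {normalized name: value} for the [global] section."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            key = re.sub(r"\s+", "", name).lower()
            params[SYNONYMS.get(key, key)] = value.strip()
    return params

def audit_smb1(conf_text):
    """capped_at_smb1: the max protocol pins the server to SMB1.
    min_allows_smb1: True/False, or None when unset (build default applies)."""
    p = global_params(conf_text)
    max_p = p.get("servermaxprotocol", "").upper()
    min_p = p.get("serverminprotocol", "").upper()
    return {"capped_at_smb1": max_p in SMB1_FAMILY,
            "min_allows_smb1": (min_p in SMB1_FAMILY) if min_p else None}

# Constructed sample configs (not taken from the thread).
FORCED = "[global]\n   workgroup = AD\n   domain logons = Yes\n   Max Protocol = NT1\n"
CLEAN = "[global]\nworkgroup = AD\n; max protocol = NT1\nserver min protocol = SMB2\n"

if __name__ == "__main__":
    for name, conf in (("FORCED", FORCED), ("CLEAN", CLEAN)):
        print(name, audit_smb1(conf))
```

A `None` for `min_allows_smb1` means the file leaves the minimum to the Samba build's default; `testparm -s -v` prints the effective values, defaults included.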
  • Accepted Answer

    Wednesday, August 21 2019, 06:14 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    There should be no need to publish any Directory Server policies, so I suggest you remove that.

    In the "Windows Networking (Samba)" app, please click on the documentation icon (the slanted book at the top right) and note some of the links, particularly the one at the bottom about adding a Windows machine to a Domain. There are a couple of registry changes needed before you can join a Windows PC to an NT4-style domain.

    In this example your Domain will be AD but you can use anything up to 16 characters. This is not an Active Directory domain so you don't use an FQDN.

    Ah! I think I had misread that sub-heading and thought it referred to Windows 7 only. Makes perfect sense now.

    With ClearOS7 up to date, including samba-4.7.1, there is no need to enable what was formerly named “Windows 10 Domain Logons” and is now named “Force SMB1 Protocol” if enabled. If disabled, the parameter won't show. Then you won't need to enable SMB1.0 in your Windows 10 clients.

    Can you clarify what this means in the documentation? I do not see a "Windows 10 Domain Logons" option in Windows Networking (SAMBA) section. Do I even need to bother with that?
  • Accepted Answer

    Wednesday, August 21 2019, 04:41 PM - #Permalink
    Resolved
    1 votes
    There should be no need to publish any Directory Server policies, so I suggest you remove that.

    In the "Windows Networking (Samba)" app, please click on the documentation icon (the slanted book at the top right) and note some of the links, particularly the one at the bottom about adding a Windows machine to a Domain. There are a couple of registry changes needed before you can join a Windows PC to an NT4-style domain.

    In this example your Domain will be AD but you can use anything up to 16 characters. This is not an Active Directory domain so you don't use an FQDN.