M$ have done a lot of changes to WIn10 over the last year and a half which have caused problems. It may be that there are other registry settings you need to get things going. As an example now, login scripts don't work any more in Win10 unless you make some more registry changes; old style workgroup sharing has now been stopped, but can be re-enabled etc.

Thanks for having a look. Without the software there is little more I can do to investigate.

Thank you for your continued help Nick.
I did some further testing using your suggestions, and although the problem persists, I think I narrowed it down.

First, I built a new ClearOS 7.6.0 server to test along with two virtual machines that have clean installs of Windows 7 SP1 and Windows 10 version 1809. Next, I installed Google Chrome on both of the VMs because of all the issues we've encountered this seems to be the easiest to observe. Then, I created a domain using the Windows Networking (Samba) app version 3.5.2 and joined both VMs by adding the two registry keys 'DomainCompatibilityMode' and 'DNSNameResolutionRequired'. Finally, I logged into both VMs once using a local account, and once using a domain account. On the Windows 7 PC there were no problems, but on the Windows 10 PC Google Chrome failed to synchronize only when logged into the domain account; on the local account it works fine.

I repeated the above procedure:
Without the PDC online, logging in by using cached credentials: same result. And forcing SMB 1 to be used on the server and on the Windows 10 machine (before and after joining the domain): same result. Each time I reset the VMs to a clean state using Hyper-V checkpoints

I also created a Windows NT 4.0 Enterprise Server VM to see if the problem was specific to ClearOS/Samba, but I was unable to join my two test VMs to the NT4 domain. I may revisit that later, but I don't think its a good use of time right now.

From these tests I think it's safe to say that the combination of the non-active directory domain and Windows 10 somehow taints domain user accounts when they are created on the client machine by logging in for the first time. The SMB protocol version is not a factor, nor is the version of ClearOS.

Is that a ClearOS6 config? Either that or it is on a VM of sorts if it is ClearOS7. I can't remember the reason why it is there, but can you try commenting out:

smb ports = 139

When connecting a Win10 machine to ClearOS6, have you enabled SMB1 in Win10? I guess you must have or you would not be able to join the ClearOS6 domain.

In ClearOS7, if it is an older installation, have you disabled the "Force SMB1 protocol"? It used to be called "Windows 10 Domain Logons" and it used to restrict Samba to SMB1 but is no longer required and allows WIn10 to use SMB3. Once disabled, it will disappear from the webconfig.

It would surprise me if it helps but you can try to restrict ClearOS7 to SMB1 by adding

server max protocol = NT1

to the ClearOS smb.conf. You could always try it.

Nick Howitt wrote:

A couple of thoughts:
1 - Spin up a ClearOS 7 server because of its enhanced SMB support and try replacing a 6.9 server with it. Have a look at this which allows you to carry your users over from 6 to 7.
2 - You could try enabling SMB1 in Windows 10. Links on how to are in the first post of this thread. Ultimately this is not a viable long term solution as M$ have been wanting to remove SMB1 support for years for good reasons and it **may** get fully removed in a future update. They really messed up SMB1 filesharing for a few months last year in their updates and were not interested in fixing it speedily. Vulnerabilities in the protocol were leveraged by the WannaCry ransomware.

So we had a ClearOS 7 server handy (Samba Version 4.8.3). We removed a existing Windows 10 machine from the ClearOS 6.9 domain and added it to the ClearOS 7 domain, and the same issues still occur:
1) AMS360 - a insurance management website, that requires a local web-client installation does not see the web-client configured. The website gives suggestions to the issue including: a) The AMS360 setup information (registry information and/or registry and file permissions) may have been modified externally, b) Local or Domain level security policies are restricting access to registry or file locations that are necessary for validation, and c) There may be problems with the AMS360 servers that are preventing a successful validation.
2) Adobe Acrobat DC: The program is still virtually unusable. Slowness, freezing, and crashing. I was having trouble installing the software, and I had to login as a local profile to install the software.
3) Google Chrome sync: On a domain account, Google Chrome will not stay signed-in with a Google account (requires the user to sign back in once every 10-15 minutes). On a local account, the account stays signed in.

Because this machine was already joined to a ClearOS 6.9 domain, we will continue testing by joining a fresh Windows 10 computer to the ClearOS 7 domain and testing these issues again.

Nick Howitt wrote:

First, let me say I don't know the products AMS360 or Adobe Acrobat DC Pro or their requirements, or even the relationship with ClearOS.

One of the big change in Win10 is dropping SMB1 support and a big change from ClearOS6.x/Samba to ClearOS7.x/Samba is the inclusion of SMB2 and SMB3 support (without dropping SMB1 unless you specifically turn it off and there is no webconfig option for that; it is command line only).

Are you using ClearOS as a PDC or is it joined to a domain using the AD Connector?

What are the two programs doing with ClearOS? Is there some sort of shared file space or database?

Do you remember if you made any tweaks on ClearOS6 to get these programs to work? Perhaps give the output to "testparm -s" for both systems.

Thanks for the input Nick, Here is the output for testparm -s:

[root@<hostname> ~]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[files]"
Processing section "[qbdata]"
Processing section "[financial]"
Processing section "[homes]"
Processing section "[printers]"
NOTE: Service printers is flagged unavailable.
Processing section "[print$]"
NOTE: Service print$ is flagged unavailable.
Processing section "[netlogon]"
Processing section "[profiles]"
NOTE: Service profiles is flagged unavailable.
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_PDC
[global]
workgroup = NETRAFFIC
server string = NETC File Server
interfaces = lo, eth1
passdb backend = ldapsam:ldap://127.0.0.1
guest account = guest
passwd program = /usr/sbin/userpasswd %u
passwd chat = *password:* %n\n *password:* %n\n *successfully.*
passwd chat timeout = 10
username map = /etc/samba/smbusers
unix password sync = Yes
syslog = 0
log file = /var/log/samba/%L-%m
max log size = 0
smb ports = 139
client signing = required
printcap name = /etc/printcap
add machine script = /usr/sbin/samba-add-machine "%u"
logon script = logon.cmd
logon path =
logon drive = U:
logon home = \\%L\%U
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=manager,ou=Internal,dc=netraffic,dc=net
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap suffix = dc=netraffic,dc=net
ldap ssl = no
ldap connection timeout = 8
ldap user suffix = ou=Users,ou=Accounts
utmp = Yes
template homedir = /home/%U
template shell = /sbin/nologin
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=netraffic,dc=net
idmap config * : ldap_base_dn = ou=Idmap,dc=netraffic,dc=net
idmap config * : ldap_url = ldap://127.0.0.1
idmap config * : range = 20000000-29999999
idmap config * : backend = ldap

[files]
comment = Shared Files
path = /var/flexshare/shares/files
valid users = @%D\allusers, @allusers
read only = No
create mask = 0664
directory mask = 0775
veto files = /.flexshare*/

[qbdata]
comment = QuickBooks Data
path = /var/flexshare/shares/qbdata
valid users = @%D\accounting, @accounting
read only = No
create mask = 0664
directory mask = 0775
veto files = /.flexshare*/

[financial]
comment = Financial
path = /var/flexshare/shares/financial
valid users = @%D\accounting, @accounting
read only = No
create mask = 0664
directory mask = 0775
veto files = /.flexshare*/

[homes]
comment = Home Directories
path = /home/%U
valid users = %D\%S, %D+%S, %S
read only = No
browseable = No

[printers]
comment = Print Spool
path = /var/spool/samba
read only = No
printable = Yes
print ok = Yes
cups options = raw
use client driver = Yes
browseable = No
available = No

[print$]
comment = Printer Drivers
path = /var/samba/drivers
read only = No
browseable = No
available = No

[netlogon]
comment = Network Logon Service
path = /var/samba/netlogon
read only = No
browseable = No
locking = No

[profiles]
comment = Profile Share
path = /var/samba/profiles
force group = domain_users
read only = No
force directory mode = 02775
force directory security mode = 02775
profile acls = Yes
browseable = No
available = No

This post caught my eye..... we have had similar experiences on several COS6 sites when installing the latest version of Sage Accounting and Payroll applications. They'll install fine on Windows 7 clients, however on Windows 10, at the end of the install they're unable to communicate with Sage's licensing/activation server and run in trial mode. Like Jeff, the workaround we discovered was to login with a local admin non domain account to activate the product, after which the application worked fine with any domain user account. I should add that the domain user accounts all had full local admin rights.

Installing the same Sage products on a COS7 site with Windows 10 clients, we did not have this problem. At all our sites COS is the PDC.

Sorry not to be able to add any real technical input to this, other than like Nick said, COS7 may well resolve this for you, as indicated by our experiences with Sage.


Cheers....... Andy

A couple of thoughts:
1 - Spin up a ClearOS 7 server because of its enhanced SMB support and try replacing a 6.9 server with it. Have a look at this which allows you to carry your users over from 6 to 7.
2 - You could try enabling SMB1 in Windows 10. Links on how to are in the first post of this thread. Ultimately this is not a viable long term solution as M$ have been wanting to remove SMB1 support for years for good reasons and it **may** get fully removed in a future update. They really messed up SMB1 filesharing for a few months last year in their updates and were not interested in fixing it speedily. Vulnerabilities in the protocol were leveraged by the WannaCry ransomware.

First, let me say I don't know the products AMS360 or Adobe Acrobat DC Pro or their requirements, or even the relationship with ClearOS.

One of the big change in Win10 is dropping SMB1 support and a big change from ClearOS6.x/Samba to ClearOS7.x/Samba is the inclusion of SMB2 and SMB3 support (without dropping SMB1 unless you specifically turn it off and there is no webconfig option for that; it is command line only).

Are you using ClearOS as a PDC or is it joined to a domain using the AD Connector?

What are the two programs doing with ClearOS? Is there some sort of shared file space or database?

Do you remember if you made any tweaks on ClearOS6 to get these programs to work? Perhaps give the output to "testparm -s" for both systems.