
Bind Windows 7 to Snow Leopard Server

I tried binding a Windows 7 (beta) machine to our Snow Leopard PDC/BDC domain after making two changes to the security policy that Apple suggested (http://support.apple.com/kb/HT3742) and to the local policy: Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients (and servers) to no minimum (disabled 128-bit).

Still I get "no logon servers", yet XP and Vista machines (last I checked) bind just fine.

Any ideas? Any hints on troubleshooting tools on the Windows 7 machine that might indicate where the disconnect is would be great.

XSERVE, Mac OS X (10.6.1), OD/SMB/Win2k/XP

Posted on Oct 16, 2009 6:30 AM

53 replies

May 22, 2010 7:31 PM in response to bpeacock22

Well, we ended up deciding to not add the machines to the domain. Not like we could anyway. :P We've just mapped all the network drives where files are shared and will leave it at that until there's a fix.

But seriously, I tried everything in that Map Mode and could not get it to work. Frustrating morning. I make no excuses, however, for not being aware of this issue before upgrading.

May 26, 2010 9:04 AM in response to bpeacock22

I believe I made the Windows 7 registry changes described on the Samba Wiki (http://wiki.samba.org/index.php/Windows7) before installing pGina, but I'm not certain if they are actually required.

You'll need to enter an IP address for your LDAP server. I didn't have to enter an admin user name or password for my Open Directory configuration, but you may have to depending on how you have the software configured.

There should not be a user name after the "uid=" in the PrePend field. When you try to log on to the PC with your username (e.g. bpeacock22, charman), pGina will prepend "uid=" to your username and then append the contents of the Append field. The user string passed to the LDAP server will look something like "uid=bpeacock2,cn=users,dc=mydomain,dc=com".

To verify that you are using the correct values for Prepend and Append, you could try downloading LDAPManager (http://ldapmanager.sourceforge.net/), enter the information for your LDAP server in the "Server Name or IP Address" field, and then click the "Fetch Search Base" button. Pressing this button should cause the "Search Base:" text box to be filled with a string of "cn=X,cn=Y" values. Your Append string should be "cn=users,(STRING FROM_SEARCHBASE)". Once the search base has been fetched, click the Connect button to browse the LDAP directory. Check to see if you can browse to the LDAP entry for 'cn=users'/'uid=bpeacock2'. If 'cn=users' isn't at the root of your LDAP tree, you'll need to modify the contents of your Append field appropriately.

I've only used pGina to connect a single PC running the 32-bit version of Windows 7 to my Leopard server. I have not tested my instructions in any other environments. My understanding from another user is that there is currently no 64-bit version of pGina's LDAP plugin.
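The Prepend/Append composition charman describes above, written out as an added example (this is not code from the thread or from pGina). It builds the bind DN as "uid=" + username + "," + Append and adds two checks the post implies but does not spell out: that the Append string is "cn=users," followed by the search base LDAPManager fetched, and that RDN special characters in the typed username are escaped per RFC 4514, so a name such as "bob,cn=admins" cannot rewrite the DN. Whether pGina itself escapes is not stated in the thread; the escaping here is an assumption added for safety, and all domain values are constructed.

```python
"""Compose and sanity-check the DN that a pGina-style LDAP plugin submits.

Added example, not pGina's code. Domain values are constructed.
"""


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4).

    Backslash, comma, plus, double quote, angle brackets, semicolon and
    equals are always escaped; '#' and space are escaped when leading and
    space when trailing; NUL becomes \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch in "# " and i == 0) or (ch == " " and i == last):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username, prepend="uid=", append="cn=users,dc=mydomain,dc=com"):
    """Prepend + username + "," + Append, as the post describes.

    The username is escaped first; that step is an added check, not
    something the post says pGina does.
    """
    return prepend + escape_rdn_value(username) + "," + append


def _normalize_dn(dn):
    """Lower-case and strip whitespace around each RDN for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def append_matches_search_base(append, search_base):
    """True when Append is exactly "cn=users," followed by the fetched search
    base, which is the layout the post expects; a tree where cn=users is
    not at the root needs a different Append and will fail this check."""
    return _normalize_dn(append) == "cn=users," + _normalize_dn(search_base)


if __name__ == "__main__":
    # Constructed values standing in for the LDAPManager "Search Base" result.
    fetched_base = "dc=mydomain,dc=com"
    append = "cn=users," + fetched_base
    print("Append ok:", append_matches_search_base(append, fetched_base))
    for user in ("bpeacock2", "charman", "bob,cn=admins"):
        print(user, "->", build_bind_dn(user, append=append))
```

Run it as a script to see the DN for a normal user beside the DN for a username containing RDN separators; the escaped form keeps the extra "cn=admins" inside the uid value instead of turning it into a second RDN.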

May 29, 2010 1:32 AM in response to ndangelo

Windows 7 Professional bind to OS X Server (Tiger)
A few registry adjustments worked for me
(save the following in a text file with a '.reg' extension and just double-click the file):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000
"RequireStrongKey"=dword:00000000

Jun 3, 2010 8:44 AM in response to ndangelo

Authenticating via LDAP works nicely. Has anyone been able to allow users to change their passwords? For instance, I would usually set up a Windows account on the Leopard Server with the password set to be changed on next login. However, with this LDAP method of logging in, the user would get an error when trying to change their password.

Jul 23, 2010 12:40 PM in response to ndangelo

After a lot of trial and error, I started to get the feeling from back in the early '90s where we had to do a lot of tricks just to open a Windows file. But... I finally got my Windows 7 Pro clients to work and behave nicely with the Mac OS X 10.5.8 server.
This is how I did it.

*I changed the registry with the info from here:*
http://wiki.samba.org/index.php/Windows7

*then I changed the 2 things in Security Policy:*
1 Network security: LAN Manager authentication level - Send LM & NTLM - use NTLMv2 session security if negotiated
2 Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients - to no minimum (disabled 128-bit).
(you find those under Local Policies - Security Options)

*then install pGina with the info from charman:*
http://discussions.apple.com/thread.jspa?threadID=2200942&start=15&tstart=0
with a few changes!
download pGina
download the plugin
install pGina (and now you find a change)
you can't configure it anymore from the start menu without changing owner rights etc. So don't configure
it. Just copy/paste the plugin into the plugin folder and do the rest of the config from regedit
(btw if you want to try things out first in VMware, the plugin gives an error; I didn't want to waste too much time figuring out a solution so did it all on a trial client. Just watch out for the default setting in pGina that deletes your current local profile)

And now, ONLY NOW, put your Windows 7 client into your domain.
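The registry changes in the .reg file posted earlier in the thread and the two Security Options changed in this post all relax Windows 7's domain and NTLM defaults. As an added example (not code from the thread, Samba or pGina), here is a small auditor that parses a .reg export in the "Windows Registry Editor Version 5.00" format and reports which of those settings a file would set to the weak value, so an administrator can see exactly what a machine joined this way has given up. LmCompatibilityLevel and NtlmMinClientSec are the registry values behind the two secpol.msc policies named in the post; SAMPLE_REG is constructed for the demonstration and is not the file from the thread.

```python
"""Audit a Windows .reg export for the domain/NTLM settings this thread relaxes.

Added example, not code from the thread, Samba or pGina. Assumes a file in the
"Windows Registry Editor Version 5.00" export format; SAMPLE_REG is constructed.
"""
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters"

# (key, value name) -> (predicate true for the weak value, what the weak value means).
# The LanmanWorkstation/Netlogon entries come from the .reg file posted in the thread;
# the two Lsa entries back the "Security Options" policies changed in secpol.msc.
WEAK_SETTINGS = {
    (LANMAN, "DomainCompatibilityMode"): (
        lambda v: v == 1, "NT4-style (pre-Active Directory) domain join enabled"),
    (LANMAN, "DNSNameResolutionRequired"): (
        lambda v: v == 0, "domain controller may be located by NetBIOS name instead of DNS"),
    (NETLOGON, "RequireSignOrSeal"): (
        lambda v: v == 0, "Netlogon secure channel no longer requires signing or sealing"),
    (NETLOGON, "RequireStrongKey"): (
        lambda v: v == 0, "Netlogon secure channel accepts a weak (non-128-bit) session key"),
    (LSA, "LmCompatibilityLevel"): (
        lambda v: v < 3, "client sends LM/NTLMv1 responses (level 3 and above send NTLMv2 only)"),
    (LSA + r"\MSV1_0", "NtlmMinClientSec"): (
        lambda v: (v & 0x20000000) == 0, "NTLM SSP clients no longer require 128-bit encryption"),
}

# Constructed sample: the posted values plus the registry form of the two policy changes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000
"RequireStrongKey"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00000000
"""


def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}: dword values become ints,
    quoted strings lose their quotes, anything else is kept as raw text."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        pair = re.match(r'^"([^"]+)"=(.+)$', line)
        if pair and current is not None:
            name, value = pair.group(1), pair.group(2)
            if value.lower().startswith("dword:"):
                result[current][name] = int(value[6:], 16)
            elif len(value) >= 2 and value[0] == value[-1] == '"':
                result[current][name] = value[1:-1]
            else:
                result[current][name] = value
    return result


def audit_reg(text):
    """Return [(key, name, value, note)] for each listed setting the file puts at
    its weak value. Keys and value names match case-insensitively, as the
    registry does; settings the file does not mention are not reported."""
    by_key = {k.lower(): {n.lower(): v for n, v in vals.items()}
              for k, vals in parse_reg(text).items()}
    findings = []
    for (key, name), (is_weak, note) in WEAK_SETTINGS.items():
        value = by_key.get(key.lower(), {}).get(name.lower())
        if isinstance(value, int) and is_weak(value):
            findings.append((key, name, value, note))
    return findings


if __name__ == "__main__":
    for key, name, value, note in audit_reg(SAMPLE_REG):
        print(f"{name}=0x{value:08x} under {key}\n    -> {note}")
```

Point the script at an exported .reg file (read the file and pass its text to audit_reg) before importing it on a client, or at an export taken from a machine that was joined this way, to get a list of what would need to be restored once the server side no longer needs the NT4-style join.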

Aug 22, 2010 9:44 PM in response to denmoff

denmoff wrote:
Authenticating via LDAP works nicely. Has anyone been able to allow users to change their passwords? For instance, I would usually setup a windows account on the Leopard Server with the password set to be changed on next login. However, with this LDAP method of logging in, the user would get an error when trying to change their password.


Anyone have any luck with allowing for changing a password using this method? Also, anyone figure out how to get admin users recognized as such?

Thanks to everyone on the thread for posting about this method - I can at least allow my Windows 7 clients to log in to the server now.

Nov 18, 2010 6:01 AM in response to denmoff

Will try the pGina method when I get a chance.
Sounds like a lot of hassle though.

Do you actually join the domain once it's setup (i.e. from the Windows System Properties dialog) or is it just that the machines will authenticate with the LDAP server when logging in (in addition to having a local user)?

Final question is, do Apple ever read these support threads, comment, or give a ****? Quite a huge issue this for me, and I imagine it is for a lot of people.

Suppose they've shown what they think about their server market by canning XServe, so maybe we shouldn't hold our breath...
Guess I should have put Linux on the Mac Mini and been done with it - can't do that now since my Drobo is using the OS X filesystem (and is too large to back up).

Thanks for any responses,
Westy

Nov 21, 2010 10:20 AM in response to ndangelo

Since the knowledge might be available in this thread I would like to put in a question. My SO has a work computer which is a member of a domain from her office. Is there some way to give it easy access to SMB shares (printers and files) on my local network? I don't think that a computer can be a member of two domains at the same time (but I really don't know all that much about domains; the last time I managed them was back in Windows NT days). All of my other Windows boxes are XP and just use a workgroup (at least for now).

Nov 22, 2010 10:36 AM in response to ndangelo

I had the same issues getting the pGina configuration to launch; simply turn off UAC and reboot and you should be able to get it to work properly. Also, if you get an error when logging in about the plugin being unable to load, then download the Visual C++ Redistributable 2008 from Microsoft. Another note: I had to move the LDAPAuth plugin DLL files located in VC90 into the root of the plugins folder for them to load properly.

HTH,
Will

Jan 26, 2011 4:44 PM in response to don't mind the maggots

Let's not overlook that the problem actually sits with Microsoft and Windows 7 which doesn't support connecting to any domain other than a Server 2008 environment: "Windows NT 4.0 domain join is not supported with Windows 7 and Windows Server 2008 R2" for which there is no workaround.

See: http://technet.microsoft.com/en-us/library/ee681706%28WS.10%29.aspx
or: http://support.apple.com/kb/TS3235

It's not only Apple/Samba that has an issue. Anyone who's running Server 2003 or earlier has the same issue. With the number of non-server 2008 installs out there, is this not another issue of Microsoft trying to get people to pay for upgrades?

So, if the only answer seems to be updating a few things and spending some time in readjusting the schema, the Windows registry, and adding a piece of software, so be it. You'll now have something in your network that thousands of others don't - Win7 boxes connected to a Win2003 or earlier AD.

But the real question is, what does supporting AD get you if the SLS box is the only server in your environment? Are you looking toward it for printer support? Do you have a need to do company-wide policy pushes? Or are you only concerned because you did it under Windows and you feel that you need to do it in SLS?

Feb 28, 2011 7:19 PM in response to pcolvin15

Um, where are you getting that from? Correct, Win7 won't join a Windows NT 4.0 domain, but it will join Active Directory domains from Windows 2000 Server on. AD wasn't introduced in Windows Server 2008, it was introduced with Windows 2000 Server and I have quite a few Win 7 Enterprise clients logging in to a Windows Server 2003 domain that's not even in Win 2003 Native mode. The fault is not Microsoft's because NT 4.0 is well over 10 years old. Technology moves on and Apple (as well as the SAMBA developers) have not moved on with it. Now that's not to say that I don't like MacOS, I do, but unless you're running an all-Apple shop, Open Directory is not the answer for you until it can function as an Active Directory controller and integrate better into Active Directory.
