I tried binding a Windows 7 (beta) to our Snow Leopard PDC/BDC domain after making two changes to the security policy that Apple suggested (http://support.apple.com/kb/HT3742) and the local policy: Network Security: Minimum session security for NTLM SSP Based (including secure RPC) Clients (and servers) to no minimum (disabled 128 bit).
Still I get no logon servers, yet XP and Vista machines (last I checked) bind just fine.
Any ideas? Any hints on the troubleshooting tools from the Windows 7 machine that might indicate the disconnect would be great.
With the above tweaks, I was able to join the domain, however when I attempt to login I get a trust relationship failure. That doesn't appear to be too uncommon, and others have fixed it by upgrading/downgrading to SAMBA 3.3.4 (Linux environments).
Not sure if that's even an option in MacOS.
I'm still looking for the elusive last piece to allow authentication.
Cam
I am exactly where you (and many others) are on this.
Please kindly post here (anyone) once a solution to this trust relationship issue has been found.
And why, exactly, are you trying to take a modern operating system made in 2009, designed to work with Active Directory, and force it to work with a directory system that's more than 20 years old and designed for Windows for Workgroups 3.11 and Windows NT 3?
If you have Windows clients and they need directory services, use AD. If you don't want to pay for AD CALs and server licenses, get rid of the Windows boxen.
I'm continually amazed that people want to use (and trust the security of) a directory service technology that was invented BEFORE DNS was a standard... that uses NetBIOS naming conventions and was fastest when run on bridged networks using NetBEUI. Shame on you all...
The only purpose for AD in my home was to enable SSO and roaming profiles for 6 computers and 3 users, all of whom use a Mac 95% of the time. This isn't a business scenario; I don't want to lock down the Windows clients, run Exchange, SQL Server, IIS + ASP.NET, ADFS, or any of the other Server Roles. I definitely don't want to find an add-on backup solution when Time Machine on the server will suffice. I'm also tired of running Linux on a Hyper-V VM just so I can have a simple SMTP/IMAP solution; two servers to maintain when one will do. I don't need to have an AD server hanging around sucking power while doing nothing but authenticating users. I could have bought a Home Server box from HP but it doesn't meet my needs.
SL Server on a Mac Mini fits my needs including, even especially, my tinkering. The one "issue", if you can call it that in my case, is that the rarely turned on Windows boxes that are used for a few games can't join the domain.
Your requirements are not my requirements; please troll elsewhere.
Why would you come here to shame someone for having a unique problem that needs a solution? There's absolutely nothing wrong with using Windows. It IS a world with quite a few Windows computers in it, is it not?
Why did you feel the need to shame someone? *** is wrong with your.... oh... I get it. User name explains it all.
Anyways I'd sure appreciate someone coming up with a solution for this.
That's annoying. I was about to buy a Mac Mini Server to replace a failing Windows 2000 Server box on a network that does include some Windows 7 clients.
Guess I either need to go with another Windows Server box or possibly consider going with one of the F/OSS alternatives. Good thing I read this discussion thread before buying.
Same problem here. XP and Vista log on fine, 7 (after all the Registry hacking) joins the domain (with ignorable error message) but domain user can't log on, already known error:
"trust relationship between this workstation and the primary domain failed"
Apple, do us all a favor and take care of this problem. Solution, as mentioned in this and many other discussions: update the SMB server!
I'm really starting to think about writing some Mac OS X viruses... don't be evil, Steve...
Apple, MS, say Win 7 client can't join OS X Server PDC Domain
Saturday, March 13, 2010
This week, Apple announced that Windows 7 clients and Windows Server 2008 R2 cannot join a directory domain mastered by a Mac OS X Server primary domain controller (PDC).
In a tech support article entitled "Mac OS X Server: Cannot join Windows 7 to a Mac OS X PDC Domain", Apple says there are no workarounds to the problem. It links to a Microsoft support article that says that Windows 7 and Server 2008 R2 no longer support Windows NT 4.0 SP6A domains, which is what Mac OS X Server provides to Windows clients.
The issue is a serious one for administrators of Mac OS X Server supporting Windows clients. When Apple's server is used as an Open Directory Master, acting as a PDC creates a Windows directory domain in which the PDC server can provide Windows file and print services, authentication for Windows clients, and home folders for Windows users.
Windows 7 clients cannot log on to a Mac OS X Server master domain and take advantage of these services. If a Windows 7 client or Windows Server 2008 R2 attempts to do so, it will receive one of two error messages:
Logon failure: unknown user name or bad password.
The specified domain either does not exist or could not be contacted.
This incompatibility applies to all versions of Mac OS X Server.
If you know of a third-party product that gets around this issue please let us know.