This week, Apple announced that Windows 7 clients and Windows Server 2008 R2 cannot join a directory domain mastered by a Mac OS X Server primary domain controller (PDC).
In a tech support article entitled "Mac OS X Server: Cannot join Windows 7 to a Mac OS X PDC Domain," Apple says there are no workarounds to the problem. It links to a Microsoft support article that says that Windows 7 and Server 2008 R2 no longer support Windows NT 4.0 SP6A domains, which is what Mac OS X Server provides to Windows clients.
The issue is a serious one for administrators of Mac OS X Server supporting Windows clients. When Apple's server is used as an Open Directory Master acting as a PDC, it creates a Windows directory domain in which the PDC server can provide Windows file and print services, authentication for Windows clients, and home folders for Windows users.
Windows 7 clients cannot log on to a Mac OS X Server master domain and take advantage of these services. If a Windows 7 client or Windows Server 2008 R2 attempts to do so, it will receive one of two error messages:
- Logon failure: unknown user name or bad password.
- The specified domain either does not exist or could not be contacted.
This incompatibility applies to all versions of Mac OS X Server.
If you know of a third-party product that gets around this issue
(Thanks to Paul D'Arcy for alerting us to this issue.)
Jens Lodholm responded to our article about Apple's announcement that Windows 7 clients and Windows Server 2008 R2 cannot join a directory domain mastered by a Mac OS X Server primary domain controller (PDC). Lodholm found a possible workaround in the Apple forums:
According to a thread on Apple's Discussion boards, I quote:
I have a possible solution for some. It doesn't exactly BIND the Windows 7 machine, but at least you can have users authenticate against your OD servers instead of having OD bound to an AD server.
Step one: Download and install pGina 2.x (http://sourceforge.net/projects/pgina/files/)
Step two: Download the LDAPAuth plugin from same location
Step three: configure pgina with the appropriate ldap settings for your environment.
Users can now log in.
I'd be interested to know if this works for anyone. I'm not currently in a position to experiment with this option, but will when I have the chance.
We'd also be interested to know if this works for you. If you've tried it
Shawn Truesdell reported the problem of Windows 7 clients not being able to join a Mac OS X Server PDC Domain. Truesdell tried the workaround we have posted, but notes that the Windows 7 client still can't bind, and wonders if SMB could be manually updated on the server:
I was setting up a Mac OSX 10.6 server and could not get the Windows machines to join, the Mac computers join with no problems at all. I would just like to let you know that the pGina suggestion works. After configuration it allows the Windows 7 client to authenticate and log on to the domain, however without binding it is pretty much useless. You can manually mount and redirect folders to the server, but you can do that without being authenticated on the network.
Using pGina allows the user to be authenticated on the PDC and log in, however it does not bind, therefore login scripts and automatically mounted shares do not function. You can do these manually and have them set to re-connect on log in, but this effectively rules out the ability to use roaming profiles. If you look in the SMB system it doesn't even show them as connected. Hopefully as pGina and the LDAP Auth plug in for it progress in development these features may become available, but who knows. The entire ecosystem seems split between rabid support for Microsoft's new authentication methods and Active Directory and those who demand more open source solutions which are functional and affordable.
I have been thinking that the best way around all this would be to just install and configure the latest version of Samba directly over the top of the Apple version but I have not figured out a good way to do this and I have found no resources on the subject that are anywhere near up to date. Using MacPorts or DarwinPorts one can easily install the latest version of Samba but it seems that the Apple version still runs and is the primary one detected.
Do you know if any of your readers have tried and been successful manually updating Samba?
If you know the answer