From: Gaiseric Vandal on 5 Aug 2010 09:10

It may depend somewhat on the domain or forest mode of the AD domain.

I had partial success with Samba 3.0.x and a Windows 2003 domain in mixed mode. However, the winbind idmap entries would expire from cache and not refresh. I couldn't get Samba 3.0.x to trust an AD domain in Windows 2003 native mode.

Upgrading to Samba 3.4.8 seems to have resolved the Win 2003 compatibility issue. However, I had to manually create winbind idmap entries in Samba (LDAP backend) for each Windows 2003 user; there weren't that many and it changes rarely.

On 08/05/2010 08:50 AM, Marc Rechté wrote:
> Hello,
>
> I would like to know which version of Samba is required, if possible at
> all, to perform the following:
>
> I have a Samba domain (server is configured as a PDC) that requires to
> trust an AD domain (two-way) in order to share network resources on
> both domains ?
>
> Many thanks

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Marc Rechté on 5 Aug 2010 09:40

Hello Gaiseric,

Thank you for your answer.

My last experience in Windows server was on NT, therefore my knowledge on AD is rather limited. I however work with an AD admin who may answer to some questions.

He said the server with which the relation has to be set is in a 2003 level forest with a 2003 R2 schema. He also made a reference to MS KB http://support.microsoft.com/kb/325874/ on establishing a trust relation between an NT server and 2003 server and this document does not explicitly state the Windows server must be set in mixed mode.

I checked both the Samba3 Official guide and Samba 3 how-to guides but it seems both of them are stuck to 3.0 version. Is there some more updated information regarding domains and AD interoperability in Samba ?

Many thanks
From: Gaiseric Vandal on 5 Aug 2010 10:30

He is correct that the Windows 2003 native should be able to trust an NT4 domain (which is what Samba pretends to be.) AD domain in Windows "mixed" mode supports NT4 domain members, which is not what you are trying to do anyway. But it suggested to me that when the AD domain moves to native mode it either tightens up some authentication protocols in such a way that don't play nice with older versions of Samba. Of course, there could have been some weird issue with my environment that I couldn't isolate.

If you really were setting up a domain trust between an NT4 PDC and a Windows 2003 PDC, the NT4 PDC would "think" it was talking to another NT4 PDC. Samba, even though it is providing the function of an NT4 PDC, looks like it will detect that the other domain is an Active Directory domain. Things like DNS name lookup (which wasn't so much of an issue for primitive OS's like NT4 or Windows 95) are a lot more important. (Active Directory clients use DNS to locate AD LDAP and Kerberos servers.)

It will probably make your life simpler if you use your Active Directory server as the main DNS and WINS server for the network. You may also want to update the krb5.conf file on your Samba server to have information on the AD "kerberos" domain. That may help Samba locate the DC for the AD domain.

Also, pretty sure you need to keep NBT (NetBIOS over TCP) enabled on your Windows AD server, which should be the default option. Windows XP (and later) AD clients don't need NBT to talk to an AD server so it is possible your AD admin turned it off.

I also found that the Samba documentation was not as complete or current as I would like.

On 08/05/2010 09:18 AM, Marc Rechté wrote:
> Hello Gaiseric,
>
> Thank you for your answer.
>
> My last experience in Windows server was on NT, therefore my knowledge
> on AD is rather limited. I however work with an AD admin who may
> answer to some questions.
>
> He said the server with which the relation has to be set is in a 2003
> level forest with a 2003 R2 schema. He also made a reference to MS KB
> http://support.microsoft.com/kb/325874/ on establishing a trust
> relation between an NT server and 2003 server and this document does
> not explicitly state the Windows server must be set in mixed mode.
>
> I checked both the Samba3 Official guide and Samba 3 how-to guides but
> it seems both of them are stuck to 3.0 version. Is there some more
> updated information regarding domains and AD interoperability in Samba ?
>
> Many thanks