samba-users August 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: Re: [Samba] Domain trust between a Samba PDC domain

Re: [Samba] Domain trust between a Samba PDC domain and W2K AD domain

From: Gaiseric Vandal <gaiseric.vandal_at_nospam>
Date: Thu Aug 05 2010 - 14:23:37 GMT

He is correct that the Windows 2003 native shd be able to trust an NT4
domain (which is what Samba pretends to be.) AD domain in Windows
"mixed" mode supports NT4 domain members- which is not what you are
trying to do anyway. But it suggested to me that when the AD domain
moves to native mode it either tightens up some authentication protocols
in such a way that don't play nice with older version of Samba. Of
course, there could have been some weird issue with my environment that
I couldn't isolate.

If you really were setting up a domain trust between NT4 PDC and an
Windows 2003 PDC, the NT4 PDC would "think" it was talking to another
NT4 PDC. Samba , even tho it is providing the function of an NT4 PDC,
looks like it will detect that the other domain is an Active Directory
domain. Things like DNS name lookup (which wasn't so much of an issue
for primitive OS's like NT4 or Windows 95) are a lot more important.
(Active directory clients use DNS to locate AD LDAP and Kerberos
servers.) It will probably make your life simpler if you use your
Active Directory server as the main DNS and WINS server for the
network. You may also want to update the krb5.conf file on your
samba server to have information info on the AD "kerberos" domain.
That may help samba locate the the DC for the AD domain.

Also, pretty sure you need to keep NBT (netbios over tcp ) enable on
your Windows AD server- which should be the default option. Windows XP
(and later) AD clients don't need NBT to talk to an AD server so it is
possible your AD admin turned it off.

I also found that the samba documentation was not as complete or current
as I would like.

On 08/05/2010 09:18 AM, Marc Rechté wrote:
> Hello Gaiseric,
> Thank you for your answer.
> My last experience in Windows server was on NT, therefore my knowledge
> on AD is rather limited. I however work with an AD admin who may
> answer to some questions.
> He said the server with which the relation has to be set is in a 2003
> level forest with a 2003 R2 schema. He also made a reference to MS KB
> on establishing a trust
> relation between an NT server and 2003 server and this document does
> not explicitly state the Windows server must be set in mixed mode.
> I checked both the Samba3 Official guide and Samba 3 how-to guides but
> it seems both of them are stuck to 3.0 version. Is there some more
> updated information regarding domains and AD interoperability in Samba ?
> Many thanks

-- To unsubscribe from this list go to the following URL and read the instructions: