Starting to look like Active Directory...

John H Terpstra jht at samba.org
Sun May 4 04:07:42 GMT 2003


On Sun, 4 May 2003, Andrew Bartlett wrote:

> Over the past few months, Samba 3.0 has started to look very much like
> Active Directory to Win2k clients.
>
> This has occurred so much so, that clients actively look our netbios
> name up in DNS, for example. (resulting in even more additional silly load
> on global root servers)
>
> However, the problem I've noticed particularly is in getting a Win2k
> domain to 'trust' us - as in the 'trusted domains' sense of the word.
> To do this, Win2k needs to join our domain, with a machine trust
> account.  This is something that I've had in production with NT4 for
> quite a while now, and it is something that we need to have working for
> Samba 3.0 w/ Win2k.
>
> The problem is this:  The win2k server makes a call to:
> (from jmcd's CVS commit message)
>
> > Add LSA RPC 0x2E, lsa_query_info2.  Only level implemented is 0x0c,
> > which is netbios and dns domain info.  Also add code to set/fetch the
> > domain GUID from secrets.tdb (although set is not yet called by
> > anyone).
>
> This is all well and good, but the original implementation used
> 'lp_realm()' to get the DNS name, which caused 'invalid parameter' errors
> on the win2k client.  Now we return the real DNS domain name, but our
> clients (and the domain I'm trying to get us to trust) now really think
> we are AD, and start to lookup the magic names under our DNS domain
> name...
>
> Having not found these names, the potentially trusting domain bombs
> out...
>
> Where should we go from here?  Start disabling things, until it breaks
> back into NT4 - but what do we lose by doing that?   Start providing an
> example DNS zone file?

Yes. We have no choice - we must move forwards. We need to interoperate
cleanly with NT4 and Win 200x.

I have no objection to specifying that we support ADS mode operations ONLY
with Dynamic DNS. That is becoming the norm in DNS operations anyhow. This
way we can use samba to register the correct zone info for ADS mode
operations.

>
> I would appreciate some thoughts on this matter.

- John T.
-- 
John H Terpstra
Email: jht at samba.org
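The "magic names" the thread refers to are the SRV records an AD-aware Windows client queries (via DsGetDcName) to locate a domain controller for a DNS domain: _ldap._tcp.dc._msdcs.<domain> and friends, plus the Kerberos and kpasswd names. As an added example, not code from Samba or from either poster, the script below emits those records as nsupdate(8) commands, so they can be registered into a zone that accepts dynamic updates, the way John suggests for ADS mode. The domain name, DC host name, address and site name are assumed inputs; the record set, TTL, priority and weight are the ones a Windows DC registers for itself by default.

```shell
#!/bin/sh
# Added example (not Samba code): emit the DNS records an AD-aware Windows
# client queries to locate a domain controller, as nsupdate(8) commands.
# Assumed inputs: DNS domain, DC host name, DC IPv4 address, AD site name.

# ad_dc_records DOMAIN HOST IP [SITE]
#   DOMAIN: DNS domain name of the Samba domain, e.g. example.com
#   HOST:   short host name of the DC; the target becomes HOST.DOMAIN.
#   IP:     IPv4 address of HOST
#   SITE:   AD site name; defaults to Default-First-Site-Name
ad_dc_records() {
    domain=$1; host=$2; ip=$3; site=${4:-Default-First-Site-Name}
    dc="$host.$domain."
    ttl=600

    # Address record for the DC itself and for the global-catalog alias.
    printf 'update add %s %s A %s\n' "$dc" "$ttl" "$ip"
    printf 'update add gc._msdcs.%s. %s A %s\n' "$domain" "$ttl" "$ip"

    # SRV records as "owner-name port" pairs.  Priority 0 / weight 100 are
    # what a Windows DC registers for itself.  The dc._msdcs and _sites
    # variants are the ones DsGetDcName tries first.
    for rec in \
        "_ldap._tcp.$domain 389" \
        "_ldap._tcp.dc._msdcs.$domain 389" \
        "_ldap._tcp.pdc._msdcs.$domain 389" \
        "_ldap._tcp.gc._msdcs.$domain 3268" \
        "_gc._tcp.$domain 3268" \
        "_ldap._tcp.$site._sites.$domain 389" \
        "_ldap._tcp.$site._sites.dc._msdcs.$domain 389" \
        "_kerberos._tcp.$domain 88" \
        "_kerberos._udp.$domain 88" \
        "_kerberos._tcp.dc._msdcs.$domain 88" \
        "_kerberos._tcp.$site._sites.$domain 88" \
        "_kpasswd._tcp.$domain 464" \
        "_kpasswd._udp.$domain 464"
    do
        # Split "name port" into $1 and $2 (positional parameters are
        # local to the function; the originals were saved above).
        set -- $rec
        printf 'update add %s. %s SRV 0 100 %s %s\n' "$1" "$ttl" "$2" "$dc"
    done
    # nsupdate applies the batch when it reads "send".
    echo send
}

# Stand-alone usage: print the update batch for an assumed domain.
# Pipe the output into "nsupdate -k <tsig-key-file>" against a zone
# configured with allow-update to actually register the records.
ad_dc_records example.com dc1 192.0.2.10
```

Two caveats a practitioner should keep in mind. First, these records only tell the client where to go next: once the lookup succeeds the client connects to the named host on 389 (LDAP) and 88 (Kerberos), so a server that publishes the names without actually answering on those ports moves the failure from "name not found" to the next step rather than removing it. Second, a zone that accepts dynamic updates should restrict them with a TSIG key (the `-k` option above) or an equivalent ACL; an unrestricted `allow-update` lets any host on the network redirect domain-controller location for the whole domain.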

