[PATCH 0/2] Allow Windows XP SP 2 to join Samba 3.2 ADS

Sergey Yanovich ynvich at gmail.com
Tue Jun 3 23:34:31 GMT 2008

Andrew Bartlett wrote:
> On Wed, 2008-06-04 at 01:48 +0300, Sergey Yanovich wrote:
>> After some experiments and with the help of Samba 4 code, I have finally made
>> a Windows workstation join Samba 3.2 ADS controller.
> How did you make it think it was ADS?

I am not 100% sure, but I saw with the wireshark that the client was 
using my kerberos tickets.

In our early research, we found
> ADS was either an 'on' or 'off' thing - particularly if you support the
> new call on the LSA pipe, then you must start supporting an lot more. 

It is true, but probably relates to after-join phase.

>> How hard is it to use separate Kerberos and LDAP servers?
> Difficult enough that I've spend the last 4 years working on Samba4.  We
> know it's possible (see XAD for the proof by example), but the approach
> currently taken was very deliberate. 

> As a Samba4 developer I would encourage you to help us make Samba4 work
> better for your use cases (a python script to export host/fqdn keytabs
> would be very easy to write) than to continue down this rat-hole. 

Now I know, it is rat hole :) IIUC, Samba 4 was using its own python 
until recently. In other words, there are precedents for decoupling 
external components. Maybe KDC is the next in the queue? Samba can talk 
to kadm using normal kadmin interface, so it will be possible to use 
normal *nix way of administering KADM/KDC. MIT Kerberos has a plugin to 
store keys in LDAP, and this can handle canonicalization. So the only 
big peace of work is PAC, right?

I am working an FOSS accounting package in Russia, and I plan to deploy 
it in an company with obsolete Windows infrastructure. My interest was 
to find out smooth transition path from a poorly managed W2K ADS to the 
linux domain. Samba 4 looks promising for the matter.

Sergey Yanovich

More information about the samba-technical mailing list