[Samba] Wiki: NT4 PDC Quickstart / Samba->Win SysVol repl. workaround
dale at BriannasSaladDressing.com
Tue Apr 19 18:43:05 UTC 2016
On 04/16/2016 2:11 PM, Marc Muehlfeld wrote:
> I published two new guides:
> * https://wiki.samba.org/index.php/Samba_NT4_PDC_quickstart
> A documentation, how to set up Samba as an NT4 PDC. I called
> it "Quickstart", because it covers only the basic stuff.
> For those of you having Samba DCs and Windows DCs in
> their domain. This is a workaround for the missing
> SysVol replication feature in a mixed environment.
Are any of the parameters mentioned under "Winbindd/Netlogon
improvements" in the release notes for 4.2.0 (shown below) needed? It
seems that some are, but maybe I'm reading too much into it.
Regardless, my Samba NT4 domain has not functioned since Debian moved
from 4.1.17 to 4.3.3, and I have tried using the parameters shown in the
Has anyone gotten their NT4 domain to work with any version of Samba
4.3.x? If so, what did you do to make it work?
The whole concept of maintaining the netlogon secure channel
to (other) domain controllers was rewritten in order to maintain
global state in a netlogon_creds_cli.tdb. This is the proper fix
for a large number of bugs:
In addition a strong session key is now required by default,
which means that communication to older servers or clients
might be rejected by default.
For the client side we have the following new options:
"require strong key" (yes by default), "reject md5 servers" (no by default).
E.g. for Samba 3.0.37 you need "require strong key = no" and
for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",
On the server side (as domain controller) we have the following new options:
"allow nt4 crypto" (no by default), "reject md5 client" (no by default).
E.g. in order to allow Samba < 3.0.27 or NT4 members to work
you need "allow nt4 crypto = yes"
More information about the samba-technical