Samba Server version, AD Authentication and Kerberos

Nico Kadel-Garcia nkadel at gmail.com
Tue Dec 19 05:41:36 UTC 2017


On Fri, Dec 15, 2017 at 2:59 AM, Singh, Madhav via samba-technical
<samba-technical at lists.samba.org> wrote:
> Hi,
>
> I am looking for some help with samba in our organization. Below is the current installation of samba version and the operating systems which are almost out of support. We are planning to patch our AD servers with MS security patches and it is noted that those security patches might affect samba AD and Kerberos authentication.
>
> I would need some help understanding if we can update/upgrade current samba from 3.x to 4.x on the below OS (RHEL, AIX, HP, SUN OS and Debian etc.)? And if we need to integrate them with AD/Kerberos authentication, what are the steps?
>
> OS | Samba Version | Total | Comments/Recommendations
> RHEL 5 | 3.6.23; 4.6.2

Hold it *right* there. RHEL 5 is deprecated. Do *not* expect to run
Samba 4.x on it as a server, especially if you want or need full
Active Directory replacement support. You are going to *seriously*
hurt yourself if you try to backport Samba 4.x to RHEL 5, yourself.
I'd urge you to update to RHEL 7 as a matter of basic security
updates, and decide if you can use the default Samba 4.2.x.

Kerberos is authentication. AD, or Samba with full account management,
use LDAP for the account management. Keep these *separate* in your
head.

You can get recent versions of Samba for almost any operating system
that is not this obsolete. You can get versions with full Active
Directory compatible domain controller capabilities, but they're extra
work to compile the most recent versions of Samba with these features.
Sernet publishes them pre-built, but the most recent versions of
"gnutls" needed for Samba 4.7 or other recent releases are extra work to
update and manage.

Note that you *do not need* a full Samba installation to activate LDAP
and Kerberos account management and authentication for a designated,
local, upstream Samba server. For simple CIFS based file system
mounting, or printer access, or even Kerberos managed authentication
for local accounts to support "single sign on" configurations, you do
not need a local Samba server on client machines. On many systems,
these are already built into tools like "nsswitch" and "cifs-utils"
and "krb5", and do not actually require a local copy of Samba at all.
Samba needs to be on the designated *servers* for your local
environment.


