Samba Server version, AD Authentication and Kerberos

Singh, Madhav Madhav.Singh at Honeywell.com
Tue Dec 19 09:07:35 UTC 2017


Thank you so much for your reply.

We have a group of users who use old SAMBA. When specific Microsoft patches were rolled out on our domain controller, their SAMBA connectivity was broken. This is why we are taking some extra care and trying to find out what would be the best approach so that we install the MS security patch on our AD and the connectivity to Samba is not lost. I am assuming that the security patch is blocking the port/service for Samba; I may be wrong too.

We need connectivity and authentication via AD and Kerberos which we would not want to break.


I explored the possibilities and found on some blogs/forums that Samba 3.6.x is compatible with RHEL 5, 6, 7; AIX 5.3, 6.1, 7.1, but I am not sure if it is compatible with HP UX 11.11, Sun OS 5.8 and Debian 3. Am I going in the right direction? Please advise.

Second, can we leverage our AD with Kerberos for authentication on the above versions of OS with Samba 3.6.x?

Is there a possibility I can call and seek advice?



Thank you, 
Madhav Singh,
Infrastructure Solution, Design & Delivery
Honeywell Enterprise IT
Plot 115, Nanakramguda,
Hyderabad-500019 
Office  : +91-40-66543570  x 61154
Mobile: +91-9000203423
Email:Madhav.Singh at Honeywell.com

-----Original Message-----
From: Nico Kadel-Garcia [mailto:nkadel at gmail.com] 
Sent: Tuesday, December 19, 2017 11:12 AM
To: Singh, Madhav <Madhav.Singh at Honeywell.com>
Cc: abartlet at samba.org; mailman at lists.samba.org; samba-technical at lists.samba.org; obnox at samba.org; gd at samba.org
Subject: Re: Samba Server version, AD Authentication and Kerbaros

On Fri, Dec 15, 2017 at 2:59 AM, Singh, Madhav via samba-technical <samba-technical at lists.samba.org> wrote:
> Hi,
>
> I am looking for some help with Samba in our organization. Below is the current installation of Samba versions and the operating systems, which are almost out of support. We are planning to patch our AD servers with MS security patches and it is noted that those security patches might affect Samba AD and Kerberos authentication.
>
> I would need some help understanding if we can update/upgrade current Samba from 3.x to 4.x on the below OS (RHEL, AIX, HP, SUN OS, Debian, etc.), and if we need to integrate them with AD/Kerberos authentication, what are the steps?
>
> OS | Samba Version | Total | Comments/Recommendations
> RHEL 5 | 3.6.23;   4.6.2

Hold it *right* there. RHEL 5 is deprecated. Do *not* expect to run Samba 4.x on it as a server, especially if you want or need full Active Directory replacement support. You are going to *seriously* hurt yourself if you try to backport Samba 4.x to RHEL 5, yourself.
I'd urge you to update to RHEL 7 as a matter of basic security updates, and decide if you can use the default Samba 4.2.x.

Kerberos is authentication; AD, or Samba with full account management, use LDAP for the account management. Keep these *separate* in your head.

You can get recent versions of Samba for almost any operating system that is not this obsolete. You can get versions with full Active Directory compatible domain controller capabilities, but they're extra work to compile the most recent versions of Samba with these features.
Sernet publishes them pre-built, but the most recent versions of "gnutls" needed for Samba 4.7 or other recent releases are extra work to update and manage.

Note that you *do not need* a full Samba installation to activate LDAP and Kerberos account management and authentication for a designated, local, upstream Samba server. For simple CIFS based file system mounting, or printer access, or even Kerberos managed authentication for local accounts to support "single sign on" configurations, you do not need a local Samba server on client machines. On many systems, these are already built into tools like "nsswitch" and "cifs-utils" and "krb5", and do not actually require a local copy of Samba at all.
Samba needs to be on the designated *servers* for your local environment.

