[Samba] Samba 3.0 - a bunch of really high level questions

Andrew Bartlett abartlet at samba.org
Wed Mar 26 09:25:25 GMT 2003

On Wed, Mar 26, 2003 at 09:08:18AM +0000, John H Terpstra wrote:
> On Wed, 26 Mar 2003 th0th at th0th.com wrote:
> > Hello everyone... I am a long time samba user (3 or 4 years), though I
> > never ventured into the alpha stages until recently (alpha 21, I'll move
> > to 22 in the near future once I get a better idea of what's going on). I
> > am very interested in Samba being part of an ADS domain, but I have been
> > a little frustrated due to the lack of documentation. Specifically, I've
> > read the HOWTO's from the University of Navarre and idealx, and I've
> > gotten to the stage where I have all users on my machine authenticating
> > through LDAP, samba is using LDAP to authenticate, etc. And I've gotten
> > it to act as what appears to be an NT4 PDC.
> Welcome to alpha releases! We are still working on Documentation, you will
> find the most up to date Samba-HOWTO in PDF format in the Samba HEAD
> branch CVS Code tree. Periodically we update the 3.0.0 code tree from the
> HEAD branch.

More up to date is the SGML source, or the HTML - in reality the PDF isn't
regenerated very often.

> > Reading through the available documentation, the WHATSNEW.TXT, etc. I am
> > reading all these entries like "Active Directory support. This release
> > is able to join a ADS realm as a member server and authenticate users
> > using LDAP/kerberos." etc. but I have found very few guides on how to
> > implement this, or even what is meant by "member server". I am assuming
> > this means that the 3.0 branch cannot yet act as an AD server in a
> > native mode (i.e., non mixed mode) 2000 domain. Well what exactly CAN it
> > do?
> This is still being documented. Any pointers anyone discovers that may
> help other users should be reported to jht at samba.org (at least while I
> am working on documentation updates). In other words - your help is much
> appreciated - and Yes, even you can help. As you spot errors or incomplete
> information, please let me know. I will be working on updates throughout
> this week.

To clarify this, Samba 3.0 is intended to function in an active directory
domain, as a domain member (a machine that trusts the domain for all account
information) with NO backward compatibility options enabled on the DC.  When
directly joined to such a domain, I believe this is functional.

> > These may sound like stupid questions, but I've found very little on
> > exactly:
> >     1) what ./configure options I should be compiling samba with in
> > order to use as much of the active directory member features
> > available.
> It is best to use the binary packages made available by the Samba-Team on
> the samba FTP sites. These are usually built with maximum available
> functionality for your platform.

I would disagree here, and note that for alphas, a source install is appropriate,
as we don't get a particularly wide range of platforms done for the binaries.

As to configure options, we try to pick up as much as possible automatically -
this means that you should have both your ldap and kerberos development
headers installed (and naturally, the actual libs too).

> >     2) whether I need to have a kerberos kdc installed on the smb
> > server, or anywhere on the network, or not at all.
> See the ADS-Howto in the samba HEAD branch docs area.

As a member server, the Win2k ADS server is a kerberos server.  

> >     3) I know that ADS realms utilize special SRV records in the DNS,
> > should I implement these, how?
> Ditto above.
> >     4) trust relationships in 2000 environment. Is it possible, what
> > needs to be done.
> This is undocumented at this time. Sorry, we will get around to it soon.

Trust relationships behave exactly as for NT4 - modulo bugs, for the member
server.  For the PDC, we only provide an NT4 PDC, and have not yet completed
all that is required to trust other domains.

Having other domains trust us is a much simpler task, and is simply a
matter of establishing the shared secret.  The smbpasswd -i command does
this, and I think this is documented.  This works well in my production

> >
> > Basically, I have a reasonable amount of free time, am very interested
> > in the project, have minimal coding skills but a pretty firm grasp on
> > the technologies, have a basement full of linux, XP, and 2000 machines
> > with a VPN into a "pure win2000 domain" for comparative testing, and
> > want to help you people test this puppy out... just need a little more
> > specific guidance on what it can do, and how to implement it.
> Hope this helps a little.
> - John T.
> -- 
> John H Terpstra
> Email: jht at samba.org