[Samba] Samba 3.0.2 & Exchange 2003 / Active Directory?

Brandon samba at email.msc.tamu.edu
Sat Feb 14 07:37:44 GMT 2004

We have semi-successfully set up Samba 3.0.2 and Exchange 2003.  Exchange
2003 requires Active Directory, however we wanted to still use Samba as a
PDC in our domain.  We set up Exchange in a Windows2000 separate domain and
then established a one-way trust between the exchange domain and the samba
domain (where the samba domain is the trusted domain).  We established our
users on Exchange and corresponding users on the Samba PDC.

Getting Exchange to authenticate off the Samba PDC was tricky but not
impossible.  In Exchange you must set the msExchMasterAccountSid variable in
Active Directory to the Samba domain SID of the mailbox's owner.  Microsoft
has documented this procedure in KB article 278888:
This procedure will make the Samba SID (account) the owner of the exchange
mailbox; the corresponding account in the exchange domain becomes disabled.
It is essential to set exchange up this way or else OWA, public folders,
mailbox sharing, and other exchange features will not work correctly.  It is
not enough to just check the "Associated External Rights" box without
following the steps to set the msExchMasterAccountSid variable.  Failing to
set this attribute will cause Exchange to randomly bounce emails and other
features to work sporadically.

To get Outlook Web Access to work properly with this setup you must disable
Integrated Windows Authentication in IIs for the all virtual directories
associated with exchange (exchange, public, exchweb).  Instead use Basic
Authentication where the domain name is the Samba domain.  Be aware this
sends the users password unencrypted so be sure you are using SSL when you
authenticate a user.  This solution will all Exchange to authenticate off
the Samba PDC domain when using OWA.

We ran into a little trouble when trying to set up the Samba-Windows2000
trusts.  When trying two-way trusts, everything would work fine for a few
hours, but then Windows2000 would stop letting us view the Samba PDC users
(which we needed because we had to associate these accounts with mailboxes).
Two-way windows2000 trusts aren't working too well yet it seems, however
Exchange only needs a one way trust.  The one-way trust solution (with Samba
as the trusted domain) has been working fine.

Associating Samba accounts with Exchange mailboxes using this procedure may
not work for more then 100 or so accounts.  I am sure there is a way to do
it programmatically, such as KB article 322890:

- Brandon

More information about the samba mailing list