[Samba] Re: Samba 3.0.2 & Exchange 2003 / Active Directory?

[Dan]

Brandon

How did you deal with licensing then, don't you still have to pay 
domain/AD client access licenses as well as Exchange client access licenses?


Brandon wrote:

> We have semi-successfully set up Samba 3.0.2 and Exchange 2003.  Exchange
> 2003 requires Active Directory, however we wanted to still use Samba as a
> PDC in our domain.  We set up Exchange in a Windows2000 separate domain and
> then established a one-way trust between the exchange domain and the samba
> domain (where the samba domain is the trusted domain).  We established our
> users on Exchange and corresponding users on the Samba PDC.
> 
> Getting Exchange to authenticate off the Samba PDC was tricky but not
> impossible.  In Exchange you must set the msExchMasterAccountSid variable in
> Active Directory to the Samba domain SID of the mailbox's owner.  Microsoft
> has documented this procedure in KB article 278888:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;278888
> This procedure will make the Samba SID (account) the owner of the exchange
> mailbox; the corresponding account in the exchange domain becomes disabled.
> It is essential to set exchange up this way or else OWA, public folders,
> mailbox sharing, and other exchange features will not work correctly.  It is
> not enough to just check the "Associated External Rights" box without
> following the steps to set the msExchMasterAccountSid variable.  Failing to
> set this attribute will cause Exchange to randomly bounce emails and other
> features to work sporadically.
> 
> To get Outlook Web Access to work properly with this setup you must disable
> Integrated Windows Authentication in IIs for the all virtual directories
> associated with exchange (exchange, public, exchweb).  Instead use Basic
> Authentication where the domain name is the Samba domain.  Be aware this
> sends the users password unencrypted so be sure you are using SSL when you
> authenticate a user.  This solution will all Exchange to authenticate off
> the Samba PDC domain when using OWA.
> 
> We ran into a little trouble when trying to set up the Samba-Windows2000
> trusts.  When trying two-way trusts, everything would work fine for a few
> hours, but then Windows2000 would stop letting us view the Samba PDC users
> (which we needed because we had to associate these accounts with mailboxes).
> Two-way windows2000 trusts aren't working too well yet it seems, however
> Exchange only needs a one way trust.  The one-way trust solution (with Samba
> as the trusted domain) has been working fine.
> 
> Associating Samba accounts with Exchange mailboxes using this procedure may
> not work for more then 100 or so accounts.  I am sure there is a way to do
> it programmatically, such as KB article 322890:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322890
> 
> - Brandon
>