[Samba] Re: Vista SP1, Server 2008 joining NT4/Samba Domain

Peter Slickers pesli at web.de
Thu Jun 19 23:04:00 GMT 2008

> It seems that Vista SP1 and Server 2008 cannot join an NT4/Samba-domain.

According to my trials, the above statement is not true. Computer systems
running Windows Vista SP1 or Windows 2008 server can be joined successfully
to a domain controlled by a Samba 3.0.28a PDC.

Conversely, these systems cannot be joined to a domain hosted by a native
Windows NT4.0 SP6 PDC.

Unfortunately, netlogon is broken with the newest Samba version 3.0.30, and
thus this version cannot be used for any trials in this field.

Since Vista and 2008 are able to join a Samba 3.0.28a domain, a Samba
server can be used as a proxy server for netlogon. In this way a Vista client
is enabled to authenticate and authorize user and group accounts stored in a
native NT4 PDC. With the help of a Samba proxy, Vista workstations can be run
in an organization which still uses an NT4 PDC.

In order to make Samba a netlogon proxy, the Samba server is set up as a PDC
and then an interdomain trust is established where the Samba PDC is trusting
the NT4 domain. Then the Vista workstations are joined to the Samba PDC. The
Samba PDC stores only machine accounts, but no user accounts. User accounts
are solely managed by the NT4 domain.

This setup works fine for logon, but some other features associated with
domain membership fail. So far I was not able to make netlogon scripts
run. I also failed to add users of the NT4 domain to the domain groups
of the Samba domain.

Finally, the 'net localgroup' command has to be used on Vista clients to add
NT4 domain users/groups to local groups. The Windows GUI tool for group
management completely fails to list users and groups of the NT4 domain.
[The listing operation is presumably done via a direct connection between
Vista client and NT4 server and without involving the Samba proxy.]

Peter Slickers
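
A sketch of the netlogon-proxy setup described in this message, added here as an example and not taken from the poster's own configuration. The names SAMBADOM, NT4DOM and SMBPDC, the file paths, the `machines` Unix group and the idmap ranges are placeholders; it assumes Samba 3.0.x parameter syntax and a running winbindd to map accounts from the trusted NT4 domain.

```ini
# smb.conf on the Samba proxy PDC (added example; all names are placeholders)
[global]
    workgroup = SAMBADOM
    netbios name = SMBPDC
    security = user
    passdb backend = tdbsam

    # Act as the PDC of SAMBADOM
    domain logons = yes
    domain master = yes
    preferred master = yes
    os level = 65

    # winbindd allocates Unix ids for users and groups of the trusted NT4 domain
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    # Only machine accounts are stored locally; the "machines" group is assumed to exist
    add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false -g machines %u

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

# Order of operations (commands shown as comments):
#
# 1. On the NT4 PDC, in User Manager for Domains, add SAMBADOM as a
#    trusting domain and set a trust password.
# 2. On the Samba PDC, establish the trust with that password:
#        net rpc trustdom establish NT4DOM
# 3. Check that the trust is visible to Samba and winbindd:
#        net rpc trustdom list
#        wbinfo -m
# 4. Join the Vista SP1 / Server 2008 machines to SAMBADOM.
# 5. On each client, grant NT4 accounts local rights from the command line:
#        net localgroup Administrators NT4DOM\someuser /add
```

The trust is one-way: SAMBADOM trusts NT4DOM, so any account in the NT4 domain can log on to the joined workstations, and local group membership on each client is the place to restrict what those accounts may do.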
