[Samba] Re: Vista SP1, Server 2008 joining NT4/Samba Domain

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jun 20 07:40:03 GMT 2008


On Fri, Jun 20, 2008 at 01:04:00AM +0200, Peter Slickers wrote:
> According to my trials, the above statement is not true. Computer systems
> running Windows Vista SP1 or Windows 2008 server can be joined successfully
> to a domain controlled by a Samba 3.0.28a PDC.
> 
> Opposingly, these systems cannot be joined to a domain hosted by a native
> Windows NT4.0 SP6 PDC.
> 
> Unfortunately, netlogon is broken with the newest Samba version 3.0.30, and
> thus this version cannot be used for any trials in this field.

Can you tell us how to reproduce this?

> Since Vista and 2008 are able to join a Samba 3.0.28a domain, a Samba
> server can be used as a proxy server for netlogon. In this way a Vista client
> is enabled to authenticate and authorize user and group accounts stored in a
> native NT4 PDC. With the help of a Samba proxy, Vista workstations can be run
> in an organization which still uses an NT4 PDC.
> 
> In order to make Samba a netlogon proxy, the Samba server is set up as a PDC
> and then an interdomain trust is established where the Samba PDC is trusting
> the NT4 domain. Then the Vista workstations are joined to the Samba PDC. The
> Samba PDC stores only machine accounts, but no user accounts. User accounts
> are solely managed by the NT4 domain.
> 
> This setup works fine for logon, but some other features associated with
> domain membership fail. So far I was not able to make netlogon scripts
> run. I also failed to add users of the NT4 domain to the domain groups
> of the Samba domain.

Same here, we would like to make this work.

> Finally, the 'net localgroup' command has to be used on Vista clients to add
> NT4 domain users/groups to local groups. The Windows GUI tool for group
> management completely fails to list users and groups of the NT4 domain.
> [The listing operation is presumably done via a direct connection between
> Vista client and NT4 server and without involving the Samba proxy.]

This *might* be because Vista assumes AD and is not able to
list using RPCs. To diagnose this, a sniff (best done by
wireshark on the Vista box) of the failure would be needed.

Volker