[Samba] Re: what's good for security=ads ?
knuffiandy at web.de
Tue Sep 16 20:42:27 GMT 2008
d tbsky schrieb:
> we have a 2003 R2 domain. it is running on 2003 native mode. we
> want to setup some samba member file servers. our client is windows
> i try samba 3.2 with "security = domain" and "idmap backend = rid".
> it seems fine. but i saw there are more advanced options in samba like
> "security = ads" and even parameter about "rfc2307" to mix windows
> and samba. they are complex settings and i wonder what benefits they
> bring to us.
> our situation is: we want to use samba as file server for windows
> xp,and we have one single 2003 R2 domain. we may want to migrate to
> samba 4.0 when it is ready.
> is simple "security = domain" enough?, or we should setup
> "security = ads" to prepare for the future?
> thanks a lot for your help!!
Shortly ! The difference between "domain" and "ads" as i understand:
domain = NT4 style domain membership
In my experience it should be enough unless using Vista clients.
ads = like NT4 + kerberos
If you want to use "ads" you have to setup a little kerberos client
configuration on your samba server. This is a little bit more work.
We had issues from windows Vista client to connect to samba server
unless we changed from "domain" to "ads" mode, but i dont know the
But maybe it help to set:
client ntlmv2 auth = yes
in smb.conf for SMB auth negotiatening with the vista client without
changing from "domain" to "ads".
Before using Vista "domain" membership works very well with 2003 R2
(native mode), Windows XP and winbind.
This is a schemata extension (part of 2003 R2) for ActiveDirectory to
make it possible to put posix information to an existing Windows user/group.
This information are read out by winbind if:
winbind nss info = rfc2307
is set !
I hope i could help you. If i type something wrong please correct me.
I'am writing about my experience and tests.
More information about the samba