[Samba] Domain trust between a Samba PDC domain and W2K AD domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Aug 5 08:23:37 MDT 2010

He is correct that Windows 2003 native should be able to trust an NT4 
domain (which is what Samba pretends to be). An AD domain in Windows 
"mixed" mode supports NT4 domain members, which is not what you are 
trying to do anyway. But it suggested to me that when the AD domain 
moves to native mode it tightens up some authentication protocols 
in such a way that they don't play nice with older versions of Samba. Of 
course, there could have been some weird issue with my environment that 
I couldn't isolate.

If you really were setting up a domain trust between an NT4 PDC and a 
Windows 2003 PDC, the NT4 PDC would "think" it was talking to another 
NT4 PDC. Samba, even though it is providing the function of an NT4 PDC, 
looks like it will detect that the other domain is an Active Directory 
domain. Things like DNS name lookup (which wasn't so much of an issue 
for primitive OSes like NT4 or Windows 95) are a lot more important. 
(Active Directory clients use DNS to locate AD LDAP and Kerberos 
servers.) It will probably make your life simpler if you use your 
Active Directory server as the main DNS and WINS server for the 
network. You may also want to update the krb5.conf file on your 
Samba server to have information on the AD "Kerberos" domain. 
That may help Samba locate the DC for the AD domain.

Also, I'm pretty sure you need to keep NBT (NetBIOS over TCP) enabled on 
your Windows AD server, which should be the default option. Windows XP 
(and later) AD clients don't need NBT to talk to an AD server, so it is 
possible your AD admin turned it off.

I also found that the samba documentation was not as complete or current 
as I would like.

On 08/05/2010 09:18 AM, Marc Rechté wrote:
> Hello Gaiseric,
> Thank you for your answer.
> My last experience in Windows server was on NT, therefore my knowledge 
> of AD is rather limited. I however work with an AD admin who may 
> answer some questions.
> He said the server with which the relation has to be set is in a 2003 
> level forest with a 2003 R2 schema. He also made a reference to MS KB 
> http://support.microsoft.com/kb/325874/ on establishing a trust 
> relation between an NT server and a 2003 server, and this document does 
> not explicitly state the Windows server must be set in mixed mode.
> I checked both the Samba3 Official guide and the Samba 3 how-to guides, but 
> it seems both of them are stuck at version 3.0. Is there some more 
> up-to-date information regarding domains and AD interoperability in Samba?
> Many thanks
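The krb5.conf change suggested above, as an added illustration (not from the post or from the Samba project); the realm AD.EXAMPLE.COM, the DNS domain ad.example.com and the host dc1.ad.example.com are placeholders for the AD forest's Kerberos realm and a domain controller in it:

```ini
# /etc/krb5.conf on the Samba PDC: tell the Kerberos libraries about
# the AD realm so Samba can find its KDC (the AD domain controller).
# All names below are placeholders for the real AD forest.

[libdefaults]
    # Assumption: the AD realm is the only Kerberos realm this host uses.
    default_realm = AD.EXAMPLE.COM
    # Let the libraries find KDCs via the AD server's DNS SRV records
    # (this is why the AD DC should be the network's main DNS server).
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    AD.EXAMPLE.COM = {
        # Explicit fallback if DNS SRV lookup is unavailable.
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    # Map the AD DNS domain (and all hosts under it) to the realm.
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM
```

Realm names are case-sensitive and conventionally upper case; after editing, a `kinit someuser@AD.EXAMPLE.COM` from the Samba host is a quick check that the KDC is reachable.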
