[Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

Derek Werthmuller dwerthmu at ctg.albany.edu
Fri Oct 28 11:56:35 MDT 2011

Thanks for the advice - Good to know not to go down the trust relationship
path.  A separate domain does sound like a good path.  Leave the existing
nt/exchange setup as just an email platform.  Users are likely to need to
login again once we move that email/calendar/contacts function to the cloud.

Gives a nice clean migration path - here is your new win7 pc and your new
login for it.

Though I've also considered not making the new win7 domain members anyway.
They are all going laptops and staff are somewhat mobile to highly mobile.
When the domain is not available because of poor network link quality or no
network at all, laptop performance suffers.  I know this to be the case with
XP; I have no indication that it's any different with Win7.


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Gaiseric Vandal
Sent: Friday, October 28, 2011 11:05 AM
To: samba at lists.samba.org
Subject: Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x
ldapbacked PDC and MS Exchange 5.5 still

If you are getting rid of the exchange server it seems a lot of work to do
the trusts thing.  Having outlook remember your password isn't a major
problem.  Except of course then people are pretty likely to have forgotten
their e-mail password if they ever use another PC.

I have found Samba trusts to be fairly painful.  I had a Samba 3.0.x PDC
(LDAP backend) which I tried having a trust with a Windows 2003
domain.  In order for trusts to work, the Samba machine uses Idmap to
create a range of unix uid's and gid's for the trusted Windows users.
With Samba 3.0.x, these idmap entries were created but would stop
working after the cache period expired.  I don't know why.  When I
moved to Samba 3.4.x, the expiration issue went away but then idmap
entries were not automatically.  We didn't have many people in the
Windows 2003 domain so I can manually create idmap entries as needed.

My gut feeling is that any changes you make to support Windows 7 machines
will break compatibility with legacy machines  (e.g. NT4) or the domain
trusts - although installing the latest NT4 SP pack (6a?) may help.

Could you migrate the PDC role from your NT server to a samba 3.4.x
or 3.5.x server?   I don't think Exchange 5.5 has to be on the domain 

At my work we have a Samba domain for most of the users and computers.  
We also have a separate untrusted  Win 2008 domain just to support our 
Exchange 2007 server.    It would be nice if we could consolidate to a 
single domain (or at least a single Active Directory tree) but for the
moment people have to maintain separate e-mail accounts.

FYI - I had a look at the latest version of Zimbra - it looks like a pretty
nice product for a small business, if you decide not to go with
the hosting route.  I do like Exchange 2007 but it can be a big
challenge to set up and maintain, and you really have to have a
background with Active Directory and Exchange.  Not what I would use
for a really small site.

On 10/28/2011 10:34 AM, Derek Werthmuller wrote:
> Looking to make some changes to an old but working LAN, that has about 10
> samba servers serving printers and network shares and a NT 4 PDC server
> Exchange 5.5 on it.  The samba servers are members of the nt4 domain, XP
> systems are members of the nt 4 domain also.  Samba servers are
> We use the ldap component directly to login to the Linux servers.
> I'd like to be able to support windows 7 clients as domain members, right
> now the clients are all XP.  The plan I'm considering is building a new
> domain with the latest version of samba 3.x stable series for my RHEL6
> servers, join my new windows clients to that domain and create a trust
> relationship to the NT 4 domain.  The existing samba servers can be joined
> to the new domain so that only the email server will be in the old domain.
> The idea behind the trust
> relationship is so that entering email for my users can be just a click
> won't have to login again.  We'd want to keep the ldap backend capability
> too.
> Keeping the exchange is really a stop gap till we can move that function
> the cloud.
> Have others done similar upgrades successfully?  Does this sound
> Is the trust relationship overkill and likely to cause problems? (tell
> to cache the outlook login and be done)
> Thanks
> 	Derek
> Derek Werthmuller
> Director of Technology Innovation and Services
> Center for Technology in Government
> 518.442.3892
> www.ctg.albany.edu
