[Samba] Samba 3.4 and Windows 2008R2 Interdomain trusts

Andrew Bartlett abartlet at samba.org
Thu Dec 20 01:35:15 MST 2012


On Sat, 2012-12-15 at 12:31 +0100, Romain wrote:
> Hello list,
> 
> Sorry to top again but do we need Kerberos on Samba server to make this
> work ?

For the best chance of success, I would first upgrade to Samba 4.0.
Samba 3.4 is old, well out of security support and long out of support
from the Samba team from a technical perspective, given the complexity
of the issues you raise. 

When you upgrade to Samba 4.0, ensure that Samba is built with Kerberos
support, so that the ADS mode can be used by winbindd.  

The other issue you may hit is just that the NT4 protocols we implement
on the server-side as a classic domain are quite old now, and so Windows
2008R2 might simply not wish to talk to a classic Samba domain over an
interdomain trust. 

This has worked in the past, which is why the tools are in place, but as
to what works currently, I can only suggest you maximise your chances by
running the very latest code, and compiling with features such as
Kerberos.

Samba as an AD domain (which Samba 4.0 provides the first release of)
would work better, but Samba 4.0's AD DC doesn't support trusting
interdomain trusts at all yet (sorry).  This means you shouldn't upgrade
into the AD server mode quite yet.  It can be trusted by another forest
however.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




