[Samba] Samba 3.4 and Windows 2008R2 Interdomain trusts

Romain gromly at gmail.com
Thu Dec 20 07:57:00 MST 2012

Hi Andrew,

Actually we have a Samba 3.5 (I made a reply before to correct my mistake
about the version), but I suppose that your recommendation is still to
upgrade to 4.0.

The problem is that we can't upgrade to Samba 4.0 for now (maybe in a few
months) and, as you said, two-way interdomain trusts are not supported yet
(hope they will be).

But if it gives me more chance to get this working, we may be able to
downgrade AD to 2008, or even 2003, because it is a new installation?
Actually, we need this trust to be able to use Microsoft PKI and enroll
certificates for Samba users. So we need at least one user from the AD domain
that can log on to the Samba domain (product prerequisite).


On Thursday 20 December 2012, Andrew Bartlett wrote:

> On Sat, 2012-12-15 at 12:31 +0100, Romain wrote:
> > Hello list,
> >
> > Sorry to top again but do we need Kerberos on Samba server to make this
> > work ?
> For the best chance of success, I would first upgrade to Samba 4.0.
> Samba 3.4 is old, well out of security support and long out of support
> from the Samba team from a technical perspective, given the complexity
> of the issues you raise.
> When you upgrade to Samba 4.0, ensure that Samba is built with Kerberos
> support, so that the ADS mode can be used by winbindd.
> The other issue you may hit is just that the NT4 protocols we implement
> on the server-side as a classic domain are quite old now, and so Windows
> 2008R2 might simply not wish to talk to a classic Samba domain over an
> interdomain trust.
> This has worked in the past, which is why the tools are in place, but as
> to what works currently, I can only suggest you maximise your chances by
> running the very latest code, and compiling with features such as
> kerberos.
> Samba as an AD domain (which Samba 4.0 provides the first release of)
> would work better, but Samba 4.0's AD DC doesn't support trusting
> interdomain trusts at all yet (sorry).  This means you shouldn't upgrade
> into the AD server mode quite yet.  It can be trusted by another forest
> however.
> I hope this helps,
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org