[Samba] Samba4 as an additional Domain Controller in existing Windows 2016 AD

[Andrew Bartlett]

On Mon, 2018-10-08 at 15:21 +0200, David Wilson via samba wrote:
> Sorry for the pressure guys. Any ideas on this please? 
> 
> 
> 
> Regards, 
> 
> David Wilson 
> 
> From: "samba. org" <samba at lists.samba.org> 
> To: "samba. org" <samba at lists.samba.org> 
> Sent: Wednesday, 3 October, 2018 16:45:42 
> Subject: [Samba] Samba4 as an additional Domain Controller in existing Windows 2016 AD 
> 
> Good day guys, 
> 
> I hope all is well on your side. 
> 
> We are looking at implementing the latest stable version of Samba4 to function as a (secondary) domain controller in an existing Active Directory environment that is currently managed by an existing single Windows Server 2016 server. 
> 
> Aside from fairly easily-addressed sysvol replication challenges - looking at the official Samba documentation, it seems that nothing higher than a Domain/Forest Function Level of 2008r2 is supported, if Samba4 is to function as Domain Controller in an existing (Windows Server controlled) Active Directory environment? 
> The information available seems to indicate that the reason for this is due to changes within the Windows Server Kerberos services, that are possibly not available within MIT or Heimdal Kerberos? 

The Kerberos issues come from the newer functional levels, they imply
that the KDC has to do more things.  As long as the functional level
remains at 2008R2 that won't be the blocker. 

But why do you need to mix Samba and windows? 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba