[Samba] Schema version 87 and windows Hello

Andrew Bartlett abartlet at samba.org
Fri Sep 11 18:42:48 UTC 2020

On Fri, 2020-09-11 at 17:33 +0200, mailist via samba wrote:
> Hi,
> thank you for your answer :)
> ohhh, that is new. I thought that Samba 4 was to this day incompatible
> with a schema update >= v67 (I think it is written somewhere in
> the documentation that the reason why Windows > 2016 can't be used as
> domain controller is partly due to the schema; that is what bothered me)

Yeah, we write scary things, but I don't expect major drama once an
engineer starts work.  Our schema handling has got a lot better (or
perhaps I'm just an optimist).

> I already have set up an ADFS (win 2016) (works with heimdal krb without
> problems, MIT seems to also work). The problem is with the enterprise
> Device Registration Service that requires a schema of windows 2016
> (which I thought was not yet supported by samba).
> For me making heimdal do this would be pointless. The idea that I had
> was to have a windows 2012 R2 ADDC with whom the ADFS would be only
> talking (great no krb problems) so the key trust model would technically
> work :) the only point missing was the schema.

OK, then I suggest you look into that. :-)

> Thank you so much for your answers you actually helped me a lot :)
> Yes the smart card login was the alternative thought (probably even
> better but users like fashion).
> (and yes it looks like ADFS is only needed for the enrollment but with
> windows better wireshark everything)
> I am just an Ops but I would love to help if there is something I can do.
> Thx for the great work that you guys are doing


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
