[Samba] Is a mixed MS/Samba DC environment doable?
Anders Östling
anders.ostling at gmail.com
Wed Dec 6 22:16:13 UTC 2023
> On Dec 6, 2023, at 22:00, Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Wed, 2023-12-06 at 11:34 +0100, Anders Östling via samba wrote:
>> Hi
>> I'd like to learn more on the pros and cons of a mixed domain that
>> consists
>> of both MS and Samba domain controllers and member servers.
>
> This is a situation that is meant to work, but is not actively tested
> (all our tests are pure Samba), but seems to work for some folks.
>
> However given the way Windows CAL licensing works, it is not often
> deployed as you get the costs of Windows and the complexity of a mixed
> domain.
>
>> What I have learnt so far is this;
>>
>> I created a new lab domain with an MS DC 2019. I then added a Samba
>> 4.19-3
>> file server as a domain member w/o any issues.
>>
>> The clients are 2 Win 10 VM's for tests of shares, GPO's and related
>> technologies. Still no issues that weren't self-inflicted. File
>> sharing with
>> Samba and setting up permissions and group memberships worked as
>> expected.
>> I created GPO's for home directory, roaming profiles and folder
>> redirection
>> and verified these.
>>
>> Yesterday I fired up a Debian 12 and joined this as a DC. First
>> attempt
>> failed due to schema incompatibility (known issue). I downgraded the
>> MS
>> schema to 2008R2 and after that the join was successful.
>
> I presume you mean the functional level. With the correct options, it
> should work. See the release notes.
>
Yes. I used PowerShell cmdlets to lower both functional and domain levels to 2008R
>> From what I can see, replication also works as it should. I then
>> tested to
>> transfer roles back and forth between Samba and MS, and that also
>> worked fine.
>>
>> Some issues noted so far.
>>
>> 1. Existing GPO's on the MS server side are not replicated to the
>> Samba DC.
>> At least there are no files/directories under
>> /var/lib/samba/sysvol/<domain>/ visible. I guess this is caused by
>> the lack
>> of DFS/RPC on the Samba side.
>
> Correct.
This missing feature seems to be key to more complete compatibility if I understand it correctly. Not an easy task to implement for sure.
>
>> The event viewer on both client VM's shows the same error messages,
>> probably caused by the lack of DFS, event 1058. My guess is that they
>> are
>> attempting to read the GPO's from the Samba AD after this DC was
>> added. Originally they got the GPO's from the MS. I will read up more
>> on
>> GPO's and Samba to better understand the interoperability.
>>
>> 2. I shut down the MS AD VM and tried a logon onto one of the W10
>> clients. I
>> expected that the Samba DC would handle the logon, but that didn't
>> work.
>> The logon process just hung there until I fired up the MS DC again.
>> Could
>> not find anything in the client except the GPO messages mentioned
>> above.
>
> It should work, perhaps look into DNS?
>
Yes, it was probably caused by the fact that the client lacked DNS server info for the DC02/Samba AD. Fixed and verified now.
>> To conclude this rant, is a mixed environment really doable, or would
>> it
>> just create a lot of issues as time goes by? Any advice is welcome!
>
> It all comes down to why you are doing it. Some folks ran such a setup
> to work around bugs in our DRS code for Azure AD connect, but I fixed
> those recently.
>
No particular reason except a wish to learn more and understand how good interoperability is. I don’t have any death wish, so I won’t implement this in production (yet).
> If there was a specific application I was using, that needed an
> operational (generated) attribute we didn't have working, that would be
> another good reason, and it helps give a reference so we know that we
> could fix such a thing.
>
> Andrew Bartlett
>
Thanks for the answers Andrew!
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org <https://samba.org/>
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net <http://catalyst.net/> Ltd
>
> Proudly developing Samba for Catalyst.Net <http://catalyst.net/> Ltd - a Catalyst IT group
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
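The two things that tripped up the lab above were the functional levels (needed at 2008R2 before the Samba DC could join) and a client whose DNS resolver did not know about the Samba DC, so it could never fail over when the MS DC was down. The script below is an added example, not code from the thread or from the Samba project; it assumes RSAT (ActiveDirectory and DnsClient modules) on a Windows DC or admin workstation, and the domain name comes from the directory at run time.

```powershell
# Added example: checks for the mixed MS/Samba DC lab described in the thread.
# Assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT) are available.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot

# 1. Forest and domain functional levels. The Samba join in the thread needed
#    both at 2008R2. Lowering can be refused by AD if an enabled optional
#    feature requires the higher level; the cmdlets then error out.
"Forest level: $($forest.ForestMode); Domain level: $($domain.DomainMode)"
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
}
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm:$false
}

# 2. DC locator records. A DC that is in the directory but has no SRV record
#    under _msdcs is never offered to clients for logon, which is the symptom
#    seen when the MS DC was shut down. Compare directory DCs against DNS.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsRoot" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() }
foreach ($dc in $dcs) {
    $present = $srv -contains $dc.TrimEnd('.').ToLowerInvariant()
    "{0,-40} SRV record: {1}" -f $dc, $(if ($present) { 'present' } else { 'MISSING' })
}

# 3. On the Windows 10 client: the resolver must point at a DNS server that
#    serves the _msdcs records for both DCs, otherwise only the MS DC is found.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
nltest /dsgetdc:$dnsRoot /force   # shows which DC the locator picks right now
```

Run section 3 on the client while the MS DC is powered off; if nltest still returns the MS DC or fails, the client's DNS settings are the place to look before suspecting the Samba DC.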