[Samba] Is a mixed MS/Samba DC environment doable?

Anders Östling anders.ostling at gmail.com
Wed Dec 6 22:16:13 UTC 2023



> On Dec 6, 2023, at 22:00, Andrew Bartlett <abartlet at samba.org> wrote:
> 
> On Wed, 2023-12-06 at 11:34 +0100, Anders Östling via samba wrote:
>> Hi
>> I'd like to learn more on the pros and cons of a mixed domain that
>> consists
>> of both MS and Samba domain controllers and member servers.
> 
> This is a situation that is meant to work, but is not actively tested
> (all our tests are pure Samba), but seems to work for some folks.  
> 
> However given the way Windows CAL licensing works, it is not often
> deployed as you get the costs of Windows and the complexity of a mixed
> domain.
> 
>> What I have learnt so far is this;
>> 
>> I created a new lab domain with an MS DC 2019. I then added a Samba
>> 4.19-3
>> file server as a domain member w/o any issues.
>> 
>> The clients are 2 Win 10 VM's for tests of shares, GPO's and related
>> technologies. Still no issues that weren't self-inflicted. File
>> sharing with
>> Samba and setting up permissions and group memberships worked as
>> expected.
>> I created GPO's for home directory, roaming profiles and folder
>> redirection
>> and verified these.
>> 
>> Yesterday I fired up a Debian 12 and joined this as a DC. First
>> attempt
>> failed due to schema incompatibility (known issue). I downgraded the
>> MS
>> schema to 2008R2 and after that the join was successful.
> 
> I presume you mean the functional level.  With the correct options, it
> should work.  See the release notes. 
> 

Yes. I used PowerShell cmdlets to lower both functional and domain levels to 2008R

>> From what I can see, replication also works as it should. I then
>> tested to
>> transfer roles back and forth between Samba and MS, and that worked
>> also
>> fine.
>> 
>> Some issues noted so far.
>> 
>> 1. Existing GPO's on the MS server side are not replicated to the
>> Samba DC.
>> At least there are no files/directories under
>> /var/lib/samba/sysvol/<domain>/ visible. I guess this is caused by
>> the lack
>> of DFS/RPC on the Samba side.
> 
> Correct.

This missing feature seems to be key to more complete compatibility if I understand it correctly. Not an easy task to implement for sure.

> 
>> The event viewer on both client VM's shows the same error messages,
>> probably caused by the lack of DFS, event 1058. My guess is that they
>> are
>> attempting to read the GPO's from the Samba AD after that this DC was
>> added. Originally they got the GPO's from the MS. I will read up more
>> on
>> GPO's and Samba to better understand the interoperability.
>> 
>> 2. I shut down the MS AD vm and tried a logon onto one of the W10
>> clients. I
>> expected that the Samba DC would handle the logon, but that didn't
>> work.
>> The logon process just hung there until I fired up the MS DC again.
>> Could
>> not find anything in the client except the GPO messages mentioned
>> above.
> 
> It should work, perhaps look into DNS?
> 

Yes, it was probably caused by the fact that the client lacked DNS server info for the DC02/Samba AD. Fixed and verified now.
 

>> To conclude this rant, is a mixed environment really doable, or would
>> it
>> just create a lot of issues as time goes by? Any advice is welcome!
> 
> It all comes down to why you are doing it.  Some folks ran such a setup
> to work around bugs in our DRS code for Azure AD connect, but I fixed
> those recently.
> 

No particular reason except a wish to learn more and understand how good interoperability is. I don’t have any death wish, so I won’t implement this in production (yet). 

> If there was a specific application I was using, that needed a
> operational (generated) attribute we didn't have working, that would be
> another good reason, and it helps give a reference so we know that we
> could fix such a thing. 
> 
> Andrew Bartlett
> 

Thanks for the answers Andrew!

> 
> -- 
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead                https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
> 
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
> 
> Samba Development and Support: https://catalyst.net.nz/services/samba
> 
> Catalyst IT - Expert Open Source Solutions
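The two problems worked through in this thread (a client that hung at logon because it could not discover the Samba DC, and GPOs whose files never appeared under the Samba sysvol) can both be checked before users notice. The script below is an added example, not code from the thread or from the Samba project; the domain `lab.example`, the DC names and the GPO GUID are constructed placeholders.

```sh
#!/bin/sh
# Added example: two checks for a mixed Windows/Samba DC domain.
#  1. every DC we expect is advertised in the _ldap._tcp.dc._msdcs SRV
#     records clients use to pick a logon server (the DNS issue above);
#  2. every GPO GUID has a Policies/<GUID> folder in sysvol, so the DC can
#     actually serve the policy a client asks for (the event 1058 issue).
# Domain, DC names and GUIDs below are constructed placeholders.

# srv_advertises_dcs SRV_FILE DC...
# SRV_FILE holds the output of:
#   dig +short SRV _ldap._tcp.dc._msdcs.lab.example
# i.e. lines of "<prio> <weight> <port> <target>." ; returns 0 if every
# DC named on the command line appears as a target.
srv_advertises_dcs() {
  srv_file=$1; shift
  missing=0
  for dc in "$@"; do
    # compare the 4th column (target) case-insensitively, ignoring the
    # trailing dot dig prints on fully qualified names
    if ! awk -v want="$dc" '
          { t = $4; sub(/\.$/, "", t); if (tolower(t) == tolower(want)) found = 1 }
          END { exit !found }' "$srv_file"; then
      echo "MISSING: $dc is not in the SRV records, clients cannot discover it" >&2
      missing=1
    fi
  done
  return $missing
}

# sysvol_has_gpos POLICIES_DIR GUID...
# POLICIES_DIR is e.g. /var/lib/samba/sysvol/lab.example/Policies ;
# returns 0 if every GUID has a directory there.
sysvol_has_gpos() {
  pol_dir=$1; shift
  missing=0
  for guid in "$@"; do
    if [ ! -d "$pol_dir/$guid" ]; then
      echo "MISSING: $pol_dir/$guid, GPO files are not in this DC's sysvol" >&2
      missing=1
    fi
  done
  return $missing
}

# Constructed sample: a DNS zone that only advertises the Windows DC.
make_sample_srv() {
  f=$(mktemp)
  printf '0 100 389 dc01.lab.example.\n' > "$f"
  echo "$f"
}
```

Run `srv_advertises_dcs` from the client network against the zone the clients actually use, and `sysvol_has_gpos` on each Samba DC with the GUIDs taken from `gPCFileSysPath` of your GPOs.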
