[Samba] AD Functional Level vs very old SaMBa member server

Rowland Penny rpenny at samba.org
Wed Jan 11 09:59:30 UTC 2023

On 11/01/2023 09:21, Tamás Németh via samba wrote:
> Dear All!
>   There is a very old (SaMBa 3.2.5 on Debian 6.0.9)

Are you sure about that ?
Samba 3.2.5 was released in November 2008 and the entire 3.2.x series 
went EOL in March 2010, nearly a year before Debian 6 was released. It 
was Debian 5 that used Samba 3.2.5

Whatever the case, why are you still using an EOL OS and an EOL version 
of Samba ? Note that we are not talking years here, we are talking just 
over a decade.

  Active Directoy MEMBER
> fileserver at my workplace. Our Forest/Domain Functional Level is at the
> lowest possible (Windows 2000), and we can't postpone raising it anymore.
> I've read at Microsoft's "Understanding Active Directory Domain Services
> (AD DS) Functional Levels" page that "functional levels do not affect which
> operating systems you can run on workstations and member servers that are
> joined to the domain or forest". Is it true even in our extreme case?
>   Can we raise the functional levels all the way to Windows 2016, while -
> temporarily - keeping this ancient SaMBa fileserver? In /etc/samba/smb.conf
> `security = domain` and `password server = ONE_OF_OUR_DCs`, from which it
> authenticates via TCP/445 presumably with some old protocol (e.g. NTLM).
> There is also winbindd running on this SaMBa.
>   Will this authentication and winbindd remain REALLY functional after
> raising the Forest/Domain Functional Level or are there any unknown caveats
> or obstruction unknown to us? As far as I know we have to enable SMBv1 on
> our Windows clients in order to make them able to mount shares from this
> SaMBa server, but what about the domain controller which is used by our
> SaMBa as password server? Will it have to be tweaked in a similar way, or
> can we just raise the functional level without any regedit (or similar)
> tricks?
> Thank you in advance,
> Tamás Németh

Samba in the years that have passed has changed substantially, Taking 
the '3' series, there were 4 minor versions released before the major 
version '4' was released and there have been 17 minor version of that 
branch to date. Putting it bluntly, Samba 4.17.4 is a lot different than 
3.2.5, however it should work.

It might help if we could see the smb.conf you are using at the moment, 
you might have to make changes, 'security = domain' for instance, this 
is meant for connecting to an NT4-style domain (PDC) and you now use 
'security = ADS' to connect to an AD domain.


More information about the samba mailing list