[Samba] AD Functional Level vs very old SaMBa member server

Tamás Németh nt1277 at gmail.com
Fri Mar 10 12:31:00 UTC 2023


Thank you for your help. I'm further analyzing the problem: I'm trying to
migrate to a brand new SaMBa server, but the deadlines are too tight, and
it's possible I won't be able to finish in time. So, preparing for this
worst case scenario:

What if I enable the 'domain logons' option on a fairly up-to-date SaMBa
MEMBER server in this AD? Can this new SaMBa MEMBER server (despite not
being a DC) serve as "proxy" server as the 'password server' for the
ancient fileserver? Do I have to rejoin the domain with the ancient SaMBa
or is it enough to restart it? Anyway: Can a MEMBER server provide 'domain
logons' service and act like a proxy between an ancient member and a
kerberos based AD?

Thank you in advance,

NÉMETH, Tamás

Rowland Penny via samba <samba at lists.samba.org> wrote (on Wed, Jan 11,
2023, 11:00):

>
>
> On 11/01/2023 09:21, Tamás Németh via samba wrote:
> > Dear All!
> >
> >   There is a very old (SaMBa 3.2.5 on Debian 6.0.9)
>
> Are you sure about that ?
> Samba 3.2.5 was released in November 2008 and the entire 3.2.x series
> went EOL in March 2010, nearly a year before Debian 6 was released. It
> was Debian 5 that used Samba 3.2.5
>
> Whatever the case, why are you still using an EOL OS and an EOL version
> of Samba ? Note that we are not talking years here, we are talking just
> over a decade.
>
> > Active Directory MEMBER
> > fileserver at my workplace. Our Forest/Domain Functional Level is at the
> > lowest possible (Windows 2000), and we can't postpone raising it anymore.
> > I've read at Microsoft's "Understanding Active Directory Domain Services
> > (AD DS) Functional Levels" page that "functional levels do not affect which
> > operating systems you can run on workstations and member servers that are
> > joined to the domain or forest". Is it true even in our extreme case?
> >
> >   Can we raise the functional levels all the way to Windows 2016, while -
> > temporarily - keeping this ancient SaMBa fileserver? In /etc/samba/smb.conf
> > `security = domain` and `password server = ONE_OF_OUR_DCs`, from which it
> > authenticates via TCP/445 presumably with some old protocol (e.g. NTLM).
> > There is also winbindd running on this SaMBa.
> >
> >   Will this authentication and winbindd remain REALLY functional after
> > raising the Forest/Domain Functional Level or are there any unknown caveats
> > or obstruction unknown to us? As far as I know we have to enable SMBv1 on
> > our Windows clients in order to make them able to mount shares from this
> > SaMBa server, but what about the domain controller which is used by our
> > SaMBa as password server? Will it have to be tweaked in a similar way, or
> > can we just raise the functional level without any regedit (or similar)
> > tricks?
> >
> > Thank you in advance,
> > Tamás Németh
>
> Samba in the years that have passed has changed substantially. Taking
> the '3' series, there were 4 minor versions released before the major
> version '4' was released and there have been 17 minor versions of that
> branch to date. Putting it bluntly, Samba 4.17.4 is a lot different than
> 3.2.5, however it should work.
>
> It might help if we could see the smb.conf you are using at the moment,
> you might have to make changes, 'security = domain' for instance, this
> is meant for connecting to an NT4-style domain (PDC) and you now use
> 'security = ADS' to connect to an AD domain.
>
> Rowland
>