Tamás Németh
2023-Jan-11 09:21 UTC
[Samba] AD Functional Level vs very old SaMBa member server
Dear All!

There is a very old (SaMBa 3.2.5 on Debian 6.0.9) Active Directory MEMBER fileserver at my workplace. Our Forest/Domain Functional Level is at the lowest possible (Windows 2000), and we can't postpone raising it anymore. I've read at Microsoft's "Understanding Active Directory Domain Services (AD DS) Functional Levels" page that "functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest". Is it true even in our extreme case?

Can we raise the functional levels all the way to Windows 2016, while - temporarily - keeping this ancient SaMBa fileserver? In /etc/samba/smb.conf `security = domain` and `password server = ONE_OF_OUR_DCs`, from which it authenticates via TCP/445 presumably with some old protocol (e.g. NTLM). There is also winbindd running on this SaMBa.

Will this authentication and winbindd remain REALLY functional after raising the Forest/Domain Functional Level or are there any unknown caveats or obstruction unknown to us? As far as I know we have to enable SMBv1 on our Windows clients in order to make them able to mount shares from this SaMBa server, but what about the domain controller which is used by our SaMBa as password server? Will it have to be tweaked in a similar way, or can we just raise the functional level without any regedit (or similar) tricks?

Thank you in advance,
Tamás Németh
Rowland Penny
2023-Jan-11 09:59 UTC
[Samba] AD Functional Level vs very old SaMBa member server
On 11/01/2023 09:21, Tamás Németh via samba wrote:
> Dear All!
>
> There is a very old (SaMBa 3.2.5 on Debian 6.0.9)

Are you sure about that? Samba 3.2.5 was released in November 2008 and the entire 3.2.x series went EOL in March 2010, nearly a year before Debian 6 was released. It was Debian 5 that used Samba 3.2.5.

Whatever the case, why are you still using an EOL OS and an EOL version of Samba? Note that we are not talking years here, we are talking just over a decade.

> Active Directory MEMBER
> fileserver at my workplace. Our Forest/Domain Functional Level is at the
> lowest possible (Windows 2000), and we can't postpone raising it anymore.
> I've read at Microsoft's "Understanding Active Directory Domain Services
> (AD DS) Functional Levels" page that "functional levels do not affect which
> operating systems you can run on workstations and member servers that are
> joined to the domain or forest". Is it true even in our extreme case?
>
> Can we raise the functional levels all the way to Windows 2016, while -
> temporarily - keeping this ancient SaMBa fileserver? In /etc/samba/smb.conf
> `security = domain` and `password server = ONE_OF_OUR_DCs`, from which it
> authenticates via TCP/445 presumably with some old protocol (e.g. NTLM).
> There is also winbindd running on this SaMBa.
>
> Will this authentication and winbindd remain REALLY functional after
> raising the Forest/Domain Functional Level or are there any unknown caveats
> or obstruction unknown to us? As far as I know we have to enable SMBv1 on
> our Windows clients in order to make them able to mount shares from this
> SaMBa server, but what about the domain controller which is used by our
> SaMBa as password server? Will it have to be tweaked in a similar way, or
> can we just raise the functional level without any regedit (or similar)
> tricks?
>
> Thank you in advance,
> Tamás Németh

Samba in the years that have passed has changed substantially. Taking the '3' series, there were 4 minor versions released before the major version '4' was released and there have been 17 minor versions of that branch to date. Putting it bluntly, Samba 4.17.4 is a lot different than 3.2.5, however it should work.

It might help if we could see the smb.conf you are using at the moment, you might have to make changes, 'security = domain' for instance; this is meant for connecting to an NT4-style domain (PDC) and you now use 'security = ADS' to connect to an AD domain.

Rowland
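A way to check which member-server mode an smb.conf declares before changing anything, as an added example that is not part of the original thread or of Samba's own tooling. The function names and the sample file are hypothetical; only `security = domain` and `password server = ONE_OF_OUR_DCs` come from the thread, and backslash line continuations are assumed not to be used.

```shell
#!/bin/sh
# Added example: report how the [global] section of an smb.conf joins the domain.

# Print the value of one [global] parameter. smb.conf section and parameter
# names are case-insensitive and ignore embedded whitespace, so both sides are
# normalised before comparing. Backslash line continuations are not handled.
global_param() {  # usage: global_param FILE NAME
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            sec = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
            next
        }
        sec == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)   # only the first "=" splits
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) last = val            # keep the last occurrence
        }
        END { print last }
    ' "$1"
}

# Classify the mode: 'security = domain' is the NT4-style setting the reply
# refers to, 'security = ads' the AD one (which also needs a realm).
join_mode() {  # usage: join_mode FILE
    sec=$(global_param "$1" security | tr 'A-Z' 'a-z')
    realm=$(global_param "$1" realm)
    case "$sec" in
        domain) echo "nt4-style" ;;
        ads)    if [ -n "$realm" ]; then echo "ads"; else echo "ads-missing-realm"; fi ;;
        *)      echo "other:${sec:-unset}" ;;
    esac
}

# Constructed sample resembling the configuration described in the question;
# the workgroup name is a placeholder and the [share] line tests section scoping.
sample_old() {
    printf '%s\n' '[global]' '   workgroup = EXAMPLE' '   Security = domain' \
        '   password server = ONE_OF_OUR_DCs' '; security = ads' \
        '[share]' '   security = ads'
}

if [ -n "${1:-}" ]; then join_mode "$1"; fi
```

Run it with the path to the live smb.conf as the first argument; on a host with Samba installed, `testparm -s` shows the effective settings for comparison.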