Rowland Penny
2023-Mar-10 13:04 UTC
[Samba] AD Functional Level vs very old SaMBa member server
On 10/03/2023 12:31, Tamás Németh via samba wrote:
> Thank you for your help. I'm further analyzing the problem: I'm trying to
> migrate to a brand new SaMBa server, but the deadlines are too tight, and
> it's possible I won't be able to finish in time. So, preparing for this
> worst case scenario:

So you have had over 10 years to upgrade and now everything has to be done in a rush, (though your idea of rush and mine appears to be different).

> What if I enable the 'domain logons' option on a fairly up-to-date SaMBa
> MEMBER server in this AD?

You cannot do this, 'domain logons' is an NT4-style thing and doesn't work with AD.

> Can this new SaMBa MEMBER server (despite not
> being a DC) serve as "proxy" server as the 'password server' for the
> ancient fileserver?

No, the administrators of truths in an AD domain are the Domain Controllers, that is where the passwords etc will come from.

> Do I have to rejoin the domain with the ancient SaMBa
> or is it enough to restart it? Anyway: Can a MEMBER server provide 'domain
> logons' service and act like a proxy between an ancient member and a
> Kerberos based AD?

No, several times, No

I am beginning to think that everything in your network is ancient, next you will be telling me that you are still using XP.

Rowland
Tamás Németh
2023-Mar-10 14:18 UTC
[Samba] AD Functional Level vs very old SaMBa member server
Okay then, this sounds very bad :-(

One more thing: There is a system using PAM SMB (https://www.samba.org/~airlied/) with lanman1 protocol on port 139. After upgrading our domain level, will we be able to keep some MEMBER servers, to which this PAM SMB remains to be able to authenticate via TCP/139 and some kind of NTLM (let's say NTLMv1) authentication, or even member servers will only authenticate via Kerberos?

Thank you in advance

Rowland Penny via samba <samba at lists.samba.org> wrote (on Fri, 10 Mar 2023, 14:05):
>
> On 10/03/2023 12:31, Tamás Németh via samba wrote:
> > Thank you for your help. I'm further analyzing the problem: I'm trying to
> > migrate to a brand new SaMBa server, but the deadlines are too tight, and
> > it's possible I won't be able to finish in time. So, preparing for this
> > worst case scenario:
>
> So you have had over 10 years to upgrade and now everything has to be
> done in a rush, (though your idea of rush and mine appears to be
> different).
>
> > What if I enable the 'domain logons' option on a fairly up-to-date SaMBa
> > MEMBER server in this AD?
>
> You cannot do this, 'domain logons' is an NT4-style thing and doesn't
> work with AD.
>
> > Can this new SaMBa MEMBER server (despite not
> > being a DC) serve as "proxy" server as the 'password server' for the
> > ancient fileserver?
>
> No, the administrators of truths in an AD domain are the Domain
> Controllers, that is where the passwords etc will come from.
>
> > Do I have to rejoin the domain with the ancient SaMBa
> > or is it enough to restart it? Anyway: Can a MEMBER server provide 'domain
> > logons' service and act like a proxy between an ancient member and a
> > Kerberos based AD?
>
> No, several times, No
>
> I am beginning to think that everything in your network is ancient, next
> you will be telling me that you are still using XP.
>
> Rowland