Kevin P. Fleming
2003-Sep-17 15:56 UTC
[Samba] Samba-3.0.0rc4/ADS experience (with how-to change suggestion)
I'm nearly finished setting up a new Samba server in a Win2000 ADS domain. So far, things have been going quite well, the combination of Samba 3.0.0rc4 (with winbindd), krb5 1.3.1, CUPS 1.1.19, etc. has performed admirably and was easy to configure.

I have only three issues to mention:

- the HOWTO collection, in the section talking about joining an ADS domain as a member server, does not mention using the "net ads join" command, rather it uses "net join". This really should be fixed, "net ads join" produces a much better result.

- in the same HOWTO, there is mention of creating a krb5.conf file to tell the krb5 libraries where the KDC for the ADS domain is. With MIT krb5, this is completely unnecessary, and actually detrimental. All ADS domains will automatically create SRV records in the DNS zone _kerberos.REALM.NAME for each KDC in the realm. MIT's krb5 libraries default to checking for these records, so they will automatically find the KDCs. In addition, krb5.conf only allows specifying a _single_ KDC, even if there is more than one. Using the DNS lookup allows the krb5 libraries to use whichever KDCs are available. I can't speak to the Heimdal implementation as I've never seen it, but I'd suggest modifying the HOWTO to suggest that the krb5.conf file is strictly optional for users using the MIT krb5 libraries.

- when setting up some printers, and using driver upload from a Windows 2000 machine (which all worked as expected), I ended up with some smbd processes consuming lots and lots of CPU time but not accomplishing anything. I haven't been able to reliably reproduce the problem, so I guess this report is not very useful...

Otherwise, kudos on a wonderful package. I've been an ardent Samba supporter and user for years now, but this was my first experience with Samba-3 and ADS. Well done!
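An added example, not part of the original thread: a sketch of the client side of the SRV-based KDC discovery described in the message above, parsing SRV answers and ordering the KDCs the way RFC 2782 defines for SRV clients. The owner name `_kerberos._udp.EXAMPLE.COM`, the host names and the sample answer are constructed placeholders, and the function names are hypothetical.

```python
import random
from collections import defaultdict

# Constructed sample in `dig +noall +answer` format; all names are placeholders.
SAMPLE_ANSWER = """\
_kerberos._udp.EXAMPLE.COM. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.EXAMPLE.COM. 600 IN SRV 0 50 88 dc2.example.com.
_kerberos._udp.EXAMPLE.COM. 600 IN SRV 10 0 88 dc3.example.com.
"""

def parse_srv(answer):
    """Return (priority, weight, port, target) tuples from SRV answer lines."""
    records = []
    for line in answer.splitlines():
        fields = line.split()
        # Expected layout: owner TTL class type priority weight port target
        if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            continue
        prio, weight, port = (int(f) for f in fields[4:7])
        target = fields[7]
        if target == ".":
            continue  # RFC 2782: a target of "." means the service is not offered
        records.append((prio, weight, port, target.rstrip(".").lower()))
    return records

def kdc_order(records, rng=None):
    """Order KDCs by ascending priority, weighted-random within one priority."""
    rng = rng or random.Random()
    groups = defaultdict(list)
    for rec in records:
        groups[rec[0]].append(rec)
    ordered = []
    for prio in sorted(groups):
        # Weight-0 entries go first so they keep a small chance of selection.
        pool = sorted(groups[prio], key=lambda r: r[1])
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return [(target, port) for _, _, port, target in ordered]

if __name__ == "__main__":
    for host, port in kdc_order(parse_srv(SAMPLE_ANSWER)):
        print(f"{host}:{port}")
```

The backup KDC at priority 10 is always tried last; the two priority-0 KDCs share load in proportion to their weights.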
John H Terpstra
2003-Sep-17 17:19 UTC
[Samba] Samba-3.0.0rc4/ADS experience (with how-to change suggestion)
Kevin,

Thanks for your feedback. I will update the HOWTO pages as suggested.

Cheers,
John T.

On Wed, 17 Sep 2003, Kevin P. Fleming wrote:

> I'm nearly finished setting up a new Samba server in a Win2000 ADS
> domain. So far, things have been going quite well, the combination of
> Samba 3.0.0rc4 (with winbindd), krb5 1.3.1, CUPS 1.1.19, etc. has
> performed admirably and was easy to configure.
>
> I have only three issues to mention:
>
> - the HOWTO collection, in the section talking about joining an ADS
> domain as a member server, does not mention using the "net ads join"
> command, rather it uses "net join". This really should be fixed, "net
> ads join" produces a much better result.
>
> - in the same HOWTO, there is mention of creating a krb5.conf file to
> tell the krb5 libraries where the KDC for the ADS domain is. With MIT
> krb5, this is completely unnecessary, and actually detrimental. All
> ADS domains will automatically create SRV records in the DNS zone
> _kerberos.REALM.NAME for each KDC in the realm. MIT's krb5 libraries
> default to checking for these records, so they will automatically find
> the KDCs. In addition, krb5.conf only allows specifying a _single_
> KDC, even if there is more than one. Using the DNS lookup allows
> the krb5 libraries to use whichever KDCs are available. I can't speak
> to the Heimdal implementation as I've never seen it, but I'd suggest
> modifying the HOWTO to suggest that the krb5.conf file is strictly
> optional for users using the MIT krb5 libraries.
>
> - when setting up some printers, and using driver upload from a
> Windows 2000 machine (which all worked as expected), I ended up with
> some smbd processes consuming lots and lots of CPU time but not
> accomplishing anything. I haven't been able to reliably reproduce the
> problem, so I guess this report is not very useful...
>
> Otherwise, kudos on a wonderful package. I've been an ardent Samba
> supporter and user for years now, but this was my first experience
> with Samba-3 and ADS. Well done!

--
John H Terpstra
Email: jht@samba.org