My dilemma is this. My company is in the midst of doing some moves. Our network will be merged with another section of the company. They are completely MS servers, while all my servers are running linux / samba. Our new CTO told me that the company IS moving to Exchange 2003 (in ~ 6 months), and said that he is open to use linux for authentication, file servers, print servers, etc IF I can point him to other companies who have this setup.

I am currently running samba 3.0.2 as a PDC authenticating a mix of win98, win2k, and XP clients (I've been told we're moving completely to XP for clients), but I have not dealt with any integration with Exchange. The googling I've done so far hasn't turned up anything I can give the CTO.

* I was wondering if anyone was using Samba 3 with Exchange 2003 using the Samba server to authenticate Exchange users?
* If you have this kind of setup, what problems did you run into during setup/implementation?
* If you know of anyone that has done this, and has written about it, please forward the article / URL to me.

Thanks for your time,
Any information would be extremely helpful

-= Jesse =-
ww m-pubsyssamba
2004-Feb-12 13:51 UTC
[Samba] Samba 3.0.2 & Exchange 2003 / Active Directory?
Hi Jesse,

the biggest issue you have is Exchange 2000 & 2003 are both dependent on Active Directory (absolutely no getting around this I'm afraid), so I would guess your only option is to deploy AD and join your Samba servers to the AD domain. I guess you could keep your Samba PDC and set up a trust to the new AD domain, but this adds complexity to the configuration and I can't see any benefits.

thanks Andy.

-----Original Message-----
From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org] On Behalf Of Book, Jesse
Posted At: 12 February 2004 12:10
Posted To: Samba
Conversation: [Samba] Samba 3.0.2 & Exchange 2003 / Active Directory?
Subject: [Samba] Samba 3.0.2 & Exchange 2003 / Active Directory?

We have semi-successfully set up Samba 3.0.2 and Exchange 2003. Exchange 2003 requires Active Directory, however we wanted to still use Samba as a PDC in our domain. We set up Exchange in a Windows2000 separate domain and then established a one-way trust between the exchange domain and the samba domain (where the samba domain is the trusted domain). We established our users on Exchange and corresponding users on the Samba PDC.

Getting Exchange to authenticate off the Samba PDC was tricky but not impossible. In Exchange you must set the msExchMasterAccountSid variable in Active Directory to the Samba domain SID of the mailbox's owner. Microsoft has documented this procedure in KB article 278888:

http://support.microsoft.com/default.aspx?scid=kb;en-us;278888

This procedure will make the Samba SID (account) the owner of the exchange mailbox; the corresponding account in the exchange domain becomes disabled. It is essential to set exchange up this way or else OWA, public folders, mailbox sharing, and other exchange features will not work correctly. It is not enough to just check the "Associated External Rights" box without following the steps to set the msExchMasterAccountSid variable. Failing to set this attribute will cause Exchange to randomly bounce emails and other features to work sporadically.

To get Outlook Web Access to work properly with this setup you must disable Integrated Windows Authentication in IIS for all the virtual directories associated with exchange (exchange, public, exchweb). Instead use Basic Authentication where the domain name is the Samba domain. Be aware this sends the user's password unencrypted, so be sure you are using SSL when you authenticate a user. This solution will allow Exchange to authenticate off the Samba PDC domain when using OWA.

We ran into a little trouble when trying to set up the Samba-Windows2000 trusts. When trying two-way trusts, everything would work fine for a few hours, but then Windows2000 would stop letting us view the Samba PDC users (which we needed because we had to associate these accounts with mailboxes). Two-way windows2000 trusts aren't working too well yet it seems, however Exchange only needs a one-way trust. The one-way trust solution (with Samba as the trusted domain) has been working fine.

Associating Samba accounts with Exchange mailboxes using this procedure may not work for more than 100 or so accounts. I am sure there is a way to do it programmatically, such as KB article 322890:

http://support.microsoft.com/default.aspx?scid=kb;en-us;322890

- Brandon