Stefan Oberwahrenbrock
2008-Jun-17 10:15 UTC
[Samba] Vista SP1, Server 2008 joining NT4/Samba Domain
Hello!

It seems, that Vista SP1 and Server 2008 cannot join an NT4/Samba-domain. Vista once could join before SP1, if one did some modifications to the system (LAN Manager authentication level, Encryption of secure channel). But these workarounds do not seem to work with SP1 anymore.

Microsoft points out that joining NT4-domains with Vista SP1 and Server 2008 is not supported/tested (Article ID 940268, http://support.microsoft.com/?scid=kb%3Ben-us%3B940268&x=8&y=11).

To my knowledge Samba 3.0.x - acting as a PDC/BDC - basically provides NT4-domain functions/services.

We tried to join Vista SP1 and Server 2008 to a Microsoft NT4-domain (PDC running NT4.0 SP6a) as well as to a Samba-domain (Samba 3.0.24 [Debian] with LDAP Backend slapd 2.3.30 [Debian]). Both tries failed, symptoms as mentioned in the MS article. Other systems (2000, XP, 2003) join without problems.

Conclusion: As Vista SP1 and Server 2008 do not "cooperate" with NT4-domains, you cannot join these systems in Samba 3.0.x domains, which basically "emulate" NT4-domains.

Can someone confirm the conclusion/scenario or confute it by providing empiric values of working samba domains containing Vista SP1 and Server 2008 systems? The latter is more appreciated ... ;-)

Greetings,
Stefan
Volker Lendecke
2008-Jun-17 10:35 UTC
[Samba] Vista SP1, Server 2008 joining NT4/Samba Domain
On Tue, Jun 17, 2008 at 10:07:18AM +0000, Stefan Oberwahrenbrock wrote:
> It seems, that Vista SP1 and Server 2008 cannot join an NT4/Samba-domain.
> Vista once could join before SP1, if one did some modifications to the
> system (LAN Manager authentication level, Encryption of secure channel).
> But these workarounds do not seem to work with SP1 anymore.

Did you test with recent Samba or only with 3.0.24?

Volker
Stefan Oberwahrenbrock
2008-Jun-18 13:35 UTC
[Samba] Re: Vista SP1, Server 2008 joining NT4/Samba Domain
Volker Lendecke <Volker.Lendecke@SerNet.DE> wrote in news:E1K8YWR-0034JJ-7F@intern.SerNet.DE:
> Did you test with recent Samba or only with 3.0.24?

Only 3.0.24 - until now :-)

Meantime I have set up virtual machines for testing. The testing system acting as PDC is basically running Debian 4.0 and packages from the corresponding Debian archives (slapd, smbldap-tools, ...) - except for the Samba package. That I took from the SerNet archives.

I tested versions 3.0.28 and 3.0.30 - Vista SP1 and Server 2008 could be joined both times successfully without modifications to the operating system!

Thus it seems with Samba >= 3.0.28 everything is fine concerning the described problems.

Thanks to you/SerNet for providing up-to-date packages!

Greetings,
Stefan
Peter Slickers
2008-Jun-19 23:05 UTC
[Samba] Re: Vista SP1, Server 2008 joining NT4/Samba Domain
> It seems, that Vista SP1 and Server 2008 cannot join an NT4/Samba-domain.

According to my trials, the above statement is not true. Computer systems running Windows Vista SP1 or Windows 2008 server can be joined successfully to a domain controlled by a Samba 3.0.28a PDC. Opposingly, these systems cannot be joined to a domain hosted by a native Windows NT4.0 SP6 PDC.

Unfortunately, netlogon is broken with the newest Samba version 3.0.30, and thus this version cannot be used for any trials in this field.

Since Vista and 2008 are able to join a Samba 3.0.28a domain, a Samba server can be used as a proxy server for netlogon. In this way a Vista client is enabled to authenticate and authorize user and group accounts stored in a native NT4 PDC. With the help of a Samba proxy, Vista workstations can be run in an organization which still uses an NT4 PDC.

In order to make Samba a netlogon proxy, the Samba server is set up as a PDC and then an interdomain trust is established where the Samba PDC is trusting the NT4 domain. Then the Vista workstations are joined to the Samba PDC. The Samba PDC stores only machine accounts, but no user accounts. User accounts are solely managed by the NT4 domain.

This setup works fine for logon, but some other features associated with domain membership fail. So far I was not able to make netlogon scripts run. I also failed to add users of the NT4 domain to the domain groups of the Samba domain. Finally, the 'net localgroup' command has to be used on Vista clients to add NT4 domain users/groups to local groups. The Windows GUI tool for group management completely fails to list users and groups of the NT4 domain. [The listing operation is presumably done via a direct connection between Vista client and NT4 server and without involving the Samba proxy.]

Peter Slickers
Peter Slickers
2008-Jun-20 16:20 UTC
[Samba] Re: Vista SP1, Server 2008 joining NT4/Samba Domain
Volker Lendecke wrote:
> Can you tell us how to reproduce this?

I have reported this bug to Debian (#484309), please see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484309

The Debian maintainer has forwarded it to Samba [Bug 5518], and the reply from upstream was:

------- Comment #1 from jra@samba.org 2008-06-03 17:02 CST -------
This was broken on 3.0.30. We'll be doing a bugfix release (3.0.31) soon to address this. Sorry for the bug.
Jeremy.

So hopefully broken netlogon with interdomain trust will be fixed with the next Samba release.

--
Peter Slickers