Marc Muehlfeld
2016-Apr-16 19:11 UTC
[Samba] Wiki: NT4 PDC Quickstart / Samba->Win SysVol repl. workaround
Hello,

I published two new guides:

* https://wiki.samba.org/index.php/Samba_NT4_PDC_quickstart
  A documentation, how to set up Samba as an NT4 PDC. I called it "Quickstart", because it covers only the basic stuff.

* https://wiki.samba.org/index.php/Robocopy_based_SysVol_replication_workaround
  For those of you having Samba DCs and Windows DCs in their domain. This is a workaround for the missing SysVol replication feature in a mixed environment.

Regards,
Marc
Dale Schroeder
2016-Apr-19 18:43 UTC
[Samba] Wiki: NT4 PDC Quickstart / Samba->Win SysVol repl. workaround
On 04/16/2016 2:11 PM, Marc Muehlfeld wrote:
> Hello,
>
> I published two new guides:
>
> * https://wiki.samba.org/index.php/Samba_NT4_PDC_quickstart
>   A documentation, how to set up Samba as an NT4 PDC. I called
>   it "Quickstart", because it covers only the basic stuff.
>
> * https://wiki.samba.org/index.php/Robocopy_based_SysVol_replication_workaround
>   For those of you having Samba DCs and Windows DCs in
>   their domain. This is a workaround for the missing
>   SysVol replication feature in a mixed environment.
>
>
> Regards,
> Marc

Marc,

Are any of the parameters mentioned under "Winbindd/Netlogon improvements" in the release notes for 4.2.0 (shown below) needed? It seems that some are, but maybe I'm reading too much into it.

Regardless, my Samba NT4 domain has not functioned since Debian moved from 4.1.17 to 4.3.3, and I have tried using the parameters shown in the release notes.

Has anyone gotten their NT4 domain to work with any version of Samba 4.3.x? If so, what did you do to make it work?

Thanks,
Dale

Winbindd/Netlogon improvements
=============================

The whole concept of maintaining the netlogon secure channel to (other) domain controllers was rewritten in order to maintain global state in a netlogon_creds_cli.tdb. This is the proper fix for a large number of bugs:

https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

In addition a strong session key is now required by default, which means that communication to older servers or clients might be rejected by default.

For the client side we have the following new options: "require strong key" (yes by default), "reject md5 servers" (no by default). E.g. for Samba 3.0.37 you need "require strong key = no" and for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no".

On the server side (as domain controller) we have the following new options: "allow nt4 crypto" (no by default), "reject md5 client" (no by default). E.g. in order to allow Samba < 3.0.27 or NT4 members to work you need "allow nt4 crypto = yes".
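
An added example, not part of the thread and not Samba code: a Python check that flags the legacy-compatibility values named in the quoted release notes when they are set in the [global] section of an smb.conf. The function name, the finding texts and the sample configuration are constructed for illustration.

```python
import re

# Settings named in the 4.2.0 release notes quoted above, the values that
# relax them for legacy peers, and why that matters. Names are normalized
# as smb.conf does: case and embedded spaces are ignored.
TRUE, FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}
WEAKENING = {
    "requirestrongkey": (FALSE, "client accepts weak netlogon session keys"),
    "clientntlmv2auth": (FALSE, "client falls back to NTLMv1 responses"),
    "allownt4crypto": (TRUE, "DC accepts NT4-era netlogon crypto"),
}

def audit_smb_conf(text):
    """Return [(line_no, parameter, reason)] for relaxed values in [global]."""
    findings = []
    section = "global"  # assumption: lines before any header count as global
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (p.strip() for p in line.split("=", 1))
        key = re.sub(r"\s+", "", name).lower()
        if key in WEAKENING:
            weak_values, reason = WEAKENING[key]
            if value.lower() in weak_values:
                findings.append((no, name, reason))
    return findings

# Constructed sample: a domain member relaxed to talk to an NT4 DC.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    security = domain
    Require Strong Key = no
    client NTLMv2 auth = no
    ; allow nt4 crypto = yes
[share]
    allow nt4 crypto = yes
"""

if __name__ == "__main__":
    for no, name, reason in audit_smb_conf(SAMPLE):
        print(f"line {no}: {name}: {reason}")
```

The commented-out line and the entry under [share] are deliberately not reported, since only active [global] settings are audited.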