Tamás Németh
2023-Mar-10 12:31 UTC
[Samba] AD Functional Level vs very old SaMBa member server
Thank you for your help. I'm further analyzing the problem: I'm trying to migrate to a brand new SaMBa server, but the deadlines are too tight, and it's possible I won't be able to finish in time. So, preparing for this worst case scenario:

What if I enable the 'domain logons' option on a fairly up-to-date SaMBa MEMBER server in this AD? Can this new SaMBa MEMBER server (despite not being a DC) serve as "proxy" server as the 'password server' for the ancient fileserver? Do I have to rejoin the domain with the ancient SaMBa or is it enough to restart it? Anyway: Can a MEMBER server provide 'domain logons' service and act like a proxy between an ancient member and a kerberos based AD?

Thank you in advance,
NÉMETH, Tamás

Rowland Penny via samba <samba at lists.samba.org> wrote (on Wed, 11 Jan 2023, 11:00):

> On 11/01/2023 09:21, Tamás Németh via samba wrote:
> > Dear All!
> >
> > There is a very old (SaMBa 3.2.5 on Debian 6.0.9)
>
> Are you sure about that ?
> Samba 3.2.5 was released in November 2008 and the entire 3.2.x series went EOL in March 2010, nearly a year before Debian 6 was released. It was Debian 5 that used Samba 3.2.5
>
> Whatever the case, why are you still using an EOL OS and an EOL version of Samba ? Note that we are not talking years here, we are talking just over a decade.
>
> > Active Directory MEMBER fileserver at my workplace. Our Forest/Domain Functional Level is at the lowest possible (Windows 2000), and we can't postpone raising it anymore. I've read at Microsoft's "Understanding Active Directory Domain Services (AD DS) Functional Levels" page that "functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest". Is it true even in our extreme case?
> >
> > Can we raise the functional levels all the way to Windows 2016, while - temporarily - keeping this ancient SaMBa fileserver? In /etc/samba/smb.conf `security = domain` and `password server = ONE_OF_OUR_DCs`, from which it authenticates via TCP/445 presumably with some old protocol (e.g. NTLM). There is also winbindd running on this SaMBa.
> >
> > Will this authentication and winbindd remain REALLY functional after raising the Forest/Domain Functional Level or are there any unknown caveats or obstruction unknown to us? As far as I know we have to enable SMBv1 on our Windows clients in order to make them able to mount shares from this SaMBa server, but what about the domain controller which is used by our SaMBa as password server? Will it have to be tweaked in a similar way, or can we just raise the functional level without any regedit (or similar) tricks?
> >
> > Thank you in advance,
> > Tamás Németh
>
> Samba in the years that have passed has changed substantially, Taking the '3' series, there were 4 minor versions released before the major version '4' was released and there have been 17 minor versions of that branch to date. Putting it bluntly, Samba 4.17.4 is a lot different than 3.2.5, however it should work.
>
> It might help if we could see the smb.conf you are using at the moment, you might have to make changes, 'security = domain' for instance, this is meant for connecting to an NT4-style domain (PDC) and you now use 'security = ADS' to connect to an AD domain.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2023-Mar-10 13:04 UTC
[Samba] AD Functional Level vs very old SaMBa member server
On 10/03/2023 12:31, Tamás Németh via samba wrote:
> Thank you for your help. I'm further analyzing the problem: I'm trying to migrate to a brand new SaMBa server, but the deadlines are too tight, and it's possible I won't be able to finish in time. So, preparing for this worst case scenario:

So you have had over 10 years to upgrade and now everything has to be done in a rush, (though your idea of rush and mine appears to be different).

> What if I enable the 'domain logons' option on a fairly up-to-date SaMBa MEMBER server in this AD?

You cannot do this, 'domain logons' is an NT4-style thing and doesn't work with AD.

> Can this new SaMBa MEMBER server (despite not being a DC) serve as "proxy" server as the 'password server' for the ancient fileserver?

No, the administrators of truths in an AD domain are the Domain Controllers, that is where the passwords etc will come from.

> Do I have to rejoin the domain with the ancient SaMBa or is it enough to restart it? Anyway: Can a MEMBER server provide 'domain logons' service and act like a proxy between an ancient member and a kerberos based AD?

No, several times, No

I am beginning to think that everything in your network is ancient, next you will be telling me that you are still using XP.

Rowland
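Added example (not part of either post, and not Samba project code): a small Python check that reads an smb.conf and reports the NT4-style settings discussed in this thread ('security = domain', an explicit 'password server', 'domain logons'). The sample configurations, the EXAMPLE names and the function names are constructed for illustration.

```python
import re

TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # parameter names are case-insensitive and whitespace is ignored
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_member_conf(text):
    """Return (parameter, reason) pairs for NT4-style settings in [global]."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("security", "").lower() == "domain":
        findings.append(("security", "NT4-style membership; AD members use 'security = ADS'"))
    if g.get("passwordserver", "*") != "*":
        findings.append(("password server", "authentication pinned to " + g["passwordserver"]))
    if g.get("domainlogons", "no").lower() in TRUE_VALUES:
        findings.append(("domain logons", "NT4-style logon service; does not work with AD"))
    return findings

# Constructed samples; the first combines the settings discussed in the thread.
LEGACY_SAMPLE = """
[global]
   workgroup = EXAMPLE
   security = domain
   password server = ONE_OF_OUR_DCs
   Domain Logons = Yes
"""
ADS_SAMPLE = """
; constructed AD member configuration
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.TEST
   security = ADS
"""

if __name__ == "__main__":
    for name, reason in audit_member_conf(LEGACY_SAMPLE):
        print(f"{name}: {reason}")
```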