samba - Dec 2023 - Is a mixed MS/Samba DC environment doable?

Hi
I'd like to learn more on the pros and cons of a mixed domain that consists
of both MS and Samba domain controllers and member servers.

What I have learnt so far is this;

I created a new lab domain with an MS DC 2019. I then added a Samba 4.19-3
file server as a domain member w/o any issues.

The clients are 2 Win 10 VM's for tests of shares, GPO's and related
technologies. Still no issues that wasn't self-inflicted. File sharing with
Samba and setting up permissions and group memberships worked as expected.
I created GPO's for home directory, roaming profiles and folder redirection
and verified these.

Yesterday I fired up a Debian 12 and joined this as a DC. First attempt
failed due to schema incompatibility (known issue). I downgraded the MS
schema to 2008R2 and after that the join was successful.
>From what I can see, replication also works as it should. I then tested to
transfer roles back and forth between Samba and MS, and that worked also
fine.

Some iissues noted so far.

1. Existing GPO's on the MS server side are not replicated to the Samba DC.
At least there are no files/directories under
/var/lib/samba/sysvol/<domain>/ visible. I guess this is caused by the
lack
of DFS/RPC on the Samba side.

The event viewer on both client VM's shows the same error messages,
probably caused by the lack of DFS, event 1058. My guess is that they are
attempting to read the GPO's from the Samba AD after that this DC was
added. Originally they got the GPO's from the MS. I will read up more on
GPO''s and Samba to better understand the interoperatility.

2. I shutdown the MS AD vm and tried a logon onto one of the W10 clients. I
expected that the Samba DC would handle the logon, but that didn't work.
The logon process just hung there until I fired up the MS DC again. Could
not find anything in the client except the GPO messages mentioned above.

To conclude this rant, is a mixed environment really doable, or would it
just create a lot of issues as times go by? Any advice is welcome!

Learning is Living!

-- 
------ -------------------- 8 ------------------ ------
"A *wise* man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"

Anders ?stling
+46 768 716 165 (Mobil)

On Wed, 2023-12-06 at 11:34 +0100, Anders ?stling via samba
wrote:
> Hi
> I'd like to learn more on the pros and cons of a mixed domain that
> consists
> of both MS and Samba domain controllers and member servers.
This is a situation that is meant to work, but is not actively tested
(all our tests are pure Samba), but seems to work for some folks.  

However given the way Windows CAL licensing works, it is not often
deployed as you get the costs of Windows and the complexity of a mixed
domain.
> What I have learnt so far is this;
> 
> I created a new lab domain with an MS DC 2019. I then added a Samba
> 4.19-3
> file server as a domain member w/o any issues.
> 
> The clients are 2 Win 10 VM's for tests of shares, GPO's and
related
> technologies. Still no issues that wasn't self-inflicted. File
> sharing with
> Samba and setting up permissions and group memberships worked as
> expected.
> I created GPO's for home directory, roaming profiles and folder
> redirection
> and verified these.
> 
> Yesterday I fired up a Debian 12 and joined this as a DC. First
> attempt
> failed due to schema incompatibility (known issue). I downgraded the
> MS
> schema to 2008R2 and after that the join was successful.
I presume you mean the functional level.  With the correct options, it
should work.  See the release notes. 
> From what I can see, replication also works as it should. I then
> tested to
> transfer roles back and forth between Samba and MS, and that worked
> also
> fine.
> 
> Some iissues noted so far.
> 
> 1. Existing GPO's on the MS server side are not replicated to the
> Samba DC.
> At least there are no files/directories under
> /var/lib/samba/sysvol/<domain>/ visible. I guess this is caused by
> the lack
> of DFS/RPC on the Samba side.
Correct.
> The event viewer on both client VM's shows the same error messages,
> probably caused by the lack of DFS, event 1058. My guess is that they
> are
> attempting to read the GPO's from the Samba AD after that this DC was
> added. Originally they got the GPO's from the MS. I will read up more
> on
> GPO''s and Samba to better understand the interoperatility.
> 
> 2. I shutdown the MS AD vm and tried a logon onto one of the W10
> clients. I
> expected that the Samba DC would handle the logon, but that didn't
> work.
> The logon process just hung there until I fired up the MS DC again.
> Could
> not find anything in the client except the GPO messages mentioned
> above.
It should work, perhaps look into DNS?
> To conclude this rant, is a mixed environment really doable, or would
> it
> just create a lot of issues as times go by? Any advice is welcome!
It all comes down to why you are doing it.  Some folks ran such a setup
to work around bugs in our DRS code for Azure AD connect, but I fixed
those recently.

If there was a specific application I was using, that needed a
operational (generated) attribute we didn't have working, that would be
another good reason, and it helps give a reference so we know that we
could fix such a thing. 

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions