[Gllug] Samba 2 co-existance with AD

Mike Brodbelt m.brodbelt at acu.ac.uk
Wed Jun 29 22:53:58 UTC 2005


Anthony Newman wrote:
> Ken Smith wrote:
> 
>>Hi - I hope you can help with a question about Samba 2. I'm supporting a
>>config where there is an old Samba 2 (RH 7) system which has been running
>>fine for years. Recently the original NT4 DC has been migrated to a W2K3
>>machine and the NT4 box retired.
>>
>>Now there are problems with XP SP2 machines unable to map shares. The shares
>>were mapped by IP address so nmb/wins issues shouldn’t be a problem. 
>>
>>I recall there being some changes to the password authentication
>>methods/algorithms from NT4 to AD and I think port 445 began to be used
>>rather than 13*. 
> 
> 
> It's since Win2k(NT5.0) IIRC that port 445 was used for various things.

Port 445 is just SMB over TCP, as opposed to SMB encapsulated in NetBIOS.

>>So the basic question - can an XP SP2 machine, which is otherwise part of an
>>AD domain, map a share from a machine that would look as if it were share an
>>NT4 machine that is not in the AD domain?

Yes, I believe so. There are some caveats though.

> Password authentication on NT4/Win98 machines was via LANMAN hash I 
> believe, which was "weak". Later schemes use challenge/response 
> authentication and stronger encryption. "encrypted passwords = yes" 

NT4 moved to requiring "encrypted passwords=yes" with service pack 3, IIRC.

> should feature in your smb.conf for later machines to be able to connect 
> to your Samba server, although it seems odd as you'd expect an XP 
> machine to be able to revert to enable it to share from, say, a Win98 
> machine.

XP SP2 may require registry changes to connect. Google for "sign or seal
secure channel" and you should find some potentially useful information.
I've had XP SP2 connecting to Samba 2.2.8 in an NT4 PDC environment
(though smbd segfaults with printing in some versions, see samba bug
1147). Samba 3 does not require you to make changes to the client
registry, as it supports the secure channel.

> There's no reason a domain-attached machine shouldn't be able to connect 
> to a legacy machine (the other way around is the problem), although 
> presumably there's some security policy that allows you to forbid it 
> somehow or other.

For an AD domain you may need to upgrade to Samba 3.0. You then join the
domain from the Samba box using "net rpc join" (not "net ads join"), and
thereafter should have no problems connecting to Samba shares from SP2.

HTH,

Mike.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
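An added smb.conf fragment illustrating the Samba 3 domain-member setup Mike describes (upgrade to 3.0, join with "net rpc join"); this is example configuration written for this page, not Ken's, Anthony's or Mike's own config and not taken from the Samba project's documentation. The domain name EXAMPLE, the host name SAMBAHOST and the share path are assumed placeholders. Note that the actual smb.conf parameter is spelled "encrypt passwords" (it defaults to yes in Samba 3, but is set explicitly here so the requirement from the thread is visible).

```ini
# Assumed example smb.conf for a Samba 3.0 server that is a member of an
# AD domain joined the NT4-style way ("net rpc join"), as discussed above.
[global]
    # Placeholder NetBIOS domain name of the AD domain (assumption)
    workgroup = EXAMPLE
    # Placeholder NetBIOS name for this Samba host (assumption)
    netbios name = SAMBAHOST

    # Authenticate users against the domain controllers rather than a
    # local password file; this is what makes the host a domain member
    security = domain
    # Let Samba locate the domain controllers itself instead of
    # hard-coding one (the NT4 PDC from the thread no longer exists)
    password server = *

    # Required for NT4 SP3+, 2000 and XP clients; explicit here although
    # it is already the default in Samba 3
    encrypt passwords = yes

    # Keep a plain-text WINS/NetBIOS setup out of the picture: clients in
    # the thread map shares by IP, so nothing here depends on name lookup
    wins support = no

# Example share (placeholder path); domain users authenticated through the
# DC are mapped to local Unix accounts of the same name
[shared]
    path = /srv/samba/shared
    read only = no
    valid users = @"EXAMPLE\Domain Users"
```

After editing the file, run `testparm` to syntax-check it, then join the domain with `net rpc join -U Administrator` (an account allowed to add machine accounts), restart smbd, and confirm with `net rpc testjoin`. Because the join is RPC-based, no Kerberos or `net ads join` configuration is needed, and the XP SP2 clients keep their default secure-channel settings instead of the registry changes Mike mentions for Samba 2.2.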