On Sat, 2012-12-15 at 12:31 +0100, Romain wrote:
> Hello list,
> 
> Sorry to top again but do we need Kerberos on Samba server to make this
> work?

For the best chance of success, I would first upgrade to Samba 4.0.
Samba 3.4 is old, well out of security support and long out of support
from the Samba team from a technical perspective, given the complexity
of the issues you raise. 

When you upgrade to Samba 4.0, ensure that Samba is built with Kerberos
support, so that the ADS mode can be used by winbindd.  

The other issue you may hit is just that the NT4 protocols we implement
on the server-side as a classic domain are quite old now, and so Windows
2008R2 might simply not wish to talk to a classic Samba domain over an
interdomain trust. 

This has worked in the past, which is why the tools are in place, but as
to what works currently, I can only suggest you maximise your chances by
running the very latest code, and compiling with features such as
Kerberos.

Samba as an AD domain (which Samba 4.0 provides the first release of)
would work better, but Samba 4.0's AD DC doesn't support trusting
interdomain trusts at all yet (sorry).  This means you shouldn't upgrade
into the AD server mode quite yet.  It can be trusted by another forest
however.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


