Looking for a mentor/adviser

Sean Parsons sean at theparsonsfamily.com
Sat Jan 30 17:49:00 MST 2010


Craig,
	I don't doubt that people do it. I made several honest attempts to
research, understand and implement a Samba file server in an existing Small
Business Server 2003 network using LDAP and Kerberos. I was not able to make
it work, so I changed my plan and I asked if someone was willing to mentor
me through another try. Since I didn't need multiple opinions, just to
discover what I did wrong/what works, I wanted to avoid a large forum,
and I'm sorry if that seems to keep upsetting people.

Here's what happened:

	The how-tos were really vague about adding Samba to anything but the
simplest Windows network (NT4); then most examples assumed I was building a
standalone server with the same functionality, not adding one. Based on my
research it looked like the process was straightforward, so I built an
Ubuntu server (LAMPS) and set out to join it to my domain.

	I knew I needed LDAP and Kerberos, so I tried to set those up with
Webmin; they attempted to alter my existing domain controller and things
went horribly wrong. I recovered my DC from backup and tried it a second
time using the CLI, but I was not able to find where settings were stored,
and again I tried to use the example files from Samba.org as a model; not
knowing what is needed or not may have contributed to a second failure.
Again I recovered my server from backup and changed tactics.

	I then tried to join a Linux workstation to the domain with
Likewise, and it worked, sort of. Small Business Server isn't just Windows
Server 2003 with a new name. It adds Exchange and SQL and has other scripted
functionality embedded into AD, which is why you have to use its wizards for
everything. After joining I started to have problems, as AD was not properly
formatted when the workstation was joined. SBS uses the AD tables for more
than just domain membership; we have Exchange, etc. that rely on it. So yes,
it probably can be done, but it is not simple, nor is it intuitive; it is
specific to the type of environment. My AD environment isn't broken; it
required specific settings that couldn't be anticipated from the how-tos and
guides I found on Samba.org.

	I asked in IRC #Samba, #ubuntu-server, #Ubuntu-us-az, and #plugaz
several times for help to understand where I went wrong and nobody answered,
or if they did, I was told "Oh, that is really tricky and I never did
it"... Samba's documentation admits issues with non-NT4 AD implementations
and promises to fix them in V4, but I wanted to talk to someone who had done
it and nobody answered.

Sean Parsons

-----Original Message-----
From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Craig
White
Sent: Saturday, January 30, 2010 9:27 AM
To: Main PLUG discussion list
Subject: Re: Looking for a mentor/adviser

On Fri, 2010-01-29 at 09:31 -0600, sean at theparsonsfamily.com wrote:
> Craig,
>  It has never been my intention to deprive anyone of anything, but this
> forum is not appropriate for a project like this as I can't seem to build
> the network on my own, as my failed attempts have shown.
> 
> Your comment about AD is what I thought and have been proven wrong
> numerous times with catastrophic results. Samba in its current
> configuration doesn't work with Kerberos and LDAP except for NT4 and I'm
> running Server 2003, so it broke the Domain Controllers when Linux
> attempted to join the domain. I have been through the Samba forums and
> documentation and it's not as simple as it is made to look in an existing
> network.
----
I will only address one aspect of this... joining a Linux system to AD.

It is done day in and day out by large and small corporations everywhere
and cannot and does not 'break' domain controllers simply by joining an
AD domain/forest.

The process of joining a Linux system to AD is essentially the same as
joining a Windows system to AD and if it broke, the AD was already
broken and you just realized the evidence of the breakage. The process
of joining a Linux system to AD involves 2 steps... getting a Kerberos
ticket (validation) and then joining. It's benign in concept and
operation. I didn't say that it was entirely simple but it's not overly
complicated either.

Craig

PS - I am a samba team member
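As an added illustration of the two-step join Craig describes (get a Kerberos ticket, then join), and not part of either message in this thread, here is a small POSIX shell script for a Samba *member* server. It renders a minimal `smb.conf` with `security = ads`, checks the realm spelling that most often makes `kinit` fail, and wraps the `kinit` / `net ads join -k` / `net ads testjoin` sequence. The realm `EXAMPLE.LOCAL`, workgroup `EXAMPLE` and the join-account name are constructed placeholders; nothing here touches a domain controller beyond creating the server's own computer account at join time.

```shell
#!/bin/sh
# Added example: Linux -> AD join as a domain *member* (not a DC).
# Placeholders (constructed, not from the thread): EXAMPLE.LOCAL / EXAMPLE.

# Render a minimal smb.conf for an AD member server.
# security = ads joins the existing domain; the directory itself is not
# restructured, only a computer account for this host is created.
render_smb_conf() {
  realm="$1"
  workgroup="$2"
  cat <<EOF
[global]
    security = ads
    realm = $realm
    workgroup = $workgroup
    kerberos method = secrets and keytab
    log level = 1
EOF
}

# Kerberos realm names are case-sensitive and by convention upper-case.
# A lower-case or dot-less realm is the most common reason the first
# step (getting a ticket) fails. Returns 0 when the realm looks right.
check_realm() {
  realm="$1"
  upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
  [ "$realm" = "$upper" ] || return 1
  case "$realm" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Step 1 (validation): obtain a ticket for an account allowed to join
# machines. This only talks to the KDC; it changes nothing in AD.
# Kerberos also rejects requests when the clock is more than 5 minutes
# off the DC, so keep NTP in sync before running this.
get_ticket() {
  user="$1"
  realm="$2"
  kinit "$user@$realm"
}

# Step 2 (join): use the ticket (-k) to create the computer account, then
# confirm the membership with testjoin. Run from the host's smb.conf.
join_domain() {
  net ads join -k && net ads testjoin
}

# Typical use (not executed on load so the file can be sourced):
#   check_realm EXAMPLE.LOCAL || exit 1
#   render_smb_conf EXAMPLE.LOCAL EXAMPLE > /etc/samba/smb.conf
#   get_ticket joinadmin EXAMPLE.LOCAL && join_domain
```

The script is deliberately split so that the only functions that need the domain (`get_ticket`, `join_domain`) run last; a bad realm or a clock that is out of sync is caught before anything is sent to the DC, which is where the "tried it and it broke" experiences usually begin.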

