Machines with Samba acting as Domain Controllers.

Guest

I'm helping to migrate an NT 4.0 domain into my existing W2K AD domain OU.

The NT domain has one or more Unix boxes running Samba to provide file
sharing capabilities for that domain.

I know very little about Samba, but I have read that it can be set to
emulate (at least NT 4.0 and maybe W2K) Domain Controllers.

What kind of damage can these Samba users do to the DCs in my W2Ksp4 AD
Forest/Domain?

Can they cause a Denial of Service if incorrectly set to emulate DCs in the
domain?

Is there anything special I need to do to my AD to protect it from them?
Is there anything I need to make sure the Samba users don't do that could
cause a problem?

None of the Samba users will have Administrative rights in my Forest or
Domain at this point, however, they may have the ability to create/remove
users in their OU at some point.

In the past, I've had users 'attempt' to configure Samba against my native
Microsoft domains in the past and they appear to 'pound' the DCs if
mis-configured (apparently attempting to authenticate?, even if not part of
the domain?). This has always gone away if I ask if they are using Samba and
they say yes and ask them to stop. I don't know what they did in these
cases, either turned it off, or configured it correctly?

Sorry this is so rambling, but I'm not sure what to ask as I don't run/use
the Samba product, so I don't really know how it works against standard
MS-DCs.
 
Chriss3 [MVP]

Samba can't emulate Domain Controllers in an Active Directory Domain
environment.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Herb Martin

I believe that Samba machines can however interfere
with the Domain Master Browser.

Someone told me this is perhaps a default -- which is
terrible programming if true. A feature, fine, but making
it the default without explicit steps by the admin would
be just stupid.
 
Enkidu

> I'm helping to migrate an NT 4.0 domain into my existing W2K AD domain OU.
>
> The NT domain has one or more Unix boxes running Samba to provide file
> sharing capabilities for that domain.
>
> I know very little about Samba, but I have read that it can be set to
> emulate (at least NT 4.0 and maybe W2K) Domain Controllers.
>
> What kind of damage can these Samba users do to the DCs in my W2Ksp4 AD
> Forest/Domain?

If they are not already acting as PDC or BDC, I would not make them
into such. They would be one more thing to manage through the change.
Samba machines can act as PDC or BDC in an NT4 Domain, but they cannot
(I believe) run as a Domain Controller in an AD Domain. They could
possibly act as BDCs in a mixed mode AD Domain, but I would not want
that complication myself.

Samba boxes can operate in an AD Domain as member servers. Why not
leave them as such?

> Can they cause a Denial of Service if incorrectly set to emulate DCs in the
> domain?

I can't see how.

> Is there anything special I need to do to my AD to protect it from them?
> Is there anything I need to make sure the Samba users don't do that could
> cause a problem?
>
> None of the Samba users will have Administrative rights in my Forest or
> Domain at this point, however, they may have the ability to create/remove
> users in their OU at some point.
>
> In the past, I've had users 'attempt' to configure Samba against my native
> Microsoft domains in the past and they appear to 'pound' the DCs if
> mis-configured (apparently attempting to authenticate?, even if not part of
> the domain?). This has always gone away if I ask if they are using Samba and
> they say yes and ask them to stop. I don't know what they did in these
> cases, either turned it off, or configured it correctly?

Without knowing exactly how they were misconfigured, it's hard to know
why this happened. It's possible for a Samba server to try to become
Master Browser, but that would not exactly "pound" the DCs. A Samba
server would not try to authenticate if configured to not join the
Domain (ie be in a workgroup configuration), but again, without more
knowledge of what was wrong it's difficult to guess what happened.

> Sorry this is so rambling, but I'm not sure what to ask as I don't run/use
> the Samba product, so I don't really know how it works against standard
> MS-DCs.

I would not use the Samba servers as BDCs. You would still need a
Windows DC for the Domain anyway, since the Samba servers cannot act
as AD DCs (yet).

Cheers,

Cliff
 
Bill

"Herb Martin" wrote in message
> I believe that Samba machines can however interfere
> with the Domain Master Browser.
> Someone told me this is perhaps a default -- which is
> terrible programming if true. A feature, fine, but making
> it the default without explicit steps by the admin would
> be just stupid.

----------------------------------------

First, Thanks to everyone who replied to my post.

I understand in general about Domain Master Browsers, but...

- Since the AD clients (W2K Pro, W2K server, XP) are theoretically using
dynamic DNS.
- And all desktops, member servers and DC are also part of the same WINS
environment.
- And since this is a routed network, but note, the DCs sit in a different
network than the MS desktop clients and member servers which belong to the
specific OU which will also contain Samba servers in question. Or to put it
another way all these specific OU machines MS and non-MS are in the same but
different network from the DCs for the Forest/Domain.

How might Samba servers acting as (or trying to act as) Domain Master
Browsers cause problems here?

Again, thanks in advance for all your comments, sorry for the delay in this
reply, but it took me a day to think about your answers, to have a relevant
question. - bill
 
Herb Martin

> I understand in general about Domain Master Browsers, but...
> - Since the AD clients (W2K Pro, W2K server, XP) are theoretically using
> dynamic DNS.

WINS still plays a role in most (practically all) Microsoft
domains/networks.

> - And all desktops, member servers and DC are also part of the same WINS
> environment.

Good, but broadcasts may still occur and the browser election itself is
broadcast based.

> - And since this is a routed network, but note, the DCs sit in a different

Where the Domain Master Browser is critical for full browsing
to work (also critical in multiple domain environments).

> network than the MS desktop clients and member servers which belong to the
> specific OU which will also contain Samba servers in question.

OUs are irrelevant to browsing and most network operations.

It is doubtful the Samba machines (OS) is in an OU.

> Or to put it
> another way all these specific OU machines MS and non-MS are in the same but
> different network from the DCs for the Forest/Domain.

And the role of the Domain Master Browser is to interchange browse
lists with the Master Browsers (same domain) of the other (sub)networks.

> How might Samba servers acting as (or trying to act as) Domain Master
> Browsers cause problems here?

Because the actual PDC (or emulator) is also doing this.
Two DMBs are a bad thing. (Neither will be fully in
charge.)
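
An added example (not part of any poster's message, and not Samba project code): a small Python check of an smb.conf `[global]` section for the settings behind the two concerns raised in the thread, a Samba host serving domain logons and a second Domain Master Browser competing with the PDC emulator. The defaults table and the DC election weight of 32 are assumptions to verify against the deployed Samba version, and the two sample configurations are constructed.

```python
import re

# Values in effect when a parameter is absent. Assumed from smb.conf(5) for
# Samba 3.x and later; check the man page of the version actually deployed.
DEFAULTS = {"domainlogons": "no", "domainmaster": "auto",
            "preferredmaster": "auto", "oslevel": "20"}
TRUE = {"yes", "true", "1"}
DC_OS_LEVEL = 32  # assumed election weight of a Windows NT/2000 DC

def parse_global(text):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params

def audit(text):
    """List (parameter, reason) pairs for settings that contest DC roles."""
    p = {**DEFAULTS, **parse_global(text)}
    logons = p["domainlogons"] in TRUE
    findings = []
    if logons:
        findings.append(("domain logons", "serves NT4-style domain logons"))
    if p["domainmaster"] in TRUE or (p["domainmaster"] == "auto" and logons):
        findings.append(("domain master", "claims the Domain Master Browser role"))
    if p["preferredmaster"] in TRUE:
        findings.append(("preferred master", "forces a browser election at startup"))
    if int(p["oslevel"]) >= DC_OS_LEVEL:
        findings.append(("os level", "can outrank a Windows DC in an election"))
    return findings

# Constructed sample configurations, not taken from the thread.
RISKY = """[global]
domain logons = yes
Preferred Master = yes
os level = 65
"""
MEMBER = """[global]
domain master = no
preferred master = no
os level = 0
"""
print([name for name, _ in audit(RISKY)], audit(MEMBER))
```

Run it against the `[global]` section of each Samba host before the migration; an empty list means the host is not configured to take logons or the Domain Master Browser role away from the Windows DCs.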
 
