June 5, 2008

Debian Etch, Samba and Windows Server 2008 Domain Controllers

Filed under: Networking — pj @ 3:25 pm

Teztech is in the process of upgrading one of our customers from Microsoft Exchange Server 2003 to Exchange Server 2007. Exchange Server 2007 requires a Windows 2003 or newer domain controller. This client happens to still have a Windows Server 2000 PDC, so we first have to upgrade the PDC. We decided to go ahead and dive in and replace the PDC with a server running Windows Server 2008.

After promoting the 2008 server to a domain controller, I noticed that our file server running Debian Etch could no longer resolve Windows domain usernames and groups. This server runs winbind, so normally you can use the Windows domain usernames and groups as if they were usernames and groups from /etc/passwd and /etc/group. In the smb and winbind logs, I noticed a couple of recurring errors:

ads_krb5_mk_req: krb5_get_credentials failed for not_defined_in_RFC4178@please_ignore(Server not found in Kerberos database)
ads_connect for domain MYDOMAIN failed: Server not found in Kerberos database

One of the troubleshooting steps I read about was to install krb5-user and run kinit, klist and kdestory to see if basic Kerbose tickets worked. That is when I noticed that our server was trying to use the new 2008 PDC. From this, I suspected compatibility problems between Samba and Windows Server 2008. I saw quite a few mentions of Windows Server 2008 compatibility issues and fixes in the Samba mailing lists, so I wanted to try a more modern version of Samba.

The version of Samba I wanted was in the Debian unstable archive. Running a mixed stable/unstable system currently looks like a mess and was something I did not want to try on this customer’s file server. So, I decided to try backporting the unstable samba packages to stable. The backport turned out to be very easy: added my version number to the samba changelog, installed a new build dependency. Then, I rebuilt the .deb packages and installed the ones I needed.¬† Samba and Winbind are working again.

4 Responses to “Debian Etch, Samba and Windows Server 2008 Domain Controllers”

  1. Christoph says:

    Hi!

    Can I have the backported debs?

    Greetz

  2. pj says:

    Sure, I’ll email you a URL with the files you need.

  3. Christoph says:

    oh ups, I have forgot to write, I have a amd64 system… :/

  4. Christoph says:

    have build my own debs, although big thx for your help!

Leave a Reply

Powered by Teztech