[PATCH 0/2] Allow Windows XP SP 2 to join Samba 3.2 ADS
Sergey Yanovich
ynvich at gmail.com
Tue Jun 3 22:48:03 GMT 2008
After some experiments and with the help of Samba 4 code, I have finally made
a Windows workstation join Samba 3.2 ADS controller.
The job isn't nearly complete, and the workstation doesn't see the domain
after reboot. But that's the next story. I used stock OpenLDAP and MIT
Kerberos packages from Debian/unstable. The configuration was typical, the
only addition was to use wrappers around smbldap-useradd/del to call kadmin
to add/remove users, and usage of kadmin -k -q "cpw %u" as a passwd program.
To make make kadmin work, I've added host/fqdn at REALM.ORG to kadm.acl
I also tried Samba 4. It is good at managing Windows worstations in simple
SSO setup! And python bindings are awesome. However, it is very difficult
to manage linux services with it. Both ldap and kerberos system services are
hidden behind ADS-like interface, and even getting host/fqdn keytabs to make
ssh work isn't a trivial task.
Since the patch will probably be reviewed by the person, who knows the answer,
a question:
How hard is it to use separate Kerberos and LDAP servers?
There are definite technical challenges for this, but the current design,
IMHO, will hamper Samba 4 adoption. Samba 3 is a good linux citizen, it obeys
the laws and leverages advances in other products. But Samba 4 enforces
Windows rules. F.e., to allow ssh on a host, the host must join domain.
Sergey Yanovich (2):
nmbd: fix netlogon in ads mode
rpc: allow trailing dollar sign in user names
source/nmbd/nmbd_processlogon.c | 46 ++++++++++++++++++++++-----------------
source/rpc_server/srv_samr_nt.c | 6 ++--
source/smbd/chgpasswd.c | 6 +++-
3 files changed, 33 insertions(+), 25 deletions(-)
More information about the samba-technical
mailing list