[Samba] Samba 3.0 and Active Directory Replication

John H Terpstra jht at samba.org
Sat Jul 12 17:09:58 GMT 2003 

On Sat, 12 Jul 2003, John Brown wrote:

> I have been following the development ot Samba 3.0 with great interest.
> There is something that still confuses me.
>
> Can Samba 3.0 join a Windows 2000 network as a domain controller and
> replicate Active Directory information with existing Windows 2000 domain
> controllers?

NO! I hope that is clear.

When you hear "Active Directory" you should immediately think, "Oh, that's
LDAP plus Kerberos - with Microsoft proprietary extensions of course."

When you hear "Domain Control" you should immediately think, "Oh, that
means a CIFS (common internet file system) server."

Samba is a CIFS server. Got that? It's a CIFS file and print server.

OpenLDAP and Kerberos are services that can substitute for Microsoft
Active Directory. Got that too? These bits handle the authentication
backend technology. Where it gets messy is that with the introduction of
Kerberos authentication Microsoft married this into the CIFS server
functionality.

Samba is NOT a Kerberos (KDC) server.

Samba is not an LDAP server.

Now to add to this, Samba-3.0.0 CAN work fine with an LDAP backend, and
also within an MIT Kerberos, or a Heimdal Kerberos, environment. These
provide 'alternatives' to Active Directory, but are not the same as Active
Driectory. For example, none of the Active Directory administration tools
that come with Windows XP Pro will work against the "Samba-3.0.0 +
OpenLDAP + Kerberos" combination.

Microsoft Windows 200x Active Directory CAN be used apart from the CIFS
server functionality. This allows native UNIX / Linux clients to use an
Active Directory server for Kerberos based authentication. It's very messy
- but it can be done.

The answer to your question is:

1. Samba-3.0.0 can natively join an Active Directory as a MEMBER server

2. Samba-3.0.0 can natively join an Active Directory as a MEMBER server
that does have domain control capability.

3. Samba-3.0.0 CAN NOT participate in Active Directory Replication AT ALL!

At this time the Samba-3.0.0 domain controller will function as a Windows
NT4 style domain controller.

Samba can use an LDAP authentication backend, this effectively substitutes
for the registry based User Accounts part of the NT4 SAM (security account
manager).


> If Samba 3.0 is the only domain controller on a network with Windows 2000/XP
> clients, will the clients see it as a domain controller running Active
> Directory?

If Samba-3.0.0 is configured as a domain controller with Windows 200x/XP
clients these clients can work fine as domain members. There are some
compromises that you must accept, none of these are serious issues. For
example


- John T.
-- 
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list