Samba/Samba-TNG and LDAP/PDC State?

Tarjei Huse tarjei at nu.no
Fri Nov 30 01:09:08 GMT 2001


> Are you using Win2K in "native mode" or the NT4-compatible "mixed
> mode"?
Isn't W2K native mode Kerberos? If so, none of the Sambas can do it (native 
mode) today (AFAIK), but there's an effort to develop one going on. 

> Can Samba serve as a PDC in a Win2K "native mode" domain?
Not yet. 
 
> I'm trying to integrate Win2K into our LDAP/UNIX network.  I'm hoping 
> that Samba can be used as a sort of "gateway" or "bridge" by using 
> LDAP as its back-end while supplying authentication services to the 
> Win2K domain.
Remember that you'll need to store the NT/LM passwords in the LDAP entry. 
Other than that, Samba will do the job :)

Tarjei
> 
> --Kervin
> 
> 
> Doug Douglass wrote:
> 
>> Michael,
>> 
>> I'll take a first stab at answering some of your questions.
>> 
>> As a frame of reference, we maintain all unix user/group, and samba
>> domain info in OpenLDAP 2.x on RH 7.1, using Samba 2.2.1a + LDAP
>> support as PDC. All Windows clients are domain members and are some
>> version of 2000 (SP2, Server). Plus we have a couple samba domain
>> members. All authentication is done against LDAP. We are a small
>> network.
>> 
>> 
>>>   - PDC functionality
>>>
>> 
>> Samba works great. Samba-TNG works, but I believe the intent with TNG
>> was to prove the technology not produce a production system.
>> 
>> 
>>>   - Replication of SAM database/SID from PDC to BDC
>>>
>> 
>> Based on comments from this list, Samba does not properly act as a
>> BDC.
>> 
>> 
>>>   - login script support/replication
>>>
>> 
>> Samba and TNG should both work fine.
>> 
>> 
>>>   - Supports trust relationships between domains (NT or samba)
>>>
>> 
>> Based on comments from this list, Samba does support domain trusts.
>> 
>> 
>>>   - Supports global and local groups
>>>
>> 
>> Samba supports two domain groups: Domain Admins, and Domain Users.
>> From having read the TNG docs over time, I believe it supports the
>> full set of domain groups.
>> 
>> 
>>>   - Ability to add and remove machine from the domain
>>>
>> 
>> Samba and TNG both do this (they must, for PDC support).
>> 
>> 
>>>   - Store SAM database/SID in LDAP?
>>>
>> 
>> Samba 2.2.2 has broken LDAP support. We use Samba 2.2.1a from
>> http://sking.mesd.k12.or.us/ at our site with good results. Note that
>> this implementation only looks to LDAP for sambaAccount objects.
>> 
>> TNG provides broader LDAP support for domain accounts, domain groups
>> (more?)
>> 
>> 
>>>   - Wins server capability
>>>
>> 
>> Samba works well. Don't know about TNG.
>> 
>> 
>>>   - Able to to support roaming profiles
>>>
>> 
>> Samba works well. Don't know about TNG.
>> 
>> 
>>>   - Will allow all available versions of Windows to join/access the
>>>     domain.
>>>
>> 
>> Read the list. It seems many people have many problems with adding
>> machines with various Windows OS to a Samba domain. I have not had any
>> difficulty with 2K, so I leave it to yourself and others to judge.
>> 
>> 
>>> What is my best choice: Samba or Samba-TNG?
>>>
>>>
>> 
>> One alternative I have heard suggested is combining the two,
>> leveraging the strengths of each: TNG for PDC (account and group
>> management, authentication) and Samba for file/print sharing.
>> 
>> HTH,
>> Doug
>> 
>> 
>> 
>> 


____________________
Tarjei Huse
920 63 413





