Samba as BDC in windows domain?

Steve Langasek vorlon at netexpress.net
Tue Jun 11 09:51:05 GMT 2002 

On Tue, Jun 11, 2002 at 05:05:35PM +0100, David Lee wrote:
> On Tue, 11 Jun 2002, Paul Reilly wrote:

> > I've been reading about setting up Samba as a PDC with LDAP storage.
> > However if I am to do this it needs to co-exist with the exisitng windows
> > NT domain using windows NT PDC's. Everything I've read so far says you
> > can't have a Samba BDC unless it's in a Samba PDC controlled domain. Is this
> > correct? Is there *any_possible_way* of having a Samba BDC get SAM updates
> > from a windows NT PDC ?

> > If not, is there any other way to sync an OpenLDAP server against a NT PDC ?

> Might be possible, but first the disclaimer...

> Disclaimer:  I have absolutely zero knowledge of PDC/BDC/NT internals.
> Zero, zilch, rein, nothing, nil, nowt, ...

> At our site, we have just started dabbling with a thing called "Microsoft
> Services for UNIX" (hereinafter called "SFU") that our PC folk obtained.

> Until now, our service has been basically UNIX.  Although most of the
> user-visible front-end (i.e. desktop machines) is a variant of W2K, the
> "real work" has hitherto been UNIX: the identifier and password the user
> gives is actually a UNIX pair, used to authenticate their Samba drive from
> UNIX.  (Behind the scenes on W2K, there was simply a blanket guest-type
> login just before this.)

> Now...  we are contemplating a migration to Active Directory ("AD") of
> these accounts: some 20,000 or them.  (Gives me, as a UNIX person, the
> shudders, but that's another story...!)  One reason is so that the id/pw
> pair can be a real Windows authentication, so they can do real Windozy
> things.  We are very keen to preserve the "single authentication" model.

> Our plan is to set up accounts for all users in AD.  We would then use
> UNIX password-aging mechanisms to "persuade" all users to change their
> password "at leisure, in their own time".  But behind the scenes we would
> be using the UNIX PAM module from Microsoft's SFU to copy (synchronise)
> these password changes out from UNIX into AD.  (We'll also be using SFU's
> corresponding "ssod" daemon for a small number of real-AD folk who might
> want to maintain synchronisation from AD towards UNIX.)

FWIW, what I'm hearing from the Kerberos world is that it's possible to
store all of your actual accounts in a traditional Unix KDC, creating a
trust relationship with your AD server, and still get most of the
"Windozy" things out of the mix.  There's also a PAM module called
pam_krb5_migrate that can help with this as well, though I've never
tested it in a Solaris environment.  It does at least require an
MIT-like KDC (Solaris probably qualifies) with matching client libraries
(kadm5clnt).

Synchronizing passwords via PAM has always been hairy.  Migrating to a
single unified backend such as Kerberos and using that for /all/
systems, Windows and Unix, is a much more promising long-term solution.

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20020611/ba7be246/attachment.bin

More information about the samba-technical mailing list