empty accounts on a dc

David Bear David.Bear at asu.edu
Mon May 12 23:33:42 GMT 2003

I'm still trying to plug into an existing authentication
infrastructure with samba.  It consists of two discrete systems,
kerberos, and Active Directory.  

My first choice would be to have my samba service pass authentication
requests to kerberos.  Something like
security = domain
password server = kerberos server

But, I don't think that's possible.  If anyone has done this, where all
the windows 2000 clients can use samba servers where samba passes
authentication requests to kerberos, I'd really like to hear/see it.

Next choice would be to have an 'empty' samba domain controller, i.e. a
samba server that trusted an NT domain controller -- so all
authentication requests could be passed on to the server.  I don't want
to manage passwords.  (The reason I call this empty is that it would
only authenticate... there would be NO SHARES.)
If I could hook into the existing systems that
already do password management that would be great.  It's what I'm
doing now using
security = server
password server = domaincontroller

However, this is starting to cause problems with "password server not
connected" errors.  (I posted this last week and the response was to
go with a samba controlled domain.)

The third choice would be to have a win2k domain controller that was
part of active directory.  This box would 'trust' the active directory
tree.  I assume I would create an OU to join the dc to the AD tree
with.  Then, I guess my samba servers would be joined to that domain
by creating a machine trust account.  So the configuration would still
be security = domain, password server = mydc -- and mydc would be a
win2k domain controller.

Any other possible scenarios I'm missing?  The goal as stated above
is to plug into an existing password management system that I don't

David Bear
phone: 	480-965-8257
fax: 	480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
 "Beware the IP portfolio, it will make criminals out of innovators"
