[PATCH 0/2] Allow Windows XP SP 2 to join Samba 3.2 ADS

[Jeremy Allison]

On Wed, Jun 04, 2008 at 01:48:03AM +0300, Sergey Yanovich wrote:
> After some experiments and with the help of Samba 4 code, I have finally made
> a Windows workstation join Samba 3.2 ADS controller.
> 
> The job isn't nearly complete, and the workstation doesn't see the domain
> after reboot. But that's the next story. I used stock OpenLDAP and MIT
> Kerberos packages from Debian/unstable. The configuration was typical, the
> only addition was to use wrappers around smbldap-useradd/del to call kadmin
> to add/remove users, and usage of kadmin -k -q "cpw %u" as a passwd program.
> To make make kadmin work, I've added host/fqdn at REALM.ORG to kadm.acl
> 
> I also tried Samba 4. It is good at managing Windows worstations in simple
> SSO setup! And python bindings are awesome. However, it is very difficult
> to manage linux services with it. Both ldap and kerberos system services are
> hidden behind ADS-like interface, and even getting host/fqdn keytabs to make
> ssh work isn't a trivial task.
> 
> Since the patch will probably be reviewed by the person, who knows the answer,
> a question:
> 
> How hard is it to use separate Kerberos and LDAP servers?
> 
> There are definite technical challenges for this, but the current design,
> IMHO, will hamper Samba 4 adoption. Samba 3 is a good linux citizen, it obeys
> the laws and leverages advances in other products. But Samba 4 enforces
> Windows rules. F.e., to allow ssh on a host, the host must join domain.

Oooooohhhh ! Oooooohhhhh !!!!!

I'm excited :-). Please send in all these patches asap !!!!

Thanks a *LOT* for this work.

Jeremy.