[PATCH 0/2] Allow Windows XP SP 2 to join Samba 3.2 ADS

Andrew Bartlett abartlet at samba.org
Tue Jun 3 23:06:04 GMT 2008


On Wed, 2008-06-04 at 01:48 +0300, Sergey Yanovich wrote:
> After some experiments and with the help of Samba 4 code, I have finally made
> a Windows workstation join a Samba 3.2 ADS controller.

How did you make it think it was ADS?  In our early research, we found
ADS was either an 'on' or 'off' thing - particularly if you support the
new call on the LSA pipe, then you must start supporting a lot more.

> The job isn't nearly complete, and the workstation doesn't see the domain
> after reboot. But that's the next story. I used stock OpenLDAP and MIT
> Kerberos packages from Debian/unstable. The configuration was typical, the
> only addition was to use wrappers around smbldap-useradd/del to call kadmin
> to add/remove users, and usage of kadmin -k -q "cpw %u" as a passwd program.
> To make kadmin work, I've added host/fqdn@REALM.ORG to kadm.acl
> 
> I also tried Samba 4. It is good at managing Windows workstations in a simple
> SSO setup! And the python bindings are awesome. However, it is very difficult
> to manage linux services with it. Both ldap and kerberos system services are
> hidden behind an ADS-like interface, and even getting host/fqdn keytabs to make
> ssh work isn't a trivial task.
> 
> Since the patch will probably be reviewed by the person who knows the answer,
> a question:
> 
> How hard is it to use separate Kerberos and LDAP servers?

Difficult enough that I've spent the last 4 years working on Samba4.  We
know it's possible (see XAD for the proof by example), but the approach
currently taken was very deliberate.

> There are definite technical challenges for this, but the current design,
> IMHO, will hamper Samba 4 adoption. Samba 3 is a good linux citizen, it obeys
> the laws and leverages advances in other products. But Samba 4 enforces
> Windows rules. E.g., to allow ssh on a host, the host must join the domain.

I have no objection to allowing 'normal' Kerberos authentication to
Samba4.  It is a trivial extension to gensec_gssapi - indeed the main
challenge is just to decide how to map the resultant users, which is a
challenge Samba3 shares.

I commend you on your efforts, but the reason that this area was left at
a stub in Samba3 was that the full scope of the problem was realised.

As a Samba4 developer I would encourage you to help us make Samba4 work
better for your use cases (a python script to export host/fqdn keytabs
would be very easy to write) rather than to continue down this rat-hole.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
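The smbldap-useradd/del wrappers that Sergey describes above, written out as an added example (this is not code from the thread, from Samba or from smbldap-tools); the tool paths, the EXAMPLE.ORG realm, the kadm5.acl permission line and the user-name check are assumptions of this example.

```shell
#!/bin/sh
# Added example: keep the LDAP account created by smbldap-useradd and the
# MIT Kerberos principal in step by calling kadmin around it.
# Assumed setup (not stated on the page): kadmin -k authenticates with the
# host keytab as host/fqdn@REALM, and kadm5.acl grants that principal
# add/delete/changepw rights, e.g.
#   host/fqdn.example.org@EXAMPLE.ORG   adc
# smb.conf then uses:  passwd program = /usr/sbin/kadmin -k -q "cpw %u"
REALM="${REALM:-EXAMPLE.ORG}"
SMBLDAP_USERADD="${SMBLDAP_USERADD:-/usr/sbin/smbldap-useradd}"
SMBLDAP_USERDEL="${SMBLDAP_USERDEL:-/usr/sbin/smbldap-userdel}"
KADMIN="${KADMIN:-/usr/sbin/kadmin}"

# Only plain principal names are accepted: the name is spliced into a
# kadmin query string, so shell or kadmin metacharacters are rejected.
valid_user() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# add_user NAME: create the LDAP account (-a: Samba attributes, -m: home
# directory), then a principal with a random key; Samba sets the real
# password afterwards through the 'cpw %u' passwd program.
add_user() {
    valid_user "$1" || { echo "add_user: bad user name" >&2; return 2; }
    "$SMBLDAP_USERADD" -a -m "$1" || return $?
    "$KADMIN" -k -q "addprinc -randkey $1@$REALM"
}

# del_user NAME: remove the principal first so a failed LDAP delete never
# leaves a credential behind for an account that is gone.
del_user() {
    valid_user "$1" || { echo "del_user: bad user name" >&2; return 2; }
    "$KADMIN" -k -q "delprinc -force $1@$REALM" || return $?
    "$SMBLDAP_USERDEL" "$1"
}
```

Install the two functions behind the `add user script` and `delete user script` names Samba calls, or run them from an smbldap-useradd wrapper as in the original setup.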