[PATCH 0/2] Allow Windows XP SP 2 to join Samba 3.2 ADS
Sergey Yanovich
ynvich at gmail.com
Tue Jun 3 23:34:31 GMT 2008
Andrew Bartlett wrote:
> On Wed, 2008-06-04 at 01:48 +0300, Sergey Yanovich wrote:
>> After some experiments and with the help of Samba 4 code, I have finally made
>> a Windows workstation join Samba 3.2 ADS controller.
>
> How did you make it think it was ADS?
I am not 100% sure, but I saw with Wireshark that the client was
using my Kerberos tickets.
> In our early research, we found
> ADS was either an 'on' or 'off' thing - particularly if you support the
> new call on the LSA pipe, then you must start supporting an lot more.
It is true, but it probably relates to the after-join phase.
>> How hard is it to use separate Kerberos and LDAP servers?
>
> Difficult enough that I've spend the last 4 years working on Samba4. We
> know it's possible (see XAD for the proof by example), but the approach
> currently taken was very deliberate.
> As a Samba4 developer I would encourage you to help us make Samba4 work
> better for your use cases (a python script to export host/fqdn keytabs
> would be very easy to write) than to continue down this rat-hole.
Now I know it is a rat hole :) IIUC, Samba 4 was using its own Python
until recently. In other words, there are precedents for decoupling
external components. Maybe KDC is the next in the queue? Samba can talk
to kadm using normal kadmin interface, so it will be possible to use
normal *nix way of administering KADM/KDC. MIT Kerberos has a plugin to
store keys in LDAP, and this can handle canonicalization. So the only
big piece of work is PAC, right?
I am working on a FOSS accounting package in Russia, and I plan to deploy
it in a company with obsolete Windows infrastructure. My interest was
to find a smooth transition path from a poorly managed W2K ADS to a
Linux domain. Samba 4 looks promising for the matter.
--
Sergey Yanovich