[PATCH 1/2] nmbd: fix netlogon in ads mode

Andrew Bartlett abartlet at samba.org
Tue Jun 3 23:47:24 GMT 2008


On Wed, 2008-06-04 at 02:05 +0300, Sergey Yanovich wrote:
> Andrew Bartlett wrote:
> > On Wed, 2008-06-04 at 01:48 +0300, Sergey Yanovich wrote:
> >> Signed-off-by: Sergey Yanovich <ynvich at gmail.com>
> > 
> > This code ('fixing' Samba3's nmbd handling of ADS-style netlogon
> > mailslots) should be removed, not fixed up...
> > 
> > The recent work I've done in Samba4 shows that this area is far more
> > complex than this first attempt makes out, and must be in common with
> > the CLDAP server to have any chance of being correct. 
> 
> With this patch Samba 3 fools the Windows client into thinking it talks to
> ADS. So the external part is correct. I agree that the internals are not so
> easy, and that's why the workstation doesn't see the domain after reboot.

Indeed!

> > Why are you trying to patch Samba3 for this?
> 
> Samba 4 takes over ports 88, 389, 636. Established Linux infrastructure
> isn't working with it. Configuring Linux clients/services to live with
> Samba 4 isn't a trivial task either...

Sure - there isn't a way to avoid this, except to use separate IP
addresses.  If we could use a stock KDC, then we would have.  I'm sure
an enterprising programmer could probably make Heimdal load the PAC
generating plugin, and an AD-compatible hdb backend (because that's what
we do internally anyway), but then it's not a stock KDC any more.

Fortunately the services Linux clients require of a KDC are a subset of
those our modified Heimdal provides.

We bundle the KDC because, given the high degree of linkage required, we
felt it was easier to have it 'just work' than the traditional Linux
nightmare of setting up Kerberos and LDAP.  (We also have an internal
implementation of kpasswd.)

LDAP is a much more difficult question - Windows clients require the AD
schema be loaded, and while we have a project to allow us to map Samba4's
requirements onto standard-ish LDAP schema (on an external LDAP server),
we have no choice but to present an AD-like view to AD clients such as
Windows XP.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.