[PATCH 0/2] Allow Windows XP SP 2 to join Samba 3.2 ADS

Andrew Bartlett abartlet at samba.org
Tue Jun 3 23:53:11 GMT 2008

On Wed, 2008-06-04 at 02:34 +0300, Sergey Yanovich wrote:
> Andrew Bartlett wrote:
> > On Wed, 2008-06-04 at 01:48 +0300, Sergey Yanovich wrote:
> >> After some experiments and with the help of Samba 4 code, I have finally made
> >> a Windows workstation join Samba 3.2 ADS controller.
> > 
> > How did you make it think it was ADS?
> I am not 100% sure, but I saw with the wireshark that the client was 
> using my kerberos tickets.

Given that your KDC was not generating the PAC, windows clients can't
use it for logon.  They certainly could use it in the join - but that
isn't really the interesting part. 

> > In our early research, we found
> > ADS was either an 'on' or 'off' thing - particularly if you support the
> > new call on the LSA pipe, then you must start supporting a lot more. 
> It is true, but probably relates to after-join phase.

One consequence of this is that as soon as you pretend to be AD, your
NT4 system policy files are no longer applied, and you must use group
policy.  This requires an AD-like LDAP...

> >> How hard is it to use separate Kerberos and LDAP servers?
> > 
> > Difficult enough that I've spent the last 4 years working on Samba4.  We
> > know it's possible (see XAD for the proof by example), but the approach
> > currently taken was very deliberate. 
> > As a Samba4 developer I would encourage you to help us make Samba4 work
> > better for your use cases (a python script to export host/fqdn keytabs
> > would be very easy to write) than to continue down this rat-hole. 
> Now I know, it is rat hole :) IIUC, Samba 4 was using its own python 
> until recently. 

We never used our own python - it was always the system python, but to
ensure the Samba libraries were found until we got all the shared
libraries working we linked them statically against a 3-line program
called 'smbpython', which called python's own 'main()'. 

> In other words, there are precedents for decoupling 
> external components. Maybe the KDC is next in the queue? Samba can talk 
> to kadm using the normal kadmin interface, so it will be possible to use 
> the normal *nix way of administering KADM/KDC. MIT Kerberos has a plugin to 
> store keys in LDAP, and this can handle canonicalization. So the only 
> big piece of work is the PAC, right?

The MIT plugin design is a disaster.  But yes, as per my other mail you
could probably build a Samba4 Heimdal plugin, should you wish to.  

> I am working on a FOSS accounting package in Russia, and I plan to deploy 
> it in a company with obsolete Windows infrastructure. My interest was 
> to find out a smooth transition path from a poorly managed W2K ADS to a 
> linux domain. Samba 4 looks promising for the matter.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
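Worked illustration of the PAC point Andrew makes above (added here; this is not code from the thread, from Samba 3.2 or from Samba4). Windows does not look for the PAC as a separate ticket field: it is an AD-WIN2K-PAC (ad-type 128) element wrapped in AD-IF-RELEVANT (ad-type 1) inside the ticket's authorization-data, and a Kerberos-only KDC simply leaves that sequence empty. The block below builds the DER for both cases, walks authorization-data the way a client would, and lists the PAC_INFO_BUFFER types from the MS-PAC header. Assumptions: the DER helpers are a minimal hand-written subset (no ASN.1 library), the PAC payloads are zero-filled placeholders rather than real logon data or checksums, and the input is the decrypted EncTicketPart.authorization-data. In a Wireshark capture the ticket enc-part is encrypted under the service key, so to run this over a real ticket you would first decrypt it with the host keytab.

```python
import struct

# Kerberos authorization-data types (RFC 4120 section 7.5.4; MS-PAC section 2).
AD_IF_RELEVANT = 1
AD_WIN2K_PAC = 128

# PAC_INFO_BUFFER ulType values from MS-PAC section 2.4.
PAC_BUFFER_NAMES = {1: "LOGON_INFO", 6: "SERVER_CHECKSUM",
                    7: "KDC_CHECKSUM", 10: "CLIENT_INFO"}


# --- minimal DER helpers, just enough for AuthorizationData ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):  # Int32 as a two's-complement INTEGER
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def ad_element(ad_type, ad_data):
    """One AuthorizationData element: SEQUENCE { [0] Int32, [1] OCTET STRING }."""
    return _tlv(0x30, _tlv(0xA0, _der_int(ad_type)) + _tlv(0xA1, _tlv(0x04, ad_data)))


def authorization_data(elements):
    return _tlv(0x30, b"".join(elements))


def parse_authorization_data(buf):
    """Decode AuthorizationData into a list of (ad_type, ad_data)."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, elem, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("element must be a SEQUENCE")
        _, ctx0, p = _read_tlv(elem, 0)        # [0] ad-type
        _, type_bytes, _ = _read_tlv(ctx0, 0)
        _, ctx1, _ = _read_tlv(elem, p)        # [1] ad-data
        _, data, _ = _read_tlv(ctx1, 0)
        out.append((int.from_bytes(type_bytes, "big", signed=True), data))
    return out


def find_pac(authz):
    """Return the raw PAC blob, descending into AD-IF-RELEVANT, or None if the ticket has none."""
    for ad_type, data in parse_authorization_data(authz):
        if ad_type == AD_WIN2K_PAC:
            return data
        if ad_type == AD_IF_RELEVANT:
            pac = find_pac(data)
            if pac is not None:
                return pac
    return None


# --- MS-PAC PACTYPE header: cBuffers, Version=0, then PAC_INFO_BUFFER[] and 8-byte aligned payloads ---

def build_pac(buffers):
    offset = 8 + 16 * len(buffers)
    entries, body = b"", b""
    for ultype, payload in buffers:
        entries += struct.pack("<IIQ", ultype, len(payload), offset)
        padded = payload + b"\x00" * (-len(payload) % 8)
        body, offset = body + padded, offset + len(padded)
    return struct.pack("<II", len(buffers), 0) + entries + body


def pac_buffer_types(pac):
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    return [struct.unpack_from("<IIQ", pac, 8 + 16 * i)[0] for i in range(cbuffers)]


def describe_pac(authz):
    """None when the ticket carries no PAC, else the buffer names in header order."""
    pac = find_pac(authz)
    return None if pac is None else [PAC_BUFFER_NAMES.get(t, hex(t)) for t in pac_buffer_types(pac)]


def sample_authz(with_pac):
    """Constructed sample: what a Windows KDC (True) or a plain Kerberos KDC (False) puts in the ticket."""
    if not with_pac:
        return authorization_data([])
    pac = build_pac([(1, b"\x00" * 32), (10, b"\x00" * 16), (6, b"\x00" * 20), (7, b"\x00" * 20)])
    inner = authorization_data([ad_element(AD_WIN2K_PAC, pac)])
    return authorization_data([ad_element(AD_IF_RELEVANT, inner)])


if __name__ == "__main__":
    for flag in (True, False):
        print("PAC buffers:", describe_pac(sample_authz(flag)))
```

The join in the thread works with an empty authorization-data because the join only needs a service ticket the DC can decrypt; logon fails because the client finds no AD-WIN2K-PAC element and therefore no LOGON_INFO with group SIDs. The walk descends into AD-IF-RELEVANT because RFC 4120 lets a KDC wrap data a client may ignore, and that is exactly where Windows puts the PAC.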