SAMBA digest 1497

David Collier-Brown davecb at Canada.Sun.COM
Wed Nov 19 16:20:08 GMT 1997

You wrote:
> Date: Tue, 18 Nov 1997 15:29:50 -0700
> From: Daniel Robbins <drobbins at>
> To: samba at
> Subject: Replacing an NT Domain
> Message-ID: <19971118152950.47445 at>
> Hello,
> We are going to be using samba in our NT network as a file server.  Thanks
> to everyone who is involved with Samba -- it's really neat now that I have
> it working properly.  I especially like the ability to block requests based
> on IP#! :-) My question is whether you guys know of any way to get rid of our
> NT PDC but still have the ability to log in as any user in the department from
> any NT workstation. 

  There are basically three approaches:
	0) Unix authentication on unix, aka security = user
	1) NT authentication on NT, aka security = server
	2) NT authentication on Unix, courtesy of
  	   Luke Kenneth Casson Leighton
	3) Other authentication, including Kerberos

  The elegant way is #2, but it's relatively new.  It allows Samba 
to be a full-fledged master server of an NT authentication domain,
speaking native NT. (Note I'm not necessarily using NT terminology:
I can never remember which kind of master rules what (:-))
It allows you to mix Samba and NT seamlessly, and only learn a bit
of Unix to administer a lot of functionality for Windows and NT
clients.  I tend to call it the ``Just Another Server'' scenario.

  An easy way, if you're an NT person, is #1.  You don't have
Samba be a godlike being, you just tell it god's hostname (:-)).
Samba forwards authentication requests to an NT machine, which
does the work.  You still have the equivalent of access control
using the smb.conf and possibly dummy entries in the /etc/passwd file.
I call this the ``Passthrough'' scenario.

  An easy way, if you're a Unix person, is #0, having accounts
on Unix, not using NT authentication domains, and having Unix do 
the authentication, using whatever authentication you've got there
(which includes PAM, /etc/passwd, yp, nis, kerberos or blue pages).

  To address your specific questions...

Question:               Answer:
                        0: Unix   1: NT     2: PDC    3: Other
a) Can samba reliably process NT login requests yet,
                        fakes it  yes       yes       no
b) is there an alternate way of replicating account data between
                        many      yes       yes       yes
c) we don't have to have a Microsoft PDC processing login requests
                        yes       no        no        yes
d) is having an NT PDC devoted to processing login requests and
   storing profiles currently the best solution?
                        no        yes       yes       no
e) I would much rather manage user accounts using Samba and Linux
                        yes       no        yes       yes
f) I don't want to have to give up the convenience of having a domain.
   (If you mean having centralized control...)
                        yes       yes       yes       yes

  I mildly recommend 0 and 2: they fit pure-unix and pure-nt
best.  Mixing worlds and assumptions leads to errors, and to mere
like trying to remember which of the three kinds of domain and four
of master you're talking about at any given moment (:-))

  Zero and one, by the way, are popular enough you'll get lots of
advice (:-))

David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | davecb at,
M2N 1Y3. 416-223-8968 |
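
The ``Passthrough'' (#1) and Unix-authentication (#0) scenarios described in the message above, sketched as an smb.conf fragment. This is an added example, not part of the original message; the workgroup DEPT, the host NTAUTH1, the 192.168.10. subnet and the user jdoe are constructed placeholders.

```ini
; Added example (not from the original post). DEPT, NTAUTH1, 192.168.10.
; and jdoe are constructed placeholders.

; ---- Approach 1: "Passthrough", Samba relays logins to an NT machine ----
[global]
   workgroup = DEPT
   security = server
   ; the NT machine that actually validates the password
   password server = NTAUTH1
   ; address-based blocking, as mentioned in the question
   hosts allow = 192.168.10. 127.

; Each NT user still needs a Unix identity for file ownership. A dummy
; /etc/passwd entry with a locked password and no login shell is enough:
;   jdoe:*:1001:100:J. Doe:/home/jdoe:/bin/false

; ---- Approach 0: Unix authentication, use INSTEAD of the block above ----
; [global]
;    workgroup = DEPT
;    security = user
;    hosts allow = 192.168.10. 127.
; Passwords are then checked on the Unix side (PAM, /etc/passwd, NIS, ...).

[homes]
   comment = Home directories
   browseable = no
   read only = no
```

Running `testparm` against the file catches syntax errors before smbd is restarted. Later Samba releases (4.0 onward) removed `security = server`, so approach 1 applies only to the older versions this thread discusses.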
