[Samba] Re: Samba as BDC in windows domain?
vorlon at netexpress.net
Tue Jun 11 09:51:29 GMT 2002
On Tue, Jun 11, 2002 at 05:05:35PM +0100, David Lee wrote:
> On Tue, 11 Jun 2002, Paul Reilly wrote:
> > I've been reading about setting up Samba as a PDC with LDAP storage.
> > However if I am to do this it needs to co-exist with the exisitng windows
> > NT domain using windows NT PDC's. Everything I've read so far says you
> > can't have a Samba BDC unless it's in a Samba PDC controlled domain. Is this
> > correct? Is there *any_possible_way* of having a Samba BDC get SAM updates
> > from a windows NT PDC ?
> > If not, is there any other way to sync an OpenLDAP server against a NT PDC ?
> Might be possible, but first the disclaimer...
> Disclaimer: I have absolutely zero knowledge of PDC/BDC/NT internals.
> Zero, zilch, rein, nothing, nil, nowt, ...
> At our site, we have just started dabbling with a thing called "Microsoft
> Services for UNIX" (hereinafter called "SFU") that our PC folk obtained.
> Until now, our service has been basically UNIX. Although most of the
> user-visible front-end (i.e. desktop machines) is a variant of W2K, the
> "real work" has hitherto been UNIX: the identifier and password the user
> gives is actually a UNIX pair, used to authenticate their Samba drive from
> UNIX. (Behind the scenes on W2K, there was simply a blanket guest-type
> login just before this.)
> Now... we are contemplating a migration to Active Directory ("AD") of
> these accounts: some 20,000 or them. (Gives me, as a UNIX person, the
> shudders, but that's another story...!) One reason is so that the id/pw
> pair can be a real Windows authentication, so they can do real Windozy
> things. We are very keen to preserve the "single authentication" model.
> Our plan is to set up accounts for all users in AD. We would then use
> UNIX password-aging mechanisms to "persuade" all users to change their
> password "at leisure, in their own time". But behind the scenes we would
> be using the UNIX PAM module from Microsoft's SFU to copy (synchronise)
> these password changes out from UNIX into AD. (We'll also be using SFU's
> corresponding "ssod" daemon for a small number of real-AD folk who might
> want to maintain synchronisation from AD towards UNIX.)
FWIW, what I'm hearing from the Kerberos world is that it's possible to
store all of your actual accounts in a traditional Unix KDC, creating a
trust relationship with your AD server, and still get most of the
"Windozy" things out of the mix. There's also a PAM module called
pam_krb5_migrate that can help with this as well, though I've never
tested it in a Solaris environment. It does at least require an
MIT-like KDC (Solaris probably qualifies) with matching client libraries
Synchronizing passwords via PAM has always been hairy. Migrating to a
single unified backend such as Kerberos and using that for /all/
systems, Windows and Unix, is a much more promising long-term solution.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 232 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20020611/ba7be246/attachment.bin
More information about the samba