[Samba] Samba or Win2K Server as Domain Controller?

Scott Ehrlich scott at ai.mit.edu
Tue Oct 22 14:49:00 GMT 2002


We are looking at implementing a Windows Domain structure very soon and I 
have been asked to evaluate/investigate the differences between using Samba 
as a DC vs a true Win2k DC.   We run TCP/IP and Appletalk on a 100Base-T 
network.

I'm the main Microsoft person in the group and have a lot of Windows 
experience (9x - XP).

We currently have a primary NT 4 domain controller mainly acting as a print 
and software install server.   99% of workstations are in workgroup mode.

We have a contingent of Mac users (OS 9 and above) who also utilize the DC 
for printing and software installation.

I know the full capabilities of a Win2K DC, and have just read the Samba 
2.2 FAQ from the samba.org web site, so I am generally familiar with what 
I'll get.

Some of the functionality I want include:

- Roaming profiles (Samba FAQ says this can be done)

- Magically add printers to workstations which become domain members (maybe 
through a policy or template?)

- Permit an account to be used for registration-only so users can make 
themselves domain members on their own

- Enable full auditing with Tripwire so I am kept fully up-to-date on 
changes (machine adds/removals/changes)

- Permit seemless password changes between our UNIX and Windows world

- Permit Mac users seemless access to shared printers and file storage 
(using Services for Mac on an existing NT 4 server)

- Implement policies to permit patch pushing or service changes to clients


Our model will likely end up being having an external machine (Linux most 
likely) doing just LDAP.   We may authenticate to it, or we may try to 
implement Kerberos.  We'll see how much pain is involved in setting and 
maintaining our own Kerberos server/realm.   Being on the MIT campus, we 
know how Kerberos works ;-)
Thus, we might authenticate to a separate Kerberos server and have the 
remaining info in a separate LDAP database on its own server.

Now, if we have a dedicated LDAP server with possibly also a Kerberos 
server (neither will be the Win2K Domain Controller), how will I/we get the 
Windows functionality we want knowing the DC uses LDAP plus some 
proprietary additions to LDAP, and that the DC wants to be a KDC?

It almost looks like the Mac, Linux, and Solaris clients will have no 
problems, but the Windows world is the obstacle.

Can LDAP and Kerberos be disabled/separated/modified to permit even 
pass-through authentication to the dedicated server(s), thus permitting a 
domain world, the Windows clients think they are talking to a true DC, and 
the DC thinks it is the boss, yet it gets its info from external sources?

Does this make any sense?

Thanks in advance.

Scott




More information about the samba mailing list