[Samba] Re: Samba 3.0 and Active Directory Replication
dmc_jamrock at yahoo.com
Sat Jul 12 20:39:38 GMT 2003
"If Samba-3.0.0 is configured as a domain controller with Windows 200x/XP
lients these clients can work fine as domain members. There are some
compromises that you must accept, none of these are serious issues. "
Please clarify these compromises.
"At this time the Samba-3.0.0 domain controller will function as a Windows
NT4 style domain controller".
Do you mean that it will work as a BDC and keep a non-writeable duplicate
of the SAM database?
"NO! I hope that is clear".
Clear as a bell. Are there any plans to add this functionality in the
"John H Terpstra" <jht at samba.org> wrote in message
news:Pine.LNX.4.50.0307121646490.19672-100000 at dp.samba.org...
> On Sat, 12 Jul 2003, John Brown wrote:
> > I have been following the development ot Samba 3.0 with great interest.
> > There is something that still confuses me.
> > Can Samba 3.0 join a Windows 2000 network as a domain controller and
> > replicate Active Directory information with existing Windows 2000 domain
> > controllers?
> NO! I hope that is clear.
> When you hear "Active Directory" you should immediately think, "Oh, that's
> LDAP plus Kerberos - with Microsoft proprietary extensions of course."
> When you hear "Domain Control" you should immediately think, "Oh, that
> means a CIFS (common internet file system) server."
> Samba is a CIFS server. Got that? It's a CIFS file and print server.
> OpenLDAP and Kerberos are services that can substitute for Microsoft
> Active Directory. Got that too? These bits handle the authentication
> backend technology. Where it gets messy is that with the introduction of
> Kerberos authentication Microsoft married this into the CIFS server
> Samba is NOT a Kerberos (KDC) server.
> Samba is not an LDAP server.
> Now to add to this, Samba-3.0.0 CAN work fine with an LDAP backend, and
> also within an MIT Kerberos, or a Heimdal Kerberos, environment. These
> provide 'alternatives' to Active Directory, but are not the same as Active
> Driectory. For example, none of the Active Directory administration tools
> that come with Windows XP Pro will work against the "Samba-3.0.0 +
> OpenLDAP + Kerberos" combination.
> Microsoft Windows 200x Active Directory CAN be used apart from the CIFS
> server functionality. This allows native UNIX / Linux clients to use an
> Active Directory server for Kerberos based authentication. It's very messy
> - but it can be done.
> The answer to your question is:
> 1. Samba-3.0.0 can natively join an Active Directory as a MEMBER server
> 2. Samba-3.0.0 can natively join an Active Directory as a MEMBER server
> that does have domain control capability.
> 3. Samba-3.0.0 CAN NOT participate in Active Directory Replication AT ALL!
> At this time the Samba-3.0.0 domain controller will function as a Windows
> NT4 style domain controller.
> Samba can use an LDAP authentication backend, this effectively substitutes
> for the registry based User Accounts part of the NT4 SAM (security account
> > If Samba 3.0 is the only domain controller on a network with Windows
> > clients, will the clients see it as a domain controller running Active
> > Directory?
> If Samba-3.0.0 is configured as a domain controller with Windows 200x/XP
> clients these clients can work fine as domain members. There are some
> compromises that you must accept, none of these are serious issues. For
> - John T.
> John H Terpstra
> Email: jht at samba.org
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
More information about the samba