[Samba] Re: Samba 3.0 and Active Directory Replication

John H Terpstra jht at samba.org
Sun Jul 13 06:34:24 GMT 2003


On Sat, 12 Jul 2003, John Brown wrote:

> John,
>
> You said,
>
> "If Samba-3.0.0 is configured as a domain controller with Windows 200x/XP
> clients these clients can work fine as domain members. There are some
> compromises that you must accept, none of these are serious issues. "
>
> Please clarify these compromises.

1. No machine policy files
2. No Group Policy Objects
3. No synchronously executed AD logon scripts
4. Can't use ANY Active Directory management tools to manage users and
machines
5. Registry changes tattoo the main registry, while with AD they do NOT
	ie: Leave permanent changes in effect
6. Without AD you can not perform the function of exporting specific
applications to specific users or groups

Is that sufficient for now?


> "At this time the Samba-3.0.0 domain controller will function as a Windows
> NT4 style domain controller".
>
> Do you mean that it will work as a BDC and keep a non-writeable duplicate
> of the SAM database?

Nope. A Samba BDC can use a common LDAP backend (ie: the same as the one
used by the PDC). But Samba-3 does NOT provide all the services and
protocol capabilities of an MS Windows 200x server. Samba-3 does not
implement many of the advanced RPC calls that MS products do.


> "NO! I hope that is clear".
>
> Clear as a bell.  Are there any plans to add this functionality in the
> future?

Please clarify your question. Are you asking, "Will samba integrate
OpenLDAP and Kerberos and will it become an Active Directory server?"

No! Not at this time. To do this will require changes that cross over into
all three projects (samba, openldap and kerberos (MIT or Heimdal)). Some
of the changes required may not fit the goals and objectives of all three
projects. The only way to get around the barrier would be to build LDAP
and Kerberos servers into samba. The samba-team is having enough
difficulty just managing samba, I can not imagine how it will deal with a
project that is three times more complex.

- John T.

>
> Thank you.
>
> "John H Terpstra" <jht at samba.org> wrote in message
> news:Pine.LNX.4.50.0307121646490.19672-100000 at dp.samba.org...
> > On Sat, 12 Jul 2003, John Brown wrote:
> >
> > > I have been following the development of Samba 3.0 with great interest.
> > > There is something that still confuses me.
> > >
> > > Can Samba 3.0 join a Windows 2000 network as a domain controller and
> > > replicate Active Directory information with existing Windows 2000 domain
> > > controllers?
> >
> > NO! I hope that is clear.
> >
> > When you hear "Active Directory" you should immediately think, "Oh, that's
> > LDAP plus Kerberos - with Microsoft proprietary extensions of course."
> >
> > When you hear "Domain Control" you should immediately think, "Oh, that
> > means a CIFS (common internet file system) server."
> >
> > Samba is a CIFS server. Got that? It's a CIFS file and print server.
> >
> > OpenLDAP and Kerberos are services that can substitute for Microsoft
> > Active Directory. Got that too? These bits handle the authentication
> > backend technology. Where it gets messy is that with the introduction of
> > Kerberos authentication Microsoft married this into the CIFS server
> > functionality.
> >
> > Samba is NOT a Kerberos (KDC) server.
> >
> > Samba is not an LDAP server.
> >
> > Now to add to this, Samba-3.0.0 CAN work fine with an LDAP backend, and
> > also within an MIT Kerberos, or a Heimdal Kerberos, environment. These
> > provide 'alternatives' to Active Directory, but are not the same as Active
> > Directory. For example, none of the Active Directory administration tools
> > that come with Windows XP Pro will work against the "Samba-3.0.0 +
> > OpenLDAP + Kerberos" combination.
> >
> > Microsoft Windows 200x Active Directory CAN be used apart from the CIFS
> > server functionality. This allows native UNIX / Linux clients to use an
> > Active Directory server for Kerberos based authentication. It's very messy
> > - but it can be done.
> >
> > The answer to your question is:
> >
> > 1. Samba-3.0.0 can natively join an Active Directory as a MEMBER server
> >
> > 2. Samba-3.0.0 can natively join an Active Directory as a MEMBER server
> > that does have domain control capability.
> >
> > 3. Samba-3.0.0 CAN NOT participate in Active Directory Replication AT ALL!
> >
> > At this time the Samba-3.0.0 domain controller will function as a Windows
> > NT4 style domain controller.
> >
> > Samba can use an LDAP authentication backend, this effectively substitutes
> > for the registry based User Accounts part of the NT4 SAM (security account
> > manager).
> >
> >
> > > If Samba 3.0 is the only domain controller on a network with Windows
> > > 2000/XP clients, will the clients see it as a domain controller running
> > > Active Directory?
> >
> > If Samba-3.0.0 is configured as a domain controller with Windows 200x/XP
> > clients these clients can work fine as domain members. There are some
> > compromises that you must accept, none of these are serious issues. For
> > example
> >
> >
> > - John T.
> > --
> > John H Terpstra
> > Email: jht at samba.org
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >

-- 
John H Terpstra
Email: jht at samba.org
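The PDC-plus-BDC-on-one-LDAP-backend arrangement John describes above, written out as an added smb.conf sketch that is not from the thread or from the Samba project; the host names, LDAP suffix, admin DN and share paths are assumed placeholders.

```ini
# Added example (not from the thread): Samba-3 NT4-style PDC and BDC
# sharing a single LDAP account backend. Host names, suffix, admin DN and
# paths are assumed placeholders. The LDAP bind password is stored with
# "smbpasswd -w", never in smb.conf.

# ---- smb.conf on the PDC (assumed host PDC1) ----
[global]
    workgroup           = EXAMPLE
    netbios name        = PDC1
    security            = user
    # NT4-style domain control: answer logons, act as domain master browser
    domain logons       = yes
    domain master       = yes
    local master        = yes
    preferred master    = yes
    os level            = 65
    # Account database lives in LDAP; the BDC points at the same DIT
    passdb backend      = ldapsam:ldap://ldap1.example.com
    ldap suffix         = dc=example,dc=com
    ldap user suffix    = ou=People
    ldap group suffix   = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn       = cn=Manager,dc=example,dc=com
    # Protect the bind credentials and password hashes on the wire
    ldap ssl            = start tls
    # Only NT4-style logon scripts and roaming profiles; no GPOs here
    logon script        = logon.bat
    logon path          = \\%L\profiles\%U

[netlogon]
    path       = /var/lib/samba/netlogon
    read only  = yes
    write list = root

[profiles]
    path           = /var/lib/samba/profiles
    read only      = no
    create mask    = 0600
    directory mask = 0700

# ---- smb.conf on the BDC (assumed host BDC1): same [global] except ----
#   netbios name  = BDC1
#   domain master = no     ; only one domain master browser per domain
#   (passdb backend, ldap suffix and ldap admin dn stay identical, so
#    both DCs read and write the same account data)
```

The BDC's only job in this layout is to answer logons from the shared LDAP data; account changes still go through the PDC, which is the NT4 behaviour John describes rather than AD multi-master replication.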
