[Samba] Re: Re: Samba 3.0 and Active Directory Replication

John Brown dmc_jamrock at yahoo.com
Sun Jul 13 16:03:03 GMT 2003


Your answers have helped quite a bit.  I understand a lot more now.

These compromises are small issues compared to the benefits of Samba.  We
use Samba 2.x and we have benefitted from:

Less expensive software
Lower hardware requirements
Significantly fewer reboots
Greater stability
Faster performance

Many companies don't use group policy anyway.

One last thing.  We will be using OpenLDAP with Samba 3.0.  I have
downloaded the code and have read through the documentation on samba.org.

How does the whole authentication thing work?  Do we still need the
/etc/passwd and /etc/samba/smbpasswd files?  If so, are there any plans to
have just one password database?

I have read of people using the User Manager for Domains and Server Manager
tools from Microsoft.  Where can I get them and what version has been
tested?

What are the differences between the sambaAccount and posixAccount
objectclasses?  Why is the posixAccount necessary?

Regards.

"John H Terpstra" <jht at samba.org> wrote in message
news:Pine.LNX.4.50.0307130622590.19672-100000 at dp.samba.org...
> On Sat, 12 Jul 2003, John Brown wrote:
>
> > John,
> >
> > You said,
> >
> > "If Samba-3.0.0 is configured as a domain controller with Windows
> > 200x/XP clients these clients can work fine as domain members. There are some
> > compromises that you must accept, none of these are serious issues. "
> >
> > Please clarify these compromises.
>
> 1. No machine policy files
> 2. No Group Policy Objects
> 3. No synchronously executed AD logon scripts
> 4. Can't use ANY Active Directory management tools to manage users and
> machines
> 5. Registry changes tattoo the main registry, while with AD they do NOT
> ie: Leave permanent changes in effect
> 6. Without AD you can not perform the function of exporting specific
> applications to specific users or groups
>
> Is that sufficient for now?
>
>
> > "At this time the Samba-3.0.0 domain controller will function as a
> > Windows NT4 style domain controller".
> >
> > Do you mean that it will work as a BDC and keep a non-writeable
> > duplicate of the SAM database?
>
> Nope. A Samba BDC can use a common LDAP backend (ie: the same as the one
> used by the PDC). But Samba-3 does NOT provide all the services and
> protocol capabilities of an MS Windows 200x server. Samba-3 does not
> implement many of the advanced RPC calls that MS products do.
>
>
> > "NO! I hope that is clear".
> >
> > Clear as a bell.  Are there any plans to add this functionality in the
> > future?
>
> Please clarify your question. Are you asking, "Will samba integrate
> OpenLDAP and Kerberos and will it become an Active Directory server?"
>
> No! Not at this time. To do this will require changes that cross over into
> all three projects (samba, openldap and kerberos (MIT or Heimdal)). Some
> of the changes required may not fit the goals and objectives of all three
> projects. The only way to get around the barrier would be to build LDAP
> and Kerberos servers into samba. The samba-team is having enough
> difficulty just managing samba, I can not imagine how it will deal with a
> project that is three times more complex.
>
> - John T.
>
> >
> > Thank you.
> >
> > "John H Terpstra" <jht at samba.org> wrote in message
> > news:Pine.LNX.4.50.0307121646490.19672-100000 at dp.samba.org...
> > > On Sat, 12 Jul 2003, John Brown wrote:
> > >
> > > > I have been following the development of Samba 3.0 with great
> > > > interest.  There is something that still confuses me.
> > > >
> > > > Can Samba 3.0 join a Windows 2000 network as a domain controller and
> > > > replicate Active Directory information with existing Windows 2000
> > > > domain controllers?
> > >
> > > NO! I hope that is clear.
> > >
> > > When you hear "Active Directory" you should immediately think, "Oh,
> > > that's LDAP plus Kerberos - with Microsoft proprietary extensions of course."
> > >
> > > When you hear "Domain Control" you should immediately think, "Oh, that
> > > means a CIFS (common internet file system) server."
> > >
> > > Samba is a CIFS server. Got that? It's a CIFS file and print server.
> > >
> > > OpenLDAP and Kerberos are services that can substitute for Microsoft
> > > Active Directory. Got that too? These bits handle the authentication
> > > backend technology. Where it gets messy is that with the introduction
> > > of Kerberos authentication Microsoft married this into the CIFS server
> > > functionality.
> > >
> > > Samba is NOT a Kerberos (KDC) server.
> > >
> > > Samba is not an LDAP server.
> > >
> > > Now to add to this, Samba-3.0.0 CAN work fine with an LDAP backend,
> > > and also within an MIT Kerberos, or a Heimdal Kerberos, environment. These
> > > provide 'alternatives' to Active Directory, but are not the same as
> > > Active Directory. For example, none of the Active Directory administration
> > > tools that come with Windows XP Pro will work against the "Samba-3.0.0 +
> > > OpenLDAP + Kerberos" combination.
> > >
> > > Microsoft Windows 200x Active Directory CAN be used apart from the
> > > CIFS server functionality. This allows native UNIX / Linux clients to use
> > > an Active Directory server for Kerberos based authentication. It's very
> > > messy - but it can be done.
> > >
> > > The answer to your question is:
> > >
> > > 1. Samba-3.0.0 can natively join an Active Directory as a MEMBER
> > > server
> > >
> > > 2. Samba-3.0.0 can natively join an Active Directory as a MEMBER
> > > server that does have domain control capability.
> > >
> > > 3. Samba-3.0.0 CAN NOT participate in Active Directory Replication AT ALL!
> > >
> > > At this time the Samba-3.0.0 domain controller will function as a
> > > Windows NT4 style domain controller.
> > >
> > > Samba can use an LDAP authentication backend, this effectively
> > > substitutes for the registry based User Accounts part of the NT4 SAM
> > > (security account manager).
> > >
> > >
> > > > If Samba 3.0 is the only domain controller on a network with Windows
> > > > 2000/XP clients, will the clients see it as a domain controller running
> > > > Active Directory?
> > >
> > > If Samba-3.0.0 is configured as a domain controller with Windows
> > > 200x/XP clients these clients can work fine as domain members. There are some
> > > compromises that you must accept, none of these are serious issues.
> > > For example
> > >
> > >
> > > - John T.
> > > --
> > > John H Terpstra
> > > Email: jht at samba.org
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  http://lists.samba.org/mailman/listinfo/samba
>
> --
> John H Terpstra
> Email: jht at samba.org