[Samba] Samba 3.0 as Active Directory Domain Controller with MIT Kerberos

Jane Deer jane at gnosys.biz
Sun Oct 12 19:20:11 GMT 2003

"Gerald (Jerry) Carter" <jerry at samba.org> wrote in message 
news:<zwyd.1Tn.5 at gated-at.bofh.it>...
> The Samba Team is proud to announce the availability of the
> first official release of the Samba 3.0 code base.
> Major new features:
> - -------------------
> 1)  Active Directory support.  Samba 3.0 is now able to
>      join an ADS realm as a member server and authenticate
>      users using LDAP/Kerberos.

Hi Gerald (Jerry) and Samba Team!

Before anything else, I'd just like to start by thanking you for your
magnificent contribution to the Open Source community.  I've been
using Samba in various contexts for almost 2 years now and it's been a
huge benefit to me.  Thank you, Thank you, Thank you!

I've been using Samba 2.2 as a PDC for a production environment with
Windows XPP and Windows 2000 Pro clients and serving up a database
application and Samba does beautifully at this task and has done so
for more than a year.

Since I see that with 3.0, Samba now supports Active Directory, it
occurs to me that I might now be able to use Samba as an emulated
Windows 2000 Domain Controller (i.e., an Active Directory Domain
Controller with Kerberos), but perhaps that level of functionality is
not there yet?  I see in the Samba-HOWTO collection documentation
(included with the 3.0 stable tarball and dated 21 April 2003) the
following statements:

The following functionalities are not provided by Samba-3:

  - SAM replication with Windows NT4 Domain Controllers (i.e., a Samba
    PDC and a Windows NT BDC or vice versa). This means Samba cannot
    operate as a BDC when the PDC is Microsoft-based or replicate
    account data to Windows BDCs.

  - Acting as a Windows 2000 Domain Controller (i.e., Kerberos and
    Active Directory). In point of fact, Samba-3 does have some Active
    Directory Domain Control ability that is at this time purely
    experimental and is certain to change as it becomes a fully
    supported feature some time during the Samba-3 (or later) life
    cycle. However, Active Directory is more than just SMB; it's also
    LDAP, Kerberos, DHCP, and other protocols (with proprietary
    extensions, of course).

But in the official press release I see the following:

Replacement of Windows NT4 ® Domains

Samba 3.0 contains the first Open Source/Free Software implementation
of Windows NT Primary and Backup Domain Controller functionality.
Customers can transparently migrate their existing Windows NT domains
to Samba 3.0 whilst keeping their existing user and group account
databases. This enables significant cost of ownership savings over a
Windows NT4 domain as a Samba 3.0 Domain Controller does not require
client access licenses. Existing Windows tools can be used to manage a
Samba PDC, allowing customer Windows expertise to be leveraged in a
domain migration. A choice of LDAP back-ends allows integration with
an existing customer directory service.

Single Sign-on with Active Directory ® Integration   <-----<<<

Samba 3.0 seamlessly integrates into a Microsoft Active Directory
domain in both native and mixed mode. Samba 3.0 provides single
sign-on for UNIX ® / Linux ® clients in an Active Directory
environment, allowing both servers and clients to transparently use
Active Directory as an authentication and account source. Domain trust
relationships are fully supported, allowing Samba 3.0 Controlled
Domains to integrate easily into any Active Directory environment.

Complete Integration with Windows Security

Samba 3.0 fully implements Kerberos 5 authentication, SMB signing for
tamper-proof file serving sessions, and SCHANNEL security for secure
remote procedure calls. Samba 3.0 works "out of the box" with the
improved security settings of Windows 2003 Domain Controllers.

It looks like the press release contradicts the documentation on at
least some points (BDC functionality), but then again the docs were
something like 6 months old.

So, my fundamental question is:

Can Samba 3.0 act as a Windows 2000 Domain Controller (i.e., an Active
Directory Domain Controller with Kerberos)?

I already have an MIT Kerberos 1.3 installation on my network that is
working fine with Mac OS X and Linux kerberos authentication, but I
seem to have discovered something rather important about Microsoft
Windows XPP and kerberos authentication: it seems only to work with
Microsoft Windows 2000 Server and Microsoft Windows 2003 Server---not
with an MIT unix kerberos Key Distribution Center (KDC).

I actually found a Microsoft-authored howto on using Windows 2000
Professional client computers to authenticate against an MIT Kerberos
KDC, so I just assumed that this functionality would also exist in
XPP, but I've hunted all over for guidance on how to do it, and I've
come to the (perhaps premature) conclusion that XPP will not do this.
So I'm hoping that Samba 3.0 combined with a functional MIT Kerberos
1.3 system _would_ allow me to use the wonderful kerberos protocol to
authenticate my Windows XPP client machines without investing the $$$$
in a M$ Windows 2000 Server or 2003 Server with per-client licensing
and all that stuff.

Is there any hope for doing this with Samba 3.0?  If not...  <sigh>
then I'll just make do with Samba 3.0 as my NT4 PDC for authenticating
my XPP client machines, but I'd really like to use kerberos if at all
possible (and not use M$ Windows 200x Server).

If this functionality _is_ built into Samba 3.0, can anyone point me
to documentation on setting it up?  I find none in the ORA book, the
Samba-HOWTO-Collection (though they don't seem to accurately document
everything about the newest 3.0 stable release from just last
month---understandable as documentation must follow the coding
itself), etc.

Thanks in advance, and again, many thanks to the Samba Team for
creating a terrific software suite!
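Editor's note on the quoted announcement: the "Active Directory support" it describes is member-server mode (Samba joins an existing AD realm and authenticates users against it), which is a different thing from Samba itself being the domain controller the question asks about. As an added illustration of that member-server mode (not from the original message, the Samba project's documentation, or the press release), the smb.conf fragment below assumes a hypothetical realm EXAMPLE.COM, a NetBIOS workgroup EXAMPLE, and an existing AD domain controller reachable as dc1.example.com; the realm must also be defined in /etc/krb5.conf, and the machine is joined with `net ads join -U Administrator` after `kinit Administrator@EXAMPLE.COM` has been verified to obtain a ticket.

```ini
; Added example: Samba 3.0 as an ADS member server (assumed realm/host names)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    ; ADS mode: authenticate via Kerberos/LDAP against the AD DC, not locally
    security = ads
    encrypt passwords = yes
    ; assumed AD domain controller; "*" would let Samba locate one via DNS
    password server = dc1.example.com

    ; map AD users/groups to local uid/gid ranges via winbind
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash

    ; integrity protection mentioned in the announcement:
    ; SMB signing for file sessions and SCHANNEL for RPC
    server signing = auto
    client signing = auto
    client schannel = auto

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
```

The join step writes the machine account into AD and stores the machine secret locally, so it must run as a user allowed to add computer objects; `wbinfo -t` afterwards checks that the machine trust account works, and `wbinfo -u` confirms that winbind can enumerate domain users through the new trust.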
