[Samba] Re: A bit OT: LDAP and AD interoperability with LDAP as master

Adrian Gschwend ktk at netlabs.org
Thu Feb 19 14:41:51 GMT 2004

On Thu, 19 Feb 2004 18:51:48 +1100, Andrew Bartlett wrote:

> You can't make AD talk to an external LDAP server, as AD is based on
> its internal database - LDAP is just a view.


> Why are you using AD?  (There are many good answers to this question).

First let me say that I personally don't know AD at all, I'm doing this job
because I noted that those who should do it don't do it ;) And I rely on
it so I better do it myself.

What I know is that they use AD for things like Software updates and other
stuff. I don't know exactly what for but it seems not to be possible
without AD.

> Samba 3.0 acts as a PDC, and the same password database can be used to
> implement a unix Kerberos system.  (I have a demonstration patch that
> does just that).  This works by extending Heimdal's LDAP password
> backend.

Sounds very interesting.

> Password sync scripts will always cause trouble.  You would be better to
> choose one server to hold the passwords, and hack everything else to
> talk to it.  

That's an option too; the question is how much work that would be.

> So why is a Samba PDC not an option?  You lose Kerberos authentication
> for Windows (for the moment at least), but NTLM does work.

I simply didn't consider it yet because I didn't know that Samba is that

Thanks for the pointers, I will definitely do some more research on that.

BTW we will document what we are doing and publish it on the web as soon
as we have reached the final state (will be late summer I guess). I will
announce that on this list as soon as it's done.
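The "one server holds the passwords, everything else talks to it" setup Andrew suggests is, on the Samba 3.0 side, the ldapsam passdb backend. The fragment below is an added illustration for readers of this thread, not configuration from either poster; the hostname, base DN and admin DN are made-up placeholders, and the LDAP server is assumed to already carry the sambaSamAccount schema. It deliberately points Samba at the directory over STARTTLS so the NT/LM hashes stored there are never pulled over a cleartext bind.

```ini
# smb.conf fragment (added example; assumed names: ldap.example.org, dc=example,dc=org)
[global]
    workgroup = EXAMPLE
    netbios name = PDC1
    domain master = yes
    domain logons = yes
    security = user

    # Single password store: Samba reads and writes accounts in LDAP,
    # so there is no second copy to keep in sync via scripts.
    passdb backend = ldapsam:ldap://ldap.example.org
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # DN used for writes; its password is set out-of-band with
    # `smbpasswd -w` and stored in secrets.tdb, never in this file.
    ldap admin dn = cn=samba-admin,dc=example,dc=org

    # Require STARTTLS: the sambaNTPassword attribute is a password
    # equivalent, so it must not cross the wire in the clear.
    ldap ssl = start tls

    # Keep the LDAP password attributes in step with the LDAP userPassword,
    # so unix logins and NTLM share a single credential.
    ldap passwd sync = yes
```

On the directory side the matching hardening is an ACL that lets only the `ldap admin dn` read `sambaNTPassword`/`sambaLMPassword`; with that in place the Kerberos side (Heimdal's LDAP backend, which Andrew mentions extending) can later be pointed at the same tree without introducing a second password copy.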