bringing the discussion back online -- thanks jerry for the responses. please see below..
On Tue, Jan 28, 2003 at 10:56:24AM -0600, Gerald (Jerry) Carter wrote:
> On Mon, 27 Jan 2003, David Bear wrote:
> > thanks for the reply. I was not aware that I could use
> > password server = somewindowserver
> > with security = domain
>
> Yup. In fact, in Samba 3.0 you can use
> password server = DC1 DC2 *
> which will fail over to autolookups if DC1 and DC2 are unavailable.
>
> > I would like to be able to use domain security. That buys me domain
> > functionality with machine trusts. However, I DO NOT control the NT
> > domain that we authenticate users against. So, my domain controller
> > would be in the position of 1) storing and authenticating MACHINE
> > accounts in its OWN smbpasswd file and 2) authenticating users against a
> > different smb server (in this case a windows active directory) which I
> > do not control.
>
> You have a Samba PDC that is authenticating against a Windows NT PDC?
> No. This would not be a good configuration. Why do you need Samba as a
> PDC in this case?

Actually this is a very valid scenario for us. We have central IT that provides AD and kerberos authentication services. However, they do not create administrative principals/identities for us. They only create user accounts (and they manage all the links for password updates). This leaves us with a very powerful service but powerless. Now I could bring up a windows AD and become an OU in the grand unified microsoft directory. But that has side effects that I don't want -- i.e. I don't want to rely on microsoft for something as important as directory service. What I prefer is to use CENTRAL account management services for authenticating the unwashed masses.

Then I want to create my own set of administrative principals that are authenticated against my own authentication servers (smbpasswd is fine now, but LDAP/kerberos is what I think the future holds). Then, we create our own domain controllers to manage user profiles -- and handle our OWN administrative identities (ergo we retain complete control of administrative accounts rather than relegate them to AD and have the possibility of an AD hack stealing admin accounts). This would be similar to an old style trust relationship between NT domains. For large organizations even mickeysoft recommended having resource domains and user account domains. If SAMBA could implement this, then the trust would be a 'limited' trust -- very enticing? That trust of course limited to just authenticating users (and those users' privileges would further be controlled through our own group schema) and then not all users.

Some may think this a strange request, but in a large university like ours, there is such decentralization that it makes sense.

To recap, what I want is something like

security = domain
password server = somesmbserver

without having to join the samba box to the domain AND retain machine trust accounts on my samba box as well as additional administrative identities that could be used to manage machines in my domain.. AND be able to have additional samba servers join my domain as member servers and use a transitive relationship to authenticate users against my samba server which then authenticates to microsoft AD.

My guess is this shouldn't be too hard to implement. I'm no C programmer though -- and this is way out of my league.

--
David Bear
College of Public Programs/ASU
Mail Code 0803
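An added example, not part of David's or Jerry's mail, of the Samba 3.0 domain-member configuration Jerry describes, with the failover `password server` list. The domain and host names are placeholders chosen here; the DC names DC1 and DC2 are taken from Jerry's reply.

```ini
[global]
   # Placeholder names (assumed): the domain whose DCs authenticate users,
   # and this Samba host's NetBIOS name.
   workgroup = EXAMPLEDOM
   netbios name = SAMBASRV

   # Member-server mode: user logons are validated by the domain's DCs,
   # and this host needs a machine trust account in that domain.
   security = domain

   # Samba 3.0 syntax from Jerry's reply: try DC1, then DC2, and only if
   # both are unreachable fall back to automatic DC lookup ("*").
   # Listing the DCs explicitly pins which servers this host will trust
   # for authentication; "*" alone relies entirely on name resolution.
   password server = DC1 DC2 *

   encrypt passwords = yes
```

This is a plain domain-member configuration, which is what Jerry is endorsing; it is not the PDC-authenticating-against-another-domain design he advises against. Because `security = domain` depends on a machine trust account, the host still has to be joined to the domain (for an NT-style join, `net rpc join` as a domain administrator) before logons will validate. `testparm` checks the file for syntax and parameter errors before smbd is restarted.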
