On Mon, 2012-12-17 at 20:54 +0100, Admin wrote:
> Hi,
> I have to deploy an integrated services platform consisting of a samba3,
> web-groupware and email (exim+cyrus) service, which has very limited
> options for user management. This new server is to replace a windows
> 2008 server. I am free to create all users anew.
> I'll try to configure it to use an external source as a single source of
> authentication and join the samba3 to a samba4-Domain but I'm unsure
> about the mail and webservices: should I/can I use samba4's built-in
> ldap server? Or would it be better to use the kerberos service? Or winbind?
> I would appreciate any advice for the most standard conformant way to
> get things working.

When deployed as an AD DC, all of these will work, and work well.

You can do 'ldap authentication' as a simple bind, you can get a
kerberos ticket (even better is to accept a kerberos ticket, from
kerberos-enabled clients, but I know that's probably not what you are
after), or you can use pam and winbind via a domain join.

The more secure options are kerberos (as long as you actually validate
the ticket you get back) and winbind (which will perform the
authentication across the secure channel).

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
