On Fri, 31 Jan 2003, Andreas Hasenack wrote:

> On Fri, Jan 31, 2003 at 03:01:30PM +0000, John H Terpstra wrote:
> > > And, since the w2k server is on a different subnet, I don't think I can make it
> > > the logon server for my clients, or can I? I mean, broadcasts mean a lot in a
> > > MS network...
> >
> > You must use WINS to avoid broadcast traffic. With WINS the important UDP
> > traffic will be unicast. WINS can reduce UDP broadcast traffic by up to
> > 95%. Using WINS, your clients will readily locate the logon server. I
> > would recommend not using file and print shares over the WAN link though.
>
> But how does the windows client find out who the domain controller is for
> a specific domain? Does WINS advertise that info too?
> When I make a windows client join a domain, it never asks me for the name
> of the domain controller... Just the name of the domain.

Firstly, when you use WINS you configure one machine as your WINS server.
Then ALL SMB clients (Samba as well as MS Windows) get configured (part of
the TCP/IP stack configuration) to use that WINS server. Now when the client
starts up it registers with the WINS server. As it starts its networking
services it registers various name types with the WINS server also. The
Domain Controllers that are providing the NETLOGON services do this also.

The MS Windows client will then ask the WINS server for the IP address of
machines that have registered for their domain name (let's call it
MYDOMTHING) MYDOMTHING<1c> - the <1c> type means it runs the netlogon
service. The client then connects to one of the addresses it obtained from
the WINS server to commence the logon processes.

WINS is your best friend - DNS does NOT allow name type lookups that are
particular to NetBIOS networking over TCP/IP.

Please read the documentation - all of this is explained in the
Entire-HOWTO-Collection for which there is a link on the SWAT home page.

> > > Should I then just make the clients authenticate against the remote w2k machine
> > > anyway? I know, in both scenarios, the w2k server will be contacted anyway, either
> > > by the samba server or by the linux client.
> >
> > Correct. That's my recommendation.
>
> What about using security = server, point the password server at the w2k
> machine and set domain logons = yes? Should this work?

Yes, it will work. However, be aware that SERVER mode security does a few
very nasty things. Because the machine is NOT a trusted domain member it
needs to step around some old bugs. SERVER mode security causes samba to
send a bogus username/password pair before trying the real username/password
pair. It needs to do this so that an old bug that was present in some MS
Windows systems does not inadvertently allow a user with a wrong set of
credentials (username/password pair) to gain system access. If we did not
do this then it could be used as a potential root exploit.

So what does this mean? Well, if your Win2K administrator has set a lockout
threshold on the number of bad logins for a user, then this may be
triggered. Alternatively, the Event log on the Win2K machine will record
errors for each authentication attempt.

The undesirability applies only to use of MS Windows NT4/2K authentication
servers; with samba<->samba authentication this poses no issues and is how
we can achieve a BDC type role.

My clear preference is to make the samba server a full Win2K domain member.
Of course the Win2K needs to be running either in NT4 domain security mode
_or_ Active Directory in mixed mode.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
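The <1c> lookup John describes is a plain NetBIOS Name Service exchange on UDP/137, and it helps to see exactly what the client sends to the WINS server and what comes back. The following Python is an added example, not code from the post or from the Samba project: it implements the RFC 1001/1002 first-level name encoding, builds the unicast NAME QUERY REQUEST for MYDOMTHING<1c>, and parses the POSITIVE NAME QUERY RESPONSE that lists every domain controller which registered that name. The WINS server address, the two DC addresses and the reply packet itself are constructed for the demonstration; `query_wins` is the only function that touches the network, and everything else runs offline.

```python
import socket
import struct

# Constructed example values (not from the original post): the WINS server's
# address and the domain name the thread uses, MYDOMTHING.
WINS_SERVER = "192.0.2.10"
DOMAIN = "MYDOMTHING"
SUFFIX_DOMAIN_CONTROLLERS = 0x1C   # <1c>: machines running the NETLOGON service
QTYPE_NB = 0x0020                  # NetBIOS general name service resource record
QCLASS_IN = 0x0001


def encode_netbios_name(name, suffix):
    """RFC 1001/1002 first-level encoding of a 16-byte NetBIOS name.

    The name is upper-cased and space-padded to 15 bytes, the 16th byte is the
    type suffix (<1c>, <20>, <00>...), and every byte is split into two
    nibbles, each written as 'A' + nibble, giving a 32-character label.
    """
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = []
    for b in raw:
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def decode_netbios_name(label):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((ord(label[i]) - ord("A")) << 4) | (ord(label[i + 1]) - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(name, suffix, txid=0x1234):
    """Unicast NBNS NAME QUERY REQUEST for name<suffix>, as sent to a WINS server.

    Flags 0x0100: opcode QUERY, recursion desired, broadcast bit clear. A WINS
    lookup is unicast, which is what keeps this traffic off the broadcast domain.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    label = encode_netbios_name(name, suffix).encode("ascii")
    question = bytes([len(label)]) + label + b"\x00" + struct.pack(">HH", QTYPE_NB, QCLASS_IN)
    return header + question


def parse_name_query_response(packet):
    """Parse a POSITIVE NAME QUERY RESPONSE into a list of (ip, is_group).

    For a <1c> query the RDATA holds one (NB_FLAGS, IPv4) entry per domain
    controller that registered the name; bit 15 of NB_FLAGS marks a group name.
    """
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", packet[:12])
    if flags & 0x8000 == 0 or (flags & 0x000F) != 0:
        raise ValueError("not a positive name query response (rcode=%d)" % (flags & 0xF))
    pos = 12
    # Skip the answer's name: either a compression pointer (0xC0xx) or full labels.
    if packet[pos] & 0xC0 == 0xC0:
        pos += 2
    else:
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1
    rr_type, rr_class, ttl, rdlength = struct.unpack(">HHIH", packet[pos:pos + 10])
    pos += 10
    if rr_type != QTYPE_NB:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    rdata = packet[pos:pos + rdlength]
    entries = []
    for off in range(0, rdlength, 6):
        nb_flags, = struct.unpack(">H", rdata[off:off + 2])
        ip = socket.inet_ntoa(rdata[off + 2:off + 6])
        entries.append((ip, bool(nb_flags & 0x8000)))
    return entries


def sample_response(txid=0x1234):
    """Constructed WINS reply (not captured traffic): two DCs registered MYDOMTHING<1c>."""
    label = encode_netbios_name(DOMAIN, SUFFIX_DOMAIN_CONTROLLERS).encode("ascii")
    header = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)  # response, AA, RD, RA, rcode 0
    name = bytes([len(label)]) + label + b"\x00"
    rdata = b"".join(struct.pack(">H", 0x8000) + socket.inet_aton(ip)
                     for ip in ("192.0.2.20", "10.0.0.5"))
    rr = struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, len(rdata)) + rdata
    return header + name + rr


def query_wins(server=WINS_SERVER, name=DOMAIN, suffix=SUFFIX_DOMAIN_CONTROLLERS, timeout=2.0):
    """Send the query to a real WINS server on UDP/137 and parse its reply."""
    pkt = build_name_query(name, suffix)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 137))
        data, _ = s.recvfrom(1024)
    return parse_name_query_response(data)


if __name__ == "__main__":
    # Offline demonstration against the constructed reply.
    for ip, group in parse_name_query_response(sample_response()):
        print("%s<%02x> -> %s (group=%s)" % (DOMAIN, SUFFIX_DOMAIN_CONTROLLERS, ip, group))
```

The encoded label is the part DNS cannot express: the 16th byte carries the name type, so "MYDOMTHING" with suffix <1c> (domain controllers) and the same string with suffix <1b> (domain master browser) or <00> (workstation) are three different registrations in WINS. Running `query_wins()` against your own WINS server shows which machines have registered the <1c> group, which is a quick way to confirm that the logon servers the clients will pick are the ones you expect before you commit a remote subnet to WINS-based logons.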
