Hi All- Please pardon my repost of my usenet article in this list.
Previously, I asked if Samba 3.0 could be an Active Directory Domain Controller (ADDC). I have the feeling that the answer is no. If so, then I have this other question: Can I use Samba as an NT4 PDC for making a Windows NT4 domain that would host several M$ Windows XPP client computers as domain clients/members, but have these client computers (and their users) actually do their authentication not against the PDC, but rather, against an MIT kerberos 1.3 (v5) Key Distribution Center (KDC) or kerberos server?

I've now read one or two cases of educational institutions using similar arrangements, but in their circumstances, they often had a M$ Windows 2000 Server machine that was the ADDC for a domain, then they established trust between the ADDC and their MIT kerberos v5 KDC, and then their client computers did pass-through authentication not against the ADDC, but rather, against the KDC. To be more specific, the client computers were domain members of a domain hosted by the ADDC (perhaps could also be an NT4 PDC?), and their authentication requests apparently did a pass-through of the ADDC and then were checked against the kerberos database on the KDC. If the authentication was successful, then the users ended up with a single-sign-on (SSO) onto their Win2k/WinXP boxes, got kerberos tickets for services from the KDC, and then obtained access to authorized services (apparently, services that were a part of the domain that they logged into, thus Samba would provide), and also (possibly) services that were made available by unix machines that were not necessarily a part of the ADDC (or NT4) domain, but that did have service principals in the kerberos database. Does that make sense?

So, does anyone know if such a scheme would work with no ADDC (since I don't have and don't want a M$ server), but rather, with Samba 3.0 acting as the PDC in an NT4 domain rather than an ADS domain?

Since, as I said above, I get the impression that Samba 3.0 cannot be an ADDC, using it to provide an NT4 domain seems like the next best alternative---if it will work.

Thanks in advance for any thoughts, suggestions, advice on whether this will or will not work and, if the former (it will work), then any tips/tricks or gotchas on actually implementing the plan.

Thanks again, Samba Team, for your terrific suite of software!

-Jane
