On Sun, 12 Oct 2003, Jane Deer wrote:

> "Gerald (Jerry) Carter" <[EMAIL PROTECTED]> wrote in message
> news:<[EMAIL PROTECTED]>...
> > The Samba Team is proud to announce the availability of the
> > first official release of the Samba 3.0 code base.
> >
> > Major new features:
> > -------------------
> >
> > 1) Active Directory support. Samba 3.0 is now able to
> >    join an ADS realm as a member server and authenticate
> >    users using LDAP/Kerberos.
>
> Hi Gerald (Jerry) and Samba Team!
>
> Before anything else, I'd just like to start by thanking you for your
> magnificent contribution to the Open Source community. I've been
> using Samba in various contexts for almost 2 years now and it's been a
> huge benefit to me. Thank you, Thank you, Thank you!
>
> I've been using Samba 2.2 as a PDC for a production environment with
> Windows XPP and Windows 2000 Pro clients and serving up a database
> application, and Samba does beautifully at this task and has done so
> for more than a year.
>
> Since I see that with 3.0, Samba now supports Active Directory, it
> occurs to me that I might now be able to use Samba as an emulated
> Windows 2000 Domain Controller (i.e., an Active Directory Domain
> Controller with Kerberos), but perhaps that level of functionality is
> not there yet? I see in the Samba-HOWTO collection documentation
> (included with the 3.0 stable tarball and dated 21 April 2003) the
> following statements:
>
> =====================
> The following functionalities are not provided by Samba-3:
>
> SAM replication with Windows NT4 Domain Controllers (i.e., a
> Samba PDC and a Windows NT BDC or vice versa). This means Samba cannot
> operate as a BDC when the PDC is Microsoft-based or replicate account
> data to Windows BDCs.
>
> Acting as a Windows 2000 Domain Controller (i.e., Kerberos
> and Active Directory). In point of fact, Samba-3 does have some Active
> Directory Domain Control ability that is at this time purely
> experimental that is certain to change as it becomes a fully supported
> feature some time during the Samba-3 (or later) life cycle. However,
> Active Directory is more than just SMB; it's also LDAP, Kerberos, DHCP,
> and other protocols (with proprietary extensions, of course).
> =====================
>
> But in the official press release I see the following:
>
> =====================
> Replacement of Windows NT4® Domains
>
> Samba 3.0 contains the first Open Source/Free Software implementation
> of Windows NT Primary and Backup Domain Controller functionality.
> Customers can transparently migrate their existing Windows NT domains
> to Samba 3.0 whilst keeping their existing user and group account
> databases. This enables significant cost of ownership savings over a
> Windows NT4 domain as a Samba 3.0 Domain Controller does not require
> client access licenses. Existing Windows tools can be used to manage a
> Samba PDC, allowing customer Windows expertise to be leveraged in a
> domain migration. A choice of LDAP back-ends allows integration with
> an existing customer directory service.
>
> Single Sign-on with Active Directory® Integration <-----<<<
>
> Samba 3.0 seamlessly integrates into a Microsoft Active Directory
> domain in both native and mixed mode. Samba 3.0 provides single
> sign-on for UNIX® / Linux® clients in an Active Directory
> environment, allowing both servers and clients to transparently use
> Active Directory as an authentication and account source. Domain trust
> relationships are fully supported, allowing Samba 3.0 Controlled
> Domains to integrate easily into any Active Directory environment.
>
> Complete Integration with Windows Security
>
> Samba 3.0 fully implements Kerberos 5 authentication, SMB signing for
> tamper-proof file serving sessions, and SCHANNEL security for secure
> remote procedure calls. Samba 3.0 works "out of the box" with the
> improved security settings of Windows 2003 Domain Controllers.
> =====================
>
> It looks like the press release contradicts the documentation on at
> least some points (BDC functionality), but then again the docs were
> something like 6 months old.

No, there is no contradiction. No, the documentation is not 6 months old - they were updated immediately before 3.0.0 shipped. Your assumptions may extrapolate a little too far!

> So, my fundamental question is:
>
> Can Samba 3.0 act as a Windows 2000 Domain Controller (i.e., an Active
> Directory Domain Controller with Kerberos)?

No! As stated in the HOWTO, Samba-3.0.0 can NOT act as an ADS DC. It can act as a member server in an AD environment, but Samba can not act as an ADS. Samba can also NOT act as an ADDC in an ADS environment.

> I already have an MIT Kerberos 1.3 installation on my network that is
> working fine with Mac OS X and Linux kerberos authentication, but I
> seem to have discovered something rather important about Microsoft
> Window XPP and kerberos authentication: it seems only to work with
> Microsoft Windows 2000 Server and Microsoft Windows 2003 Server---not
> with an MIT unix kerberos Key Distribution Center (KDC).

Correct. MS XPP/200x all use proprietary protocol extensions for Kerberos and use LDAP over Kerberos - neither of which are supported by native MIT Kerberos, nor is the use of LDAP over Kerberos supported in OpenLDAP.

> I actually found a Microsoft-authored howto on using Windows 2000
> Professional client computers to authenticate against an MIT Kerberos
> KDC, so I just assumed that this functionality would also exist in
> XPP, but I've hunted all over for guidance on how to do it, and I've
> come to the (perhaps premature) conclusion that XPP will not do this.

I am familiar with this MS Document. To say the very least, it aims to permit UNIX and Linux authentication to integrate with ADS. It is VERY messy, requires synchronization of /etc/passwd and /etc/group information (ie: you must have entries in each for all ADS accounts), and is extremely human resource intensive from an administration and maintenance perspective.

> So I'm hoping that Samba 3.0 combined with a functional MIT Kerberos
> 1.3 system _would_ allow me to use the wonderful kerberos protocol to
> authenticate my Windows XPP client machines without investing the $$$$
> in a M$ Windows 2000 Server or 2003 Server with per client licensing
> and all that stuff.

This does NOT work today. This was clearly (I believe) stated in the HOWTO.

> Is there any hope for doing this with Samba 3.0? If not... <sigh>
> then I'll just make do with Samba 3.0 as my NT4 PDC for authenticating
> my XPP client machines, but I'd really like to use kerberos if at all
> possible (and not use M$ Windows 200x Server).

I find necessity to repeat time and again: Samba-3.0.0, plus LDAP and Kerberos is NOT the same as Windows 200x ADS + DC operation. It can not be done. You can run Samba-3.0.0 only as a replacement for an NT4 PDC/BDC - but even then - NOT in admixture. ie: No Samba-3.0.0 PDC and NT4 BDC (or vice versa). Is that clear enough yet?

> If this functionality _is_ built into Samba 3.0, can anyone point me
> to documentation on setting it up? I find none in the ORA book, the
> Samba-HOWTO-Collection (though they don't seem to accurately document
> everything about the newest 3.0 stable release from just last
> month---understandable as documentation must follow the coding
> itself), etc.

What is inaccurate please? I am ready to fix it!

> Thanks in advance, and again, many thanks to the Samba Team for
> creating a terrific software suite!

- John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
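The two deployment modes the reply says Samba 3.0.0 does support, side by side, as an added configuration example (not from the thread or from the Samba project's own documentation): an NT4-style PDC, and a member server joined to an existing Active Directory domain that authenticates through the domain's Kerberos KDC. Domain, realm and host names are placeholders, and the `idmap uid`/`idmap gid` parameter names are the Samba 3.0-era spellings.

```ini
; ---- smb.conf, mode A: Samba 3.0 as an NT4-style PDC (what the thread
; ---- calls the supported replacement for an NT4 domain controller).
; ---- Windows XP/2000 clients join this as a classic NT4 domain; no
; ---- Kerberos is involved, and no Windows NT4 BDC may be mixed in.
[global]
   workgroup        = EXAMPLEDOM        ; placeholder NT4 domain name
   netbios name     = SAMBAPDC          ; placeholder host name
   security         = user
   passdb backend   = tdbsam            ; or ldapsam for an LDAP back-end
   domain logons    = yes
   domain master    = yes
   local master     = yes
   preferred master = yes
   os level         = 65

; ---- smb.conf, mode B: Samba 3.0 as a MEMBER SERVER of a Windows 200x
; ---- Active Directory domain. The Windows DC remains the KDC; Samba
; ---- validates Kerberos tickets and resolves accounts via winbind.
[global]
   workgroup                  = EXAMPLE         ; placeholder short name
   realm                      = EXAMPLE.COM     ; placeholder Kerberos realm
   security                   = ads
   encrypt passwords          = yes
   ; map AD SIDs to local uid/gid ranges that do not collide with /etc/passwd
   idmap uid                  = 10000-20000
   idmap gid                  = 10000-20000
   winbind use default domain = yes
   winbind enum users         = yes
   winbind enum groups        = yes
   template shell             = /bin/bash

; ---- /etc/krb5.conf for mode B: point the host at the AD KDC, never at a
; ---- stand-alone MIT KDC (the reply explains why that does not work for
; ---- Windows clients). Clock skew against the DC must stay within
; ---- Kerberos tolerance (5 minutes by default) or tickets are rejected.
[libdefaults]
   default_realm  = EXAMPLE.COM
   dns_lookup_kdc = true

[realms]
   EXAMPLE.COM = {
      kdc          = dc1.example.com   ; placeholder AD domain controller
      admin_server = dc1.example.com
   }
```

For mode B the host is joined with `net ads join -U Administrator` and the join is verified with `net ads testjoin` and `wbinfo -t` (machine trust account check) before clients are pointed at it.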
