[CentOS] Re: Fix passwd/shadow/group files? -- Samba 3.0 v. ADS v. CIFS

Bryan J. Smith b.j.smith at ieee.org
Sun Jul 17 14:54:33 UTC 2005


On Sun, 2005-07-17 at 22:29 +0800, Feizhou wrote:
> Since when did Samba manage to pull off becoming an ADS DC for Windows 
> 2000/XP workstations?

At this point, you're hopelessly lost.  I can keep talking about it, but
you won't get it until you have some "technical background."

First off, read up on Samba 3.0.  It is a set of "technologies" for
Windows interoperability.  To emulate an ADS DC, you have to add LDAP
and MS Kerberos into the mix.  It _only_ emulates it to a point.

At the _same_time_, read up on these "technologies" ...

1.  Naming Services:
DNS, UNIX resolver, Windows resolver modes, NetBIOS, WINS, SAP, NLSP

2.  Network Authentication:
NT Security Accounts Manager (SAM), NT/LAN Manager (NTLM), NTLMv2, RSA,
DH/DSS Kerberos, MS Kerberos

3.  Directory Services:
X.500 DAP, LDAP, Common UNIX Schema, Common Windows Schema

4.  File Services:  
NFSv2, NFSv3, NFSv4, SMB (various, incompatible versions), NCP, AFS

Once you have a "grasp" on the "technologies", you can understand how:  
- MS CIFS (NetBIOS/WINS, network-SAM, NTLM, SMB) 
- MS ADS (DNS, LDAP-SAM, MS Kerberos, SMB)
- Novell Bindery (SAP, Bindery, RSA, NCP)
- Novell NDS aka "eDirectory" (NLSP/DNS, X.500 DAP, RSA, NCP)
- Sun NIS (UNIX resolver, flat-maps, UNIX local, NFS)
- Sun NIS+ (UNIX resolver, DAP-like, RSA, NFS)
- Sun One (DNS, LDAP, RSA, NFS)

_Everything_ is _always_ "piecemeal" in a network.  CIFS, ADS, Bindery,
NDS, Sun One, etc... just present everything as "integrated."

A.  And also read up on client modifications like:  
- pGINA (replacement NT/200x/XP Graphical Login)
- NSSwitch (Linux, Solaris, others)
- PAM (Linux, Solaris, others)

You can use different client/server solutions in different networks,
_regardless_ of what the "real backend" may be.

The only "big issue" is what Microsoft is doing with ADS.  MS is
purposely tying its services to its own MS LDAP schema and interfaces
into that schema, in order to make all networks completely reliant on
its own, native ADS.  This will be a "moving target" for Samba.

The key is to _not_ adopt MS services that require those ADS-only schema
and interfaces -- e.g., MS Exchange, MS SQL Server, etc...  Enterprises
with 10,000+ nodes do _not_, because they do not scale.  In the worst
case, they limit their exposure to them -- "regionalize" or
"departmentalize" their deployment.


-- 
Bryan J. Smith                                     b.j.smith at ieee.org 
--------------------------------------------------------------------- 
It is mathematically impossible for someone who makes more than you
to be anything but richer than you.  Any tax rate that penalizes them
will also penalize you similarly (to those below you, and then below
them).  Linear algebra, let alone differential calculus or even ele-
mentary concepts of limits, is mutually exclusive with US journalism.
So forget even attempting to explain how tax cuts work.  ;->
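An added example to make the NSSwitch point in the post above concrete. It is not part of Bryan's message, of the thread, or of Samba's own code, and the nsswitch.conf it parses is a constructed sample rather than a file from the thread. The script reads glibc's nsswitch.conf syntax, including the "[STATUS=action]" groups, and simulates which backend ends up answering a passwd, shadow, group or hosts lookup. This is where the "piecemeal" client stack is wired together: "files winbind" keeps local accounts authoritative and only then asks Samba's winbind, while leaving "shadow" as "files" means password hashes are never fetched over NSS at all.

```python
"""Show how glibc's Name Service Switch decides which backend answers a
passwd/shadow/group/hosts lookup.  Added example; the nsswitch.conf below
is constructed, not taken from the thread or from any Samba documentation."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed client configuration: local files stay authoritative, winbind
# (Samba's NT-domain/ADS member daemon) supplies the rest.  'shadow' is
# deliberately files-only, so password hashes are never fetched over NSS.
SAMPLE_NSSWITCH = """\
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns [NOTFOUND=return] wins   # ask WINS only if DNS is unreachable
"""

STATUSES = ("success", "notfound", "unavail", "tryagain")
# glibc defaults: stop on a hit, keep going after any other status
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
ACTIONS = ("return", "continue", "merge")

Entry = Tuple[str, Dict[str, str]]  # (source, overrides of DEFAULT_ACTIONS)


def parse_nsswitch(text: str) -> Dict[str, List[Entry]]:
    """Map each database to its ordered sources with per-status actions."""
    dbs: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        db, spec = line.split(":", 1)
        entries: List[Entry] = []
        # tokens are either a source name or a "[STATUS=action ...]" group
        for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
            if not tok.startswith("["):
                entries.append((tok, {}))
                continue
            if not entries:
                raise ValueError(f"{db}: action group before any source")
            overrides = entries[-1][1]              # applies to preceding source
            for pair in tok[1:-1].split():
                status, action = pair.lower().split("=", 1)
                negate = status.startswith("!")
                status = status.lstrip("!")
                if status not in STATUSES or action not in ACTIONS:
                    raise ValueError(f"{db}: bad action spec {pair!r}")
                # "[!UNAVAIL=return]" means: return on every status but UNAVAIL
                targets = [s for s in STATUSES if s != status] if negate else [status]
                for s in targets:
                    overrides[s] = action
        dbs[db.strip()] = entries
    return dbs


def lookup_order(dbs: Dict[str, List[Entry]], database: str) -> List[str]:
    """Sources consulted for a database, in order, ignoring actions."""
    return [src for src, _ in dbs.get(database, [])]


def simulate_lookup(dbs: Dict[str, List[Entry]], database: str,
                    outcomes: Dict[str, str]) -> Tuple[List[str], Optional[str]]:
    """Walk the sources for `database`, treating `outcomes[source]` as the
    status that source reports (default: notfound).  Returns the sources
    actually consulted and the first source that answered, if any."""
    consulted: List[str] = []
    answered: Optional[str] = None
    for src, overrides in dbs.get(database, []):
        consulted.append(src)
        status = outcomes.get(src, "notfound")
        if status == "success" and answered is None:
            answered = src
        action = overrides.get(status, DEFAULT_ACTIONS[status])
        if action == "return":      # 'merge' keeps walking, like 'continue'
            break
    return consulted, answered


if __name__ == "__main__":
    nss = parse_nsswitch(SAMPLE_NSSWITCH)
    for db in ("passwd", "shadow", "group", "hosts"):
        print(f"{db:8s} -> {' '.join(lookup_order(nss, db))}")
    # DNS says "no such host": [NOTFOUND=return] stops before WINS is asked
    print(simulate_lookup(nss, "hosts", {"files": "notfound", "dns": "notfound"}))
    # DNS server unreachable: the default 'continue' lets WINS answer
    print(simulate_lookup(nss, "hosts",
                          {"files": "notfound", "dns": "unavail", "wins": "success"}))
```

The "[NOTFOUND=return]" on the hosts line is the detail most often misread: a negative answer from DNS ends the lookup, so WINS is only consulted when DNS is unreachable, which is exactly the fallback you want on a NetBIOS/WINS network without letting WINS override DNS. The same walk explains the thread's title: with "shadow: files" no directory source is ever asked for a password hash, so a domain account that resolves through winbind still has no local shadow entry and authentication has to go through PAM (pam_winbind or Kerberos) rather than through the shadow file.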