Bryan J. Smith wrote:
On Mon, 2005-07-18 at 08:41 +0800, Feizhou wrote:
Ok. Which ones? heimdal? MIT?
Both have some compatibility with MS Kerberos -- both its non-compliant with Kerberos 5 handshakes/datagrams as well as some extensions.
Can they act like a Windows ADS DC? Of course *NOT*! Why? Kerberos is just the authentication portion, it does not provide RPC services for Windows. Samba uses these newer Kerberos services, with its RPC capabilities, to provide those features at winlogon and other points.
Please don't cut out relevant stuff. This was purely about account management. I never asked whether heimdal or MIT kerberos can do ADS. The relevant stuff was:
------------------------
How do you get centralized user account management without MS Kerberos?
Again, MS Kerberos are just extensions to Kerberos, ones supported in
new, open source Kerberos 5 servers.
Ok. Which ones? heimdal? MIT?
------------------------
All I'm saying is that if you purposely put on the (actually _invalid_) constraint that Windows systems can only be managed by a combined set of services that act 100% like a MS ADS DC, then there's no point in even discussing this. The idea that every Microsoft administrative tool, schema extension and its tools, etc. will work with a 100% Samba 3.0 (_no_ MS ADS DCs) using Kerberos and LDAP for stores will simply be unlikely in the near future.
Forget administrative tools. Just the plain user account management regardless of administrative tool. Are you saying that a heimdal/MIT Kerberos server will be able to handle Windows 2000/XP clients without having to map kerberos principals to local accounts on each individual machine?
But can a set of "open systems" authentication, directory, naming and file services completely replace all the functionality you expect in a well-managed Windows network? Of course! But no, native MS ADS DCs aren't going to listen to it. But MS Windows 2000 Server and even Server 2003 _can_ be "member servers" under it -- just like Samba 3.0 can be a "member server" when true MS ADS DCs are "in charge."
It all depends on what you use.
So what do we use to provide the single logon Kerberos environment for Windows 2000/XP clients for an enterprise (you seem to use this for environments where there are hundreds if not thousands of desktops; that is what I mean here)?