Bryan J. Smith wrote:
It can _replace_ a native W2K ADS DC as of Samba 3.0, or be its "bitch" -- i.e., a "member server" in a native W2K ADS domain. It can't, however, be a peer DC to a native W2K ADS DC, and it probably never will, at least completely.
Feizhou feizhou@graffiti.net wrote:
Please explain this from the Samba Official Howto: "Samba-3 is not, and cannot act as, an Active Directory server. It cannot truly function as an Active Directory PDC"
The Samba documentation is saying the same thing I am.
What I'm clarifying in addition is that you do _not_ need ADS to authenticate Windows clients, use SMB services, etc...
*BUT* it cannot truly act as an ADS server, with all its services, compatibility, etc...
Are you saying that you can integrate Samba 3.0 with a Kerberos server implementation, an LDAP server implementation and DNS to give a half-cooked (forget Exchange, blah) but functional ADS DC to host an ADS domain for Windows XP clients to log on to?
In what context?
First off, you _can_ authenticate Windows 2000+ clients against Kerberos for various services. Or you can use NTLMv2 instead. You can use SMB signing, or you can disable it. Etc...
But, more directly, if you expect a Windows XP client to work with Samba+Kerberos+LDAP "out-of-the-box" you are greatly _mistaken_. Let me say that again, the "Windows XP _client_ to work ... out-of-the-box."
GOLDEN INSIGHT:
Windows domains and domain controllers (DCs) aren't about the server, they are about the _assumptions_ clients make. Until ADS, the DC functionality was really little more than a network-wise SAM database and a few services. With ADS, there are rich stores.
At login, you're talking about the GINA.
I know that's what everyone wants, the _client_ "out-of-the-box," and maybe some of those "most basic" of services that the native XP GINA for ADS will be reverse engineered to the point they will work with Samba+Kerberos+LDAP. But for now, they do not. And it's very likely Samba will _never_ offer the full ADS RPC suite; just enough for the native GINA will be all they can do.
And just in time for Microsoft to release Vista, which will make a whole new set of assumptions of services at the client. ;->