Bryan J. Smith wrote: > Bryan J. Smith wrote: > >>It can _replace_ a native W2K ADS DC as of Samba 3.0, or >>be its "bitch" -- i.e., a "member server" in a native W2K >>ADS domain. It can't, however, be a peer DC to a native >>W2K ADS DC, and it probably never will, at least > > completely. > > Feizhou <feizhou at graffiti.net> wrote: > >>Please explain this from the Samba Official Howto: >> "Samba-3 is not, and cannot act as, an Active >> Directory server. It cannot truly function as an >> Active Directory PDC" > > > The Samba documentation is saying the same thing I am. When you say replace a native W2K ADS DC, I get the impression that you mean it will do what a native W2K ADS DC does. >>Are you saying that you can integrate Samba 3.0 with a >>Kerberos server implementation, a LDAP server > > implementation > >>and dns to give a half-cooked (forget Exchange, blah) but >>functional ADS DC to host a ADS domain for Windows XP >>clients to logon to? > > > In what context? > > First off, you _can_ authenticate Windows 2000+ clients > against Kerberos for various services. Or you can use NTLMv2 > instead. You can use SMB signing, or you can disable it. > Etc... > > But, more directly, if you expect a Windows XP client to work > with Samba+Kerberos+LDAP "out-of-the-box" you are greatly > _mistaken_. Let me say that again, the "Windows XP _client_ > to work ... out-of-the-box." Well, when you say _native_, of couse we think 'out-of-the-box'. > > GOLDEN INSIGHT: > > Windows domains and domain controllers (DCs) aren't about the > server, they are about the _assumptions_ clients make. Until > ADS, the DC functionality was really little more than a > network-wise SAM database and a few services. With ADS, > there are rich stores. > > At login, you're talking about the GINA. > > I know that's what everyone wants the _client_ > "out-of-the-box," and maybe some of those "most basic" of > services that the native XP GINA for ADS will be reverse > engineered to the point they will work with > Samba+Kerberos+LDAP. But for now, they do not. And it's > very likely Samba will _never_ offer the full ADS RPC suite, > just enough for the native GINA will be all they can do. > > And just in time for Microsoft to release Vista, which will > make a whole new set of assumptions of services at the > client. ;-> > > Then please don't say 'replace a native Windows ADS DC'. It gives the wrong impression if you do not add, oh you can use a mysql server to authenticate if you change the GINA.