[CentOS] Re: SMB server with CentOS 4 -- native GINA login support

Wed Dec 7 18:03:45 UTC 2005
Feizhou <feizhou at graffiti.net>

Bryan J. Smith wrote:
> Bryan J. Smith wrote:
> 
>>It can _replace_ a native W2K ADS DC as of Samba 3.0, or
>>be its "bitch" -- i.e., a "member server" in a native W2K
>>ADS domain.  It can't, however, be a peer DC to a native
>>W2K ADS DC, and it probably never will, at least
> 
> completely.
> 
> Feizhou <feizhou at graffiti.net> wrote:
> 
>>Please explain this from the Samba Official Howto:
>>  "Samba-3 is not, and cannot act as, an Active
>>   Directory server. It cannot truly function as an
>>   Active Directory PDC"
> 
> 
> The Samba documentation is saying the same thing I am.

When you say replace a native W2K ADS DC, I get the impression that you 
mean it will do what a native W2K ADS DC does.

>>Are you saying that you can integrate Samba 3.0 with a
>>Kerberos server implementation, a LDAP server
> 
> implementation
> 
>>and dns to give a half-cooked (forget Exchange, blah) but
>>functional ADS DC to host a ADS domain for Windows XP
>>clients to logon to?
> 
> 
> In what context?
> 
> First off, you _can_ authenticate Windows 2000+ clients
> against Kerberos for various services.  Or you can use NTLMv2
> instead.  You can use SMB signing, or you can disable it. 
> Etc...
> 
> But, more directly, if you expect a Windows XP client to work
> with Samba+Kerberos+LDAP "out-of-the-box" you are greatly
> _mistaken_.  Let me say that again, the "Windows XP _client_
> to work ... out-of-the-box."

Well, when you say _native_, of course we think 'out-of-the-box'.

> 
> GOLDEN INSIGHT:
> 
> Windows domains and domain controllers (DCs) aren't about the
> server, they are about the _assumptions_ clients make.  Until
> ADS, the DC functionality was really little more than a
> network-wise SAM database and a few services.  With ADS,
> there are rich stores.
> 
> At login, you're talking about the GINA.
> 
> I know that's what everyone wants the _client_
> "out-of-the-box," and maybe some of those "most basic" of
> services that the native XP GINA for ADS will be reverse
> engineered to the point they will work with
> Samba+Kerberos+LDAP.  But for now, they do not.  And it's
> very likely Samba will _never_ offer the full ADS RPC suite,
> just enough for the native GINA will be all they can do.
> 
> And just in time for Microsoft to release Vista, which will
> make a whole new set of assumptions of services at the
> client.  ;->
> 
> 

Then please don't say 'replace a native Windows ADS DC'. It gives the 
wrong impression if you do not add, oh, you can use a MySQL server to 
authenticate if you change the GINA.