[CentOS] Re: Fix passwd/shadow/group files? -- Samba is not an enterprise directory solution ...

Bryan J. Smith

b.j.smith at ieee.org
Sun Jul 17 23:16:20 UTC 2005


From: Feizhou
> Yes, I was wondering whether you were trying to say that Samba
> could do the extra cruft MS threw into their
> Kerberos/LDAP/DNS thingamajig.

?  Microsoft uses SRV records in DNS.
That was actually a _good_ move.
Now their DNS-integrated ADS is another story.
Although I do have to say the current, split dhcpd, named, nmbd
strategy in the open source world is rather atrocious for private, enterprise network management.

But their extensions to Kerberos, that was questionable.
But _yes_, it has been documented, per their terms with MIT - even if delayed 2 years.
Kerberos implementations for UNIX/Linux, which Samba uses, _do_ fully support the extensions.

This has *0* to do with Samba, although Samba 3.0 can integrate with late BIND8.2 and BIND9 w/SRV,
as well as KDCs that also do the MS Kerberos extensions.
I think you need to _stop_ attributing these things to Samba;
there are other, piecemeal efforts involved.

> So not Samba 3.0 + non-MS Kerberos

New Kerberos/KDC implementations _support_ MS Kerberos.

> + non-MS LDAP

But what "MS LDAP"?
LDAP is simply a store!
Saying LDAP is like saying XML.
It is _not_ an end-usable standard, but standard ways of representing/accessing things.
What is used, and if that is a standard, that's what matters.
Samba 3.0 _can_ represent many things via SMB RPC to Windows clients and servers as if native.
It all depends.

> but Samba directing all to an ADS DC.

Ah, I think you're mega-oversimplifying things.
You do _not_ need to run a single native MS ADS server on your network to:
- Authenticate Windows clients via MS Kerberos (let alone with pGINA to standard Kerberos 5)
- Serve out SAM and other MS schema from its LDAP, the ones that have been documented
- Handle SMB signing and other protocol features (even ones that are mega-buggy in MS' own implementations)

At this point, Samba 3.0 is a _better_ SMB service for Windows 2000 than Windows Server 2003.
Microsoft has attested that it recommends only Windows XP Pro clients for full ADS 2003 support.
Ziff-Davis testing has shown this to be true.
Samba automagically optimizes for the client that is connecting,
with Microsoft giving up on performance/features on anything pre-NT5.1 (XP/2003).
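
Added example, not code from this post, from Samba or from Microsoft: the SRV-record mechanism the post calls a "good move" is how Windows clients locate domain controllers and KDCs (names such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>), and RFC 2782 specifies how a client orders the answers (lowest priority first, weighted random within a priority). The script below parses a constructed BIND zone fragment (example.com, the dc1/dc2 hosts, priorities and weights are all assumptions) and applies that ordering offline, so you can check what a client would try first without touching a real DNS server.

```python
"""RFC 2782 SRV-record parsing and target ordering (added example, not from
the post or Samba). The zone fragment, hostnames, priorities and weights
are constructed assumptions; nothing here touches the network."""
import random
import re
from dataclasses import dataclass

# Constructed zone fragment in BIND master-file syntax. Assumption: dc1 is
# the preferred LDAP DC (lower priority); both DCs serve Kerberos at equal
# priority with a 60/40 weight split.
ZONE = """\
$ORIGIN example.com.
_ldap._tcp.dc._msdcs  IN SRV 0  100 389  dc1.example.com.
_ldap._tcp.dc._msdcs  IN SRV 10 100 389  dc2.example.com.
_kerberos._tcp        IN SRV 0  60  88   dc1.example.com.
_kerberos._tcp        IN SRV 0  40  88   dc2.example.com.
_kpasswd._tcp         IN SRV 0  100 464  dc1.example.com.
_gc._tcp              IN SRV 0  100 3268 dc1.example.com.
"""


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_zone(text):
    """Return {owner_fqdn: [SRV, ...]} from a master-file fragment.
    Only $ORIGIN and SRV lines are understood; other lines are ignored."""
    origin = ""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = SRV_RE.match(line)
        if not m:
            continue
        owner = m.group("owner")
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"  # qualify relative owner names
        records.setdefault(owner.lower(), []).append(
            SRV(int(m.group("prio")), int(m.group("weight")),
                int(m.group("port")), m.group("target").rstrip(".").lower()))
    return records


def order_targets(rrset, rng=None):
    """Order an SRV RRset per RFC 2782: ascending priority; within one
    priority, repeatedly pick a target by weighted random selection."""
    rng = rng or random.Random()
    by_prio = {}
    for rr in rrset:
        by_prio.setdefault(rr.priority, []).append(rr)
    out = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(rr.weight for rr in pool)
            chosen = pool[0]  # all weights 0: any order is permitted
            if total > 0:
                r = rng.randint(0, total)  # 0..sum inclusive, as in RFC 2782
                acc = 0
                chosen = pool[-1]
                for rr in pool:
                    acc += rr.weight
                    if acc >= r:  # first record whose running sum reaches r
                        chosen = rr
                        break
            out.append((chosen.target, chosen.port))
            pool.remove(chosen)
    return out


def locate(service, proto, domain, records, rng=None, msdcs=False):
    """Resolve e.g. ('ldap', 'tcp') under domain, optionally in the
    dc._msdcs subtree AD clients query, to an ordered (host, port) list."""
    sub = "dc._msdcs." if msdcs else ""
    name = f"_{service}._{proto}.{sub}{domain}.".lower()
    return order_targets(records.get(name, []), rng)


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print("DCs:", locate("ldap", "tcp", "example.com", recs, msdcs=True))
    print("KDCs:", locate("kerberos", "tcp", "example.com", recs))
```

Point the script at a real zone dump (for example the SRV lines from `dig _kerberos._tcp.example.com SRV`) to see the order a client would try; the priority rule is deterministic, while the weight rule is random by design, so a server with weight 0 is only ever tried when everything else in its priority class has been exhausted.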
