[CentOS] Re: Fix passwd/shadow/group files? -- Samba 3.0 v. ADS v. CIFS

Feizhou feizhou at graffiti.net
Mon Jul 18 08:00:20 UTC 2005


Bryan J. Smith wrote:
> On Mon, 2005-07-18 at 08:41 +0800, Feizhou wrote:
> 
>>Ok. Which ones? heimdal? MIT?
> 
> 
> Both have some compatibility with MS Kerberos -- both its non-compliant
> with Kerberos 5 handshakes/datagrams as well as some extensions.
> 
> Can they act like a Windows ADS DC?  Of course *NOT*!  Why?
> Kerberos is just the authentication portion, it does not provide RPC
> services for Windows.  Samba uses these newer Kerberos services, with
> its RPC capabilities, to provide those features at winlogon and other
> points.
> 

Please don't cut out relevant stuff. This was purely about account 
management. I never asked whether heimdal or MIT kerberos can do ADS. 
The relevant stuff was:

------------------------

>> How do you get centralized user account management without
>> MS Kerberos?
>>
>
>
> Again, MS Kerberos are just extensions to Kerberos, ones supported in
> new, open source Kerberos 5 servers.
>
>
Ok. Which ones? heimdal? MIT?

------------------------

> All I'm saying is that if you purposely put on the (actually _invalid_)
> constraint that Windows systems can only be managed by a combined set of
> services that act 100% like a MS ADS DC, then there's no point in even
> discussing this.  The idea that every Microsoft administrative tool,
> schema extension and its tools, etc... will work with a 100% Samba 3.0
> (_no_ MS ADS DCs) using Kerberos and LDAP for stores will simply be
> unlikely in the near future.

Forget administrative tools. Just the plain user account management 
regardless of administrative tool. Are you saying that a heimdal/MIT 
Kerberos server will be able to handle Windows 2000/XP clients without 
having to map kerberos principals to local accounts on each individual 
machine?
> 
> But can a set of "open systems" authentication, directory, naming and
> file services completely replace all the functionality you expect in a
> well-managed Windows network?  Of course!  But no, native MS ADS DCs
> aren't going to listen to it.  But MS Windows 2000 Server and even
> Server 2003 _can_ be "member servers" under it -- just like Samba 3.0
> can be a "member server" when true MS ADS DCs are "in charge."
> 
> It all depends on what you use.
> 
> 

So what do we use to provide the single logon Kerberos environment 
for Windows 2000/XP clients for an enterprise (you seem to use this for 
environments where there are hundreds if not thousands of desktops, that 
is what I mean here)?
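For readers who have not done it, this is what "mapping kerberos principals to local accounts on each individual machine" looks like when a Windows 2000/XP workstation is pointed at a plain MIT or Heimdal KDC with ksetup. This is an added example, not part of the thread or of any project's documentation; the realm EXAMPLE.COM, the KDC host kdc.example.com and the account name alice are assumed placeholders.

```powershell
# Added example: per-workstation setup of a Windows 2000/XP client against a
# non-Microsoft Kerberos 5 KDC (MIT or Heimdal). Run from an elevated prompt on
# the client; a reboot is needed before the first Kerberos logon.
# Realm, KDC name, account name and password below are assumed placeholders.

# 1. Tell the Kerberos SSP which realm this machine belongs to and where its
#    KDC (and kpasswd server) lives. The client is NOT joined to any domain.
ksetup /setdomain EXAMPLE.COM
ksetup /addkdc EXAMPLE.COM kdc.example.com
ksetup /addkpasswd EXAMPLE.COM kdc.example.com

# 2. The KDC must hold a principal host/<this-fqdn>@EXAMPLE.COM whose password
#    equals the one set here (placeholder; on the KDC side, e.g. MIT kadmin:
#    addprinc -pw <same-password> host/ws01.example.com).
ksetup /setcomputerpassword "Assumed-Host-Pw-1"

# 3. The step the thread is arguing about: a Kerberos principal only gets a
#    logon session if it is mapped to a LOCAL account that already exists on
#    this workstation. There is no central account store on the client side.
net user alice * /add                      # prompts for a local password
ksetup /mapuser alice@EXAMPLE.COM alice

# Alternative: map every principal in the realm to a same-named local account.
# Still requires the local account to exist on each machine.
ksetup /mapuser * *

# 4. Verify what the SSP will use (realm, KDCs, mappings).
ksetup /dumpstate
```

Steps 1, 2 and 3 have to be repeated on every workstation, and the local account in step 3 has to be created on every workstation, which is exactly the administrative cost the message above is asking how to avoid; a domain join against an ADS DC (or a Samba 3.0 domain controller) replaces the per-machine mapping with a domain-wide account store.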


