[CentOS] Re: Fix passwd/shadow/group files? -- Samba 3.0 v. ADS v. CIFS

Sun Jul 17 14:22:18 UTC 2005
Bryan J. Smith <b.j.smith at ieee.org>

On Sun, 2005-07-17 at 09:13 -0500, Bryan J. Smith wrote:
> But no, Samba 3.0 cannot:  
> - Handle extensive, ADS-centric Schema (e.g., Exchange) and interfaces
> - Be a DC to other, native Windows DCs
> These are likely _never_ to happen (especially the first one).

But the good news with Samba 3.0 is that it _can_:  
- Be a BDC or PDC to native Windows NT 4.0 PDC or BDCs
- Completely emulate all CIFS/PDC functionality

In other words, you can replace _all_ NT 4.0 PDCs and/or BDCs with Samba
3.0.  You can even put in a Samba 3.0 instance as a BDC, then promote
it as a PDC with virtually no issue -- getting rid of any NT 4.0
requirement on your network.

You can then enable the ADS functionality, and have a network that looks
like an ADS domain from the Windows clients and even native Windows
member servers.

But no, it won't work with Windows services that extend the schema
(e.g., Exchange) and no, it won't replicate with native Windows DCs.

How you address that -- either making your UNIX network native Windows
ADS' bitch, or segmenting the UNIX and Windows networks and using
facilities to synchronize passwords, schema, etc... (be they free or
various commercial utilities) -- is up to you.

But Samba on its own is _not_ an "enterprise directory solution."  It is
just the facility by which various Windows interfaces and services are
supported.  Even it still relies on external LDAP and Kerberos
mechanisms for schemas/store and authentication/store, and you should
remember that those LDAP and Kerberos mechanisms can be used for _real_
UNIX capabilities outside of just Samba.  E.g., there are ways to store
various, former NIS maps in LDAP (such as NFS automounter maps), as well
as authenticating UNIX systems _directly_ with Kerberos.

Sometimes people get so focused on Samba, and using 2nd or even 3rd
compounded services upon compounded services through Samba -- they
forget to use the native UNIX service.  E.g., authenticating UNIX/Linux
users with NTLM, instead of just using Kerberos.


-- 
Bryan J. Smith                                     b.j.smith at ieee.org 
--------------------------------------------------------------------- 
It is mathematically impossible for someone who makes more than you
to be anything but richer than you.  Any tax rate that penalizes them
will also penalize you similarly (to those below you, and then below
them).  Linear algebra, let alone differential calculus or even ele-
mentary concepts of limits, is mutually exclusive with US journalism.
So forget even attempting to explain how tax cuts work.  ;->