On Mon, 2005-07-18 at 08:41 +0800, Feizhou wrote:
> Ok. Which ones? heimdal? MIT?

Both have some compatibility with MS Kerberos -- both its non-compliant with Kerberos 5 handshakes/datagrams as well as some extensions.

Can they act like a Windows ADS DC? Of course *NOT*! Why? Kerberos is just the authentication portion, it does not provide RPC services for Windows. Samba uses these newer Kerberos services, with its RPC capabilities, to provide those features at winlogon and other points.

All I'm saying is that if you purposely put on the (actually _invalid_) constraint that Windows systems can only be managed by a combined set of services that act 100% like a MS ADS DC, then there's no point in even discussing this. The idea that every Microsoft administrative tool, schema extension and its tools, etc... will work with a 100% Samba 3.0 (_no_ MS ADS DCs) using Kerberos and LDAP for stores will simply be unlikely in the near future.

But can a set of "open systems" authentication, directory, naming and file services completely replace all the functionality you expect in a well-managed Windows network? Of course! But no, native MS ADS DCs aren't going to listen to it. But MS Windows 2000 Server and even Server 2003 _can_ be "member servers" under it -- just like Samba 3.0 can be a "member server" when true MS ADS DCs are "in charge."

It all depends on what you use.

--
Bryan J. Smith b.j.smith at ieee.org
---------------------------------------------------------------------
It is mathematically impossible for someone who makes more than you to be anything but richer than you. Any tax rate that penalizes them will also penalize you similarly (to those below you, and then below them). Linear algebra, let alone differential calculus or even elementary concepts of limits, is mutually exclusive with US journalism. So forget even attempting to explain how tax cuts work. ;->