On 23/04/2008, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> This, if true, could probably be handy for some developers or anybody else to
> maybe improve the integration of oBSD into MS networks.
You can already fully emulate/replace Windows Primary Domain Controllers (and Backup DCs, and member servers) with OpenBSD, and interoperate with Windows servers:
http://www.kernel-panic.it/openbsd/pdc/

Btw., I heartily recommend Kernel Panic. It is a very nice site, with a cool OpenBSD section:
http://www.kernel-panic.it/openbsd.html

What Samba AFAIK still cannot currently do is fully replace/emulate Windows Active Directory Domain Controllers. It can interoperate in an AD network, and even AD DC functionality is *partially* implemented, but the work remains incomplete. (Cf. http://samba.org/samba/news/articles/abartlet_thesis.pdf -- 3 years old, but AFAIK still essentially correct.)

That said, IMHO there are fewer things wrong with using an OpenBSD/Samba-based NT4-style PDC/BDC domain than there are with using a Windows server-based AD domain.

I once had to rebuild a compromised Windows Server 2003 AD DC. The trouble was, with the preexisting backups (and out-of-the-box backup solutions), there didn't seem to be a way to wipe and reinstall the machine without losing the entire domain. So we wiped the box and reinstalled Windows Server 2003, and promoted the thing to an AD DC again, and even after restoring the backups found that we had to remove every single client from its old domain and add it to the new one, because the AD DC still considered itself master of a new domain, and even with the backed-up data there was no way to convince it to take over as the master of the old one. On top of that, all file shares were screwed, because there were now new GUIDs involved, and because the Windows boxen had had server-based profiles, no one could log on even after we fixed the above.
After manually applying permissions (which in Windows Server 2003 still aren't properly propagated/applied throughout all subfolders, which thus all need to be checked as well), it still barfed, and every single user had to create an entirely new profile and manually copy desired settings from the old to the new profile.

In summary: Windows AD networks don't just suck, they deep-throat. If there's any possibility that all of your AD DCs may get compromised simultaneously, and unless you have a *strongly* Windows Server-quirk-aware backup/restore solution that can fully restore AD DCs (and I'm not aware of any), then you're really gambling your entire network.

If you have a choice, wait till Samba becomes fully AD interoperable and in the meantime use OpenBSD/Samba PDCs, BDCs, and member servers. The above link should help you with that.

Thanks and regards,
--ropers
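For readers who want to see what the NT4-style PDC role ropers describes actually looks like in Samba terms, here is an added minimal smb.conf (example configuration written for this page, not taken from the post above or from the Kernel Panic guide it links). The workgroup name EXAMPLE, the NetBIOS name PDC, the filesystem paths under /var/samba, the "machines" Unix group and the /etc/samba/smb.conf location are all assumptions for illustration; the parameter names themselves are standard Samba 3 options.

```ini
; Assumed location: /etc/samba/smb.conf on the OpenBSD box acting as PDC.
; Everything named here (EXAMPLE, PDC, /var/samba/*, group "machines") is illustrative.
[global]
    workgroup = EXAMPLE
    netbios name = PDC
    server string = Samba PDC on OpenBSD

    ; Domain logons require user-level security and a local account database.
    security = user
    passdb backend = tdbsam

    ; These three lines make this host the NT4-style Primary Domain Controller.
    ; A Backup DC would use "domain master = no" and point at the PDC instead.
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

    ; Run WINS here so clients can locate the PDC without broadcasts.
    wins support = yes

    ; Roaming profiles and home drives; %L = this server's NetBIOS name, %U = user.
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon drive = H:
    logon script = logon.bat

    ; Create the Unix account behind a machine trust account when a client joins.
    ; "machines" is an assumed Unix group; the useradd flags are OpenBSD's.
    add machine script = /usr/sbin/useradd -d /nonexistent -s /sbin/nologin -g machines '%u'

; Required share for domain logons; clients fetch logon.bat from here.
[netlogon]
    path = /var/samba/netlogon
    read only = yes
    browseable = no

; Roaming profile store; restrictive masks keep one user's profile private.
[profiles]
    path = /var/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no

[homes]
    comment = Home Directories
    read only = no
    browseable = no
    valid users = %S
```

Two practical points follow directly from this layout: the domain's identity lives in the Samba account database (the tdbsam file and the domain SID it holds), so backing those up alongside the configuration is what makes a rebuilt PDC able to resume the *same* domain rather than start a new one, which is exactly the failure mode ropers hit with the Windows AD DC; and a second OpenBSD host configured identically except for "domain master = no" serves as the BDC the post mentions.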