On Tue, 11 Jun 2002, Paul Reilly wrote:

> I've been reading about setting up Samba as a PDC with LDAP storage.
> However if I am to do this it needs to co-exist with the existing windows
> NT domain using windows NT PDC's. Everything I've read so far says you
> can't have a Samba BDC unless it's in a Samba PDC controlled domain. Is this
> correct? Is there *any_possible_way* of having a Samba BDC get SAM updates
> from a windows NT PDC ?
>
> If not, is there any other way to sync an OpenLDAP server against a NT PDC ?

Might be possible, but first the disclaimer...

Disclaimer: I have absolutely zero knowledge of PDC/BDC/NT internals. Zero, zilch, rein, nothing, nil, nowt, ...

OK... At our site, we have just started dabbling with a thing called "Microsoft Services for UNIX" (hereinafter called "SFU") that our PC folk obtained.

Until now, our service has been basically UNIX. Although most of the user-visible front-end (i.e. desktop machines) is a variant of W2K, the "real work" has hitherto been UNIX: the identifier and password the user gives is actually a UNIX pair, used to authenticate their Samba drive from UNIX. (Behind the scenes on W2K, there was simply a blanket guest-type login just before this.)

Now... we are contemplating a migration to Active Directory ("AD") of these accounts: some 20,000 of them. (Gives me, as a UNIX person, the shudders, but that's another story...!) One reason is so that the id/pw pair can be a real Windows authentication, so they can do real Windozy things. We are very keen to preserve the "single authentication" model.

Our plan is to set up accounts for all users in AD. We would then use UNIX password-aging mechanisms to "persuade" all users to change their password "at leisure, in their own time". But behind the scenes we would be using the UNIX PAM module from Microsoft's SFU to copy (synchronise) these password changes out from UNIX into AD.

(We'll also be using SFU's corresponding "ssod" daemon for a small number of real-AD folk who might want to maintain synchronisation from AD towards UNIX.)

Our initial, very small, tests look promising.

I've no real idea whether that can map to your environment, but it might be worth looking at.

Hope that helps.

--
David Lee                          I.T. Service
Systems Programmer                 Computer Centre
                                   University of Durham
http://www.dur.ac.uk/t.d.lee/      South Road
                                   Durham
Phone: +44 191 374 2882            U.K.