On Tue, Jun 11, 2002 at 05:05:35PM +0100, David Lee wrote:
> On Tue, 11 Jun 2002, Paul Reilly wrote:
>
> > I've been reading about setting up Samba as a PDC with LDAP storage.
> > However if I am to do this it needs to co-exist with the existing windows
> > NT domain using windows NT PDC's. Everything I've read so far says you
> > can't have a Samba BDC unless it's in a Samba PDC controlled domain. Is this
> > correct? Is there *any_possible_way* of having a Samba BDC get SAM updates
> > from a windows NT PDC ?
> >
> > If not, is there any other way to sync an OpenLDAP server against a NT PDC ?
>
> Might be possible, but first the disclaimer...
>
> Disclaimer: I have absolutely zero knowledge of PDC/BDC/NT internals.
> Zero, zilch, rien, nothing, nil, nowt, ...
>
> At our site, we have just started dabbling with a thing called "Microsoft
> Services for UNIX" (hereinafter called "SFU") that our PC folk obtained.
>
> Until now, our service has been basically UNIX. Although most of the
> user-visible front-end (i.e. desktop machines) is a variant of W2K, the
> "real work" has hitherto been UNIX: the identifier and password the user
> gives is actually a UNIX pair, used to authenticate their Samba drive from
> UNIX. (Behind the scenes on W2K, there was simply a blanket guest-type
> login just before this.)
>
> Now... we are contemplating a migration to Active Directory ("AD") of
> these accounts: some 20,000 of them. (Gives me, as a UNIX person, the
> shudders, but that's another story...!) One reason is so that the id/pw
> pair can be a real Windows authentication, so they can do real Windozy
> things. We are very keen to preserve the "single authentication" model.
>
> Our plan is to set up accounts for all users in AD. We would then use
> UNIX password-aging mechanisms to "persuade" all users to change their
> password "at leisure, in their own time". But behind the scenes we would
> be using the UNIX PAM module from Microsoft's SFU to copy (synchronise)
> these password changes out from UNIX into AD. (We'll also be using SFU's
> corresponding "ssod" daemon for a small number of real-AD folk who might
> want to maintain synchronisation from AD towards UNIX.)

FWIW, what I'm hearing from the Kerberos world is that it's possible to
store all of your actual accounts in a traditional Unix KDC, creating a
trust relationship with your AD server, and still get most of the
"Windozy" things out of the mix. There's also a PAM module called
pam_krb5_migrate that can help with this as well, though I've never tested
it in a Solaris environment. It does at least require an MIT-like KDC
(Solaris probably qualifies) with matching client libraries (kadm5clnt).

Synchronizing passwords via PAM has always been hairy. Migrating to a
single unified backend such as Kerberos and using that for /all/ systems,
Windows and Unix, is a much more promising long-term solution.

Steve Langasek
postmodern programmer
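The cross-realm trust between a Unix KDC and Active Directory that the reply above refers to, shown as an added krb5.conf example that is not part of the original thread or of any project mentioned in it. It assumes a constructed MIT-style realm UNIX.EXAMPLE.COM served by kdc.unix.example.com and a constructed AD realm AD.EXAMPLE.COM served by dc1.ad.example.com; all realm names and hostnames are placeholders.

```ini
# Constructed example: client-side krb5.conf for a direct two-way
# cross-realm trust between a Unix KDC and an Active Directory realm.
[libdefaults]
    default_realm = UNIX.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    # The Unix KDC that holds the actual user accounts.
    UNIX.EXAMPLE.COM = {
        kdc = kdc.unix.example.com
        admin_server = kdc.unix.example.com
    }
    # The AD domain controller acts as the KDC for the Windows realm.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    # Map DNS names to realms so service tickets go to the right KDC.
    .unix.example.com = UNIX.EXAMPLE.COM
    unix.example.com  = UNIX.EXAMPLE.COM
    .ad.example.com   = AD.EXAMPLE.COM
    ad.example.com    = AD.EXAMPLE.COM

[capaths]
    # "." means the two realms trust each other directly, with no
    # intermediate realm in the authentication path.
    UNIX.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        UNIX.EXAMPLE.COM = .
    }
```

The configuration file alone does not create the trust. Both KDCs must also hold the shared cross-realm principals: on the Unix KDC, `krbtgt/AD.EXAMPLE.COM@UNIX.EXAMPLE.COM` and `krbtgt/UNIX.EXAMPLE.COM@AD.EXAMPLE.COM` (created with kadmin's `addprinc`), and on the Windows side the matching realm trust created by the domain administrators with the same trust password and an encryption type both KDCs support. A user holding a TGT from UNIX.EXAMPLE.COM can then obtain tickets for AD services without a second password store, which is the "single authentication" property the thread is after.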