On 1/17/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
-- Original message -- From: Paul Lussier [EMAIL PROTECTED]
Ben Scott [EMAIL PROTECTED] writes: Okay, but what does any of that Heimdal/Kerberos stuff have to do with authenticating NTLM clients?
Nothing, but
On 1/16/06, Bill McGonigle [EMAIL PROTECTED] wrote:
I read that as
saying, in order to be an AD DC, Samba would have to have all the
functionality it has now, plus all the functionality of an LDAP
server, plus all the functionality of a Kerberos server.
We have all those parts. It's unix.
Bill McGonigle [EMAIL PROTECTED] writes:
On Jan 16, 2006, at 11:26, Paul Lussier wrote:
Windows clients can not do resolution against one entity (LDAP) and
authentication against another (Kerberos) *unless* it's against Active
Directory.
AD does use LDAP and Kerberos for most of its heavy
Thomas Charron [EMAIL PROTECTED] writes:
True, however, it would seem Kenny seems to intend to not require
any auth traffic to have to go over the wire to the remote site. So
in reality, when authenticating via LDAP, he'd want to replicate the
LDAP server in TWO locations.
Not so! You
Ben Scott [EMAIL PROTECTED] writes:
Footnotes
-
[1] To the best of my knowledge, anyway. If someone knows of a
working, stable Samba AD DC implementation, please let me know!
Currently it is non-existent.
[2] I understand work is underway to add AD control eventually, but
until
[EMAIL PROTECTED] writes:
The reason for this is that people will travel between here and
there quite often,
Yeah, so. Just set the ACLs up to allow anyone in 'ou=*, ou=corp,
dc=foo, dc=com' access to whatever you want everyone to access.
This is completely ineffectual, since they will
On 1/17/06, Paul Lussier [EMAIL PROTECTED] wrote:
True, however, it would seem Kenny seems to intend to not require
any auth traffic to have to go over the wire to the remote site. So
in reality, when authenticating via LDAP, he'd want to replicate the
LDAP server in TWO locations.
Not
On 1/17/06, Paul Lussier [EMAIL PROTECTED] wrote:
[3] I expect that would include keeping the NTLM password hashes in
LDAP, but I don't really know.
That is correct, which is one of the reasons you can almost
approximate Kerberos authentication with Samba if you use the Heimdal
Kerberos
On 1/17/06, Paul Lussier [EMAIL PROTECTED] wrote:
You're lacking some ingenuity here. Every Samba server is the PDC for
its local physical network, and a BDC for the remote network.
Ummm... I'm pretty sure that's completely wrong. An NTLM server can
only be one thing; either a member, a
[EMAIL PROTECTED] writes:
-- Original message -- From: Thomas
Charron [EMAIL PROTECTED]
On 1/16/06, Paul Lussier [EMAIL PROTECTED] wrote:
True, however, it would seem Kenny seems to intend to not require
any auth traffic to have to go over the wire to
On Jan 17, 2006, at 09:55, Paul Lussier wrote:
No, WinBind, from:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/
winbind.html
states that it does exactly the opposite of what is desired here. It
allows a random UNIX box to authenticate against a Windows NT domain
Ben Scott [EMAIL PROTECTED] writes:
-- Ben Scott
I want to move to theory. Everything works there. -- Unknown
Actually, I think that was me!
I say that rather frequently, and I *know* I've said at Martha's
before... Of course, I could have stolen it from someone else, but if
so, I don't
On 1/17/06, Bill McGonigle [EMAIL PROTECTED] wrote:
Hmmm. What I know empirically is that when I set up a linux server to
participate in an AD domain, to authenticate the AD users I need to
have k5 and winbind working on the linux machine. Without Kerberos,
you go nowhere fast.
Yes.
On 1/16/06, Dan Jenkins [EMAIL PROTECTED] wrote:
Thomas Charron wrote: Umm. Note the features in Samba 3.0: *1) Active Directory support. Samba
3.0 is now able to ** join a ADS realm as a member server and authenticate ** users using LDAP/Kerberos. * I don't know if this is entirely accurate, as
On 1/17/06, Paul Lussier [EMAIL PROTECTED] wrote:
Thomas Charron [EMAIL PROTECTED] writes: He doesn't want 2 domains. He wants 1.
Then he can't do what he wants. What's the problem with two domains? Technically, they're *sub* domains, and for all intents and purposes, he manages them as one. The users
Ben Scott [EMAIL PROTECTED] writes:
Okay, but what does any of that Heimdal/Kerberos stuff have to do
with authenticating NTLM clients?
Nothing, but he keeps talking about AD authentication, which Kerberos
*would* be a component of if it would work. And at one point, there
was a more
Ben Scott [EMAIL PROTECTED] writes:
On 1/17/06, Paul Lussier [EMAIL PROTECTED] wrote:
You're lacking some ingenuity here. Every Samba server is the PDC for
its local physical network, and a BDC for the remote network.
Ummm... I'm pretty sure that's completely wrong. An NTLM server can
Bill McGonigle [EMAIL PROTECTED] writes:
Hmmm. What I know empirically is that when I set up a linux server to
participate in an AD domain, to authenticate the AD users I need to
have k5 and winbind working on the linux machine. Without Kerberos,
you go nowhere fast.
Correct, but that's to
By coincidence I just now stumbled across this link and
thought I'd pass it along on the chance it's at least of
passing interest to those reading this thread:
http://www.linuxformat.co.uk/modules.php?name=News&file=article&sid=217
I didn't read more than a few paragraphs so apologies
in
-- Original message --
From: Paul Lussier [EMAIL PROTECTED]
Ben Scott [EMAIL PROTECTED] writes:
Okay, but what does any of that Heimdal/Kerberos stuff have to do
with authenticating NTLM clients?
Nothing, but he keeps talking about AD authentication,
On Jan 17, 2006, at 18:36, [EMAIL PROTECTED] wrote:
They allow users to only have one password, and it allows me to be
lazy.
And never underestimate the value of a Post-It-Note-free security
regime.
-Bill
-
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC
On 1/17/06, Michael ODonnell [EMAIL PROTECTED] wrote:
By coincidence I just now stumbled across this link and
thought I'd pass it along on the chance it's at least of
passing interest to those reading this thread:
http://www.linuxformat.co.uk/modules.php?name=News&file=article&sid=217
More
Samba PDC at the
home office, and a Samba BDC at the remote site, regular user
authentication traffic at the remote site should use the BDC at that
site. Password changes and account modifications (including machine
trust account auto-updates) will have to go to the PDC (over the WAN),
though
On 1/17/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I wasn't explicitly wanting roaming profiles (as I view them as evil).
May I ask why?
I've generally found they make things a lot better. Lock down the
workstations, no root access for the lusers, use domain
authentication and roaming
On 1/17/06, Paul Lussier [EMAIL PROTECTED] wrote:
Have every samba server be the PDC for local, and the BDC for the
remote domains.
Ahhh, okay. Yah, that makes sense.
And yes, this would require separate instances of
Samba running on the same machine.
I believe you also need to bind
Ben Scott [EMAIL PROTECTED] writes:
In the case of a single NTLM domain, with a single Samba PDC at the
home office, and a Samba BDC at the remote site, regular user
authentication traffic at the remote site should use the BDC at that
site. Password changes and account modifications
, and you seem to know LDAP pretty
well, I've got a question: Assume the Samba PDC at the main office
passes the password change (or whatever) on to LDAP at the main
office, and that all succeeds and everything. How does the LDAP
server at the remote site know that the LDAP database at the home
on the subject, and you seem to know LDAP pretty
well, I've got a question: Assume the Samba PDC at the main office
passes the password change (or whatever) on to LDAP at the main
office, and that all succeeds and everything. How does the LDAP
server at the remote site know that the LDAP database
Tom Buskey [EMAIL PROTECTED] writes:
Samba as a PDC w/o any windows servers. Just clients.
Check out the Samba guides from the Bruce Perens series by PTR (which,
btw, are all downloadable in pdf from the side).
I don't remember the site, but googling for Bruce Perens PTR ought to
get you
On Jan 16, 2006, at 11:26, Paul Lussier wrote:
Windows clients can not do resolution against one entity (LDAP) and
authentication against another (Kerberos) *unless* it's against Active
Directory.
AD does use LDAP and Kerberos for most of its heavy lifting. Do we
know what the missing
On 1/16/06, Paul Lussier [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] writes: While I thoroughly enjoyed the well thought out LDAP plan, if you
notice, my question was more about the Samba set up. I already have LDAP set up in much that fashion. There are a few things that I did differently, but
-- Original message --
From: Paul Lussier [EMAIL PROTECTED]
[EMAIL PROTECTED] writes:
You seem to think there's a separation of components here. Not so.
Setting Samba up to use LDAP means to authenticate against LDAP.
Therefore, your LDAP configuration
These should get you started:
http://www.donour.com/prof/cifs2002.pdf.
http://info.ccone.at/INFO/Samba-2.2.12/Samba-PDC-HOWTO.html
http://www.dekart.com/support/howto/Howto-Logon-Samba/Samba_domain_controller/
FYI,
Kenny
-- Original message --
From: Tom Buskey
anything about LDAP. The LDAP server(s) speak LDAP to Samba, and
don't know anything about NTLM. Samba acts as a sort of gateway
between the two worlds.
NTLM password changes would have to go to the Samba PDC, which would
presumably push them to LDAP, which would then provide updated answers
to all
On 1/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
If the Windows client can't find its authentication point, it creates a
temporary profile on the system to allow login and deletes the profile when
the user logs off (I hate myself for knowing this...).
What you are describing are
-- Original message --
From: Ben Scott [EMAIL PROTECTED]
On 1/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
If the Windows client can't find its authentication point, it creates a
temporary profile on the system to allow login and deletes the profile when
On 1/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Yeah, I know. I was just demonstrating what happens when a laptop configured
as a
member of the HERE domain can't find its DC. IOW, it doesn't try to
authenticate
against the DC for the THERE domain.
Ah. Yes.
To further expand
Apparently the magic pixie dust is some sort of RPC mechanism.
Found this here:
http://info.ccone.at/INFO/Samba/Samba-Guide/kerberos.html
-
Active Directory Replacement with Kerberos, LDAP, and Samba
The Microsoft networking protocols extensively make use of remote
procedure call
On 1/16/06, Bill McGonigle [EMAIL PROTECTED] wrote:
Apparently the magic pixie dust is some sort of RPC mechanism. Found this here:
http://info.ccone.at/INFO/Samba/Samba-Guide/kerberos.html At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the Samba development roadmap.
On Monday 16 January 2006 05:48 pm, Thomas Charron wrote:
Umm. Note the features in Samba 3.0:
*1) Active Directory support. Samba 3.0 is now able to
** join a ADS realm as a member server and authenticate
** users using LDAP/Kerberos.
*
I don't know if this is entirely
Thomas Charron wrote:
On 1/16/06, Bill McGonigle [EMAIL PROTECTED] wrote:
At this time, the integration of LDAP, Kerberos, and the missing
RPCs is not on the Samba development roadmap. If it is not on the
published roadmap, it cannot be delivered anytime soon. Ergo, ADS
server support is
On 1/16/06, Bill McGonigle [EMAIL PROTECTED] wrote:
Apparently the magic pixie dust is some sort of RPC mechanism.
Found this here:
http://info.ccone.at/INFO/Samba/Samba-Guide/kerberos.html
I read that as a bit more than an RPC mechanism. I read that as
saying, in order to be an AD DC,
On Jan 16, 2006, at 18:24, Ben Scott wrote:
I read that as
saying, in order to be an AD DC, Samba would have to have all the
functionality it has now, plus all the functionality of an LDAP
server, plus all the functionality of a Kerberos server.
We have all those parts. It's unix. We link
Are there any good guides to this? I have an environment with several (6) Solaris 10 boxes w/ NIS and 2 Win XP Pro PCs. I have DNS only because the PCs don't do NIS for name resolution. Right now, I have Samba for home directories, but I want to do roaming profiles, etc so nothing is on the PC
Hi All,
I am in the process of replacing a Windows AD Domain controller with Samba and
LDAP. I have another office elsewhere in the world that is connected via an
IPSEC VPN. I want to create a secondary Samba/LDAP server in that office so
that they can authenticate against a local server
Hi All,
This is a simple one I am replacing a Windows AD Domain controller with a
Samba PDC and LDAP. I have Samba and LDAP set up using a different windows
domain name so that I can test things out. However, I want to pre-populate the
Samba PDC with machine accounts, users, etc. while
one I am replacing a Windows AD Domain controller
with a Samba PDC and LDAP. I have Samba and LDAP set up using a different
windows domain name so that I can test things out. However, I want to
pre-populate the Samba PDC with machine accounts, users, etc. while the
Windows AD PDC is running
Domain controller
with a Samba PDC and LDAP. I have Samba and LDAP set up using a different
windows domain name so that I can test things out. However, I want to
pre-populate the Samba PDC with machine accounts, users, etc. while the
Windows AD PDC is running. When I am ready to make