Samba PDC/BDC

klussier at comcast.net
Mon Jan 16 09:06:00 EST 2006


 -------------- Original message ----------------------
From: Paul Lussier <p.lussier at comcast.net>
> klussier at comcast.net writes:

> I wouldn't do it quite like that.  I would set up a multi-tiered
> environment.  Have a "corporate" PDC/LDAP/SAMBA controller which does
> not much more than deal with replication.  Then have 2 secondary
> servers which are local to each network.  Have these be sub-domains of
> the corporate.
> 
> For example:                   ou=corp, dc=foo, dc=com
>                                       /        \
>        ou=here, ou=corp, dc=foo, dc=com        ou=there,ou=corp,dc=foo,dc=com
> 
[SNIP]

While I thoroughly enjoyed the well thought out LDAP plan, if you notice, my question was more about the Samba set up. I already have LDAP set up in much that fashion. There are a few things that I did differently, but mostly it's the same. My question, however, was on the "Windows Domain". Can I have the same Windows Domain in both places (regardless of where they actually authenticate)? The reason for this is that people will travel between here and there quite often, and they would need to re-configure their laptops for a different domain every time in order to access the same information. Having the same Windows domain makes life easier for them, the user, and therefore, me, since I won't have to listen to the whining...

> etc.  I would recommend reading the O'Reilly book on LDAP, it gives a
> decent overview of this type of thing, as do the articles in LJ last
> year on LDAP Everywhere (actually, these articles were very good on
> the design architecture considerations, but light on the
> implementation details, but the O'Reilly book makes up for that.)

I read it. It was a while back, but it's a good book.

> LJ has also had a somewhat decent series of articles lately on LDAP,
> Samba, and Kerberos. The O'Reilly Kerberos book is a pretty decent
> gentle introduction to Kerberos, but the manuals from MIT are far
> better for actual configuration, installation, and administration
> info.

The Paranoid Penguin series on "Single Sign-On and the Corporate Directory". For anyone that hasn't read it, it is a great 3-part series (Dec.-Feb.) on using Samba, LDAP, and Kerberos to create a centralized single-sign-on authentication system for corporate environments. I considered doing this, but I just don't have the time to play with Kerberos.

[SNIP]
> Unfortunately, unless you
> use Active Directory, Windows is completely incapable of retrieving ns
> info from one location and authenticating somewhere else.  Samba is
> also the weak point here, since Samba isn't currently capable of
> authenticating against Kerberos on behalf of the client.  In order to
> do so, you'd need to have the client send passwords over the wire in
> cleartext.  Ideally, Samba and Windows would be able to connect to
> each other over an SSL/TLS connection, but don't believe that's
> possible either.  So, what you're left with is probably a Rube
> Goldberg option of using IPSec and configuring windows to use that in
> order to securely send its passwords in cleartext to the Samba
> server, which could then authenticate against Kerberos.

You should read the Paranoid Penguin in LJ. They explain how to pull the Windows systems into a single sign-on environment. Something about MIT Kerberos for Windows.

> Or, you could store all passwords in LDAP, which I believe is
> possible, but not overly desirable from a security perspective.

Not a good idea. Not horrible if the server itself is somewhat secure. But it's still not great.
 
> The real solution is to ditch anything related to Windows, and use
> AFS, Kerberos, and LDAP (Macs can handle this just fine, as can every
> Linux or BSD variant that I know of :)

I'll get there someday. Firefox is the default web browser for everyone, Thunderbird is the default e-mail client for Windows users, and OpenOffice is on every system. I don't buy PCs installed with Windows, and I have to order boxed product if I need Windows for something. Unfortunately, there are still some holdouts, and some valid reasons to run Windows (the only one I know of is to run Visio). But, that is a different debate :-)

C-Ya,
Kenny
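A Samba 3 smb.conf pair for the arrangement discussed in this thread (one Windows domain seen at both sites, a PDC at "corp" and a BDC at "here", both reading accounts from the replicated LDAP tree under ou=corp,dc=foo,dc=com). This is an added example, not configuration from the original thread; the domain name FOO, the NetBIOS names, the LDAP hostnames and the admin DN are assumed.

```ini
; ---- PDC at the "corporate" site (assumed host CORP-PDC) ----
; smb.conf does not allow trailing comments, so every comment sits on its own line.
[global]
    ; The one Windows domain both sites present, so travelling laptops never re-join.
    workgroup        = FOO
    netbios name     = CORP-PDC
    security         = user
    ; Act as a domain controller and hold the single PDC role.
    domain logons    = yes
    domain master    = yes
    local master     = yes
    preferred master = yes
    os level         = 65
    ; Accounts come from the directory, not a local tdb (assumed LDAP host).
    passdb backend   = ldapsam:ldap://ldap-corp.foo.com
    ; Keep the Samba-to-LDAP channel, including the admin bind, off the wire in clear.
    ldap ssl         = start tls
    ; Top of the tree from the quoted plan; user/group/machine suffixes are left at
    ; their default (the ldap suffix) so entries under ou=here and ou=there are both
    ; found by the subtree search.
    ldap suffix      = ou=corp,dc=foo,dc=com
    ; Bind DN (assumed); its password is stored with: smbpasswd -w <password>
    ldap admin dn    = cn=samba-admin,ou=corp,dc=foo,dc=com

; ---- BDC at the "here" site (assumed host HERE-BDC): same domain, different role ----
[global]
    workgroup        = FOO
    netbios name     = HERE-BDC
    security         = user
    domain logons    = yes
    ; Never claim the PDC role; win only the local browser election.
    domain master    = no
    local master     = yes
    preferred master = yes
    os level         = 65
    ; Read from the local LDAP replica (assumed host) so logons survive a WAN outage.
    passdb backend   = ldapsam:ldap://ldap-here.foo.com
    ldap ssl         = start tls
    ldap suffix      = ou=corp,dc=foo,dc=com
    ldap admin dn    = cn=samba-admin,ou=corp,dc=foo,dc=com
```

The BDC must carry the same domain SID as the PDC; on the BDC, `net rpc getsid` fetches it from the PDC before the first client joins.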


