Samba PDC/BDC

Paul Lussier p.lussier at comcast.net
Mon Jan 16 11:27:00 EST 2006


klussier at comcast.net writes:

> While I thoroughly enjoyed the well thought out LDAP plan, if you
> notice, my question was more about the Samba set up. I already have
> LDAP set up in much that fashion. There are a few things that I did
> differently, but mostly it's the same.

You seem to think there's a separation of components here.  Not so.
Setting Samba up to use LDAP means to authenticate against LDAP.
Therefore, your LDAP configuration plays an extremely important part in
your Samba configuration, since it becomes the authenticating agent
for the clients.  Your samba server is going to hand off all
authentication and authorization requests from the client to the LDAP
server!

> My question, however, was on the "Windows Domain". Can I have the
> same Windows Domain in both places (regardless of where they
> actually authenticate).

A member of a Windows Domain authenticates against its Domain
Controller.  Hence, my answer to set it up hierarchically using LDAP.
LDAP becomes your authenticating agent in your scheme, since there
is no "DC" per se, just a Samba server configured to hand off requests
to an LDAP server.  Have local DCs which authenticate users configured
such that either DC will allow users from both "domains" to access
everything via LDAP.

> The reason for this is that people will travel between here and
> there quite often,

Yeah, so.  Just set the ACLs up to allow anyone in 'ou=*, ou=corp,
dc=foo, dc=com' access to whatever you want everyone to access.

> I read it. It was a while back, but it's a good book.

Read it again.

> I considered doing this, but I just don't have the time to play with
> Kerberos.

Kerberos is about 20 min. to install and configure by my estimates.
(I've not actually installed Kerberos, but after managing it for 2.5
years, I can't see what would take much more than that.  Installing
the OS will take longer than setting up Kerberos.)  I'll concede, you
need to first understand what Kerberos is, but reading the
installation manual from MIT pretty much walks you through this and
gets you set up fairly quickly.

Of course, this still doesn't get you single sign-on completely.

> You should read the Paranoid Penguin in LJ. They explain how to pull
> the Windows systems into single sign-on environment.

I did, they don't, you can't.

Windows clients cannot do resolution against one entity (LDAP) and
authentication against another (Kerberos) *unless* it's against Active
Directory.  Samba cannot authenticate against Kerberos.

> Something about MIT Kerberos for Windows.

Yep, MIT Kerberos for Windows works great.  Still doesn't get you
single sign-on.

By the way, my definition of single sign-on is rather strict.  Not
only must the user be able to use the same username and passphrase
everywhere, but I as the administrator must have only and exactly *1*
location in which to manage *everything*.  This is not possible today
in a heterogeneous environment which includes products from Microsoft.
-- 

Seeya,
Paul
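The ACL idea Paul sketches above ("allow anyone in 'ou=*, ou=corp, dc=foo, dc=com' access"), written out as an OpenLDAP slapd.conf fragment. This is an added example, not configuration from the thread or from the Samba or OpenLDAP projects. It assumes the directory layout from the earlier LDAP plan: two sites kept as separate subtrees under ou=corp,dc=foo,dc=com, and Samba bound to the directory as the hypothetical service account cn=samba,ou=corp,dc=foo,dc=com (the DN you would put in smb.conf's "ldap admin dn"). The ou=siteA / ou=siteB names are placeholders.

```conf
# Added example (not from the thread): slapd.conf access rules for a
# two-site Samba+LDAP layout. Assumed, hypothetical DNs:
#   cn=samba,ou=corp,dc=foo,dc=com   Samba's bind account ("ldap admin dn")
#   ou=siteA,ou=corp,dc=foo,dc=com   users/groups/machines at one location
#   ou=siteB,ou=corp,dc=foo,dc=com   users/groups/machines at the other
#
# slapd evaluates "access to" clauses in order and stops at the first
# clause whose target matches, so the narrow password rule must come
# before the broad subtree rule or it will never be reached.

# Password hashes (Unix and Samba NT/LM): only the Samba service account
# and the owner may write them; clients may bind (auth) against them;
# nobody else may read them.
access to dn.subtree="ou=corp,dc=foo,dc=com"
        attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,ou=corp,dc=foo,dc=com" write
    by self write
    by anonymous auth
    by * none

# Everything else under ou=corp: the Samba account may write (it needs to
# update account attributes and add machine entries), and any user who
# has authenticated, from either site, may read. Because the target is
# the whole ou=corp subtree, a siteA user can resolve siteB accounts and
# groups and vice versa, which is what travelling between sites needs.
access to dn.subtree="ou=corp,dc=foo,dc=com"
    by dn.exact="cn=samba,ou=corp,dc=foo,dc=com" write
    by users read
    by * none
```

If only some entries should be visible across sites, narrow the second rule's target (for example one `access to dn.subtree="ou=siteA,..."` clause per site with a site-specific `by group/...` line) rather than loosening the first one; the password rule should stay as restrictive as shown regardless of how the read rules are split.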



More information about the gnhlug-discuss mailing list