Samba PDC/BDC
Thomas Charron
twaffle at gmail.com
Mon Jan 16 12:39:01 EST 2006
On 1/16/06, Paul Lussier <p.lussier at comcast.net> wrote:
>
> klussier at comcast.net writes:
> > While I thoroughly enjoyed the well thought out LDAP plan, if you
> > notice, my question was more about the Samba set up. I already have
> > LDAP set up in much that fashion. There are a few things that I did
> > differently, but mostly it's the same.
> You seem to think there's a separation of components here. Not so.
> Setting Samba up to use LDAP means to authenticate against LDAP.
> Therefore, your LDAP configuration plays an extremely important part in
> your Samba configuration, since it becomes the authenticating agent
> for the clients. Your samba server is going to hand off all
> authentication and authorization requests from the client to the LDAP
> server!
True, however, it would seem Kenny intends not to require any auth
traffic to go over the wire to the remote site. So in reality, when
authenticating via LDAP, he'd want to replicate the LDAP server in TWO
locations.
His primary question, however, is if he can have 2 Samba servers providing
authentication for one single Active Directory domain. This way both sites
would acknowledge the user's authentication within the domain.
Am I right here Kenny, or did I misread the question?
> > My question, however, was on the "Windows Domain". Can I have the
> > same Windows Domain in both places (regardless of where they
> > actually authenticate).
> A member of a Windows Domain authenticates against its Domain
> Controller. Hence, my answer to set it up hierarchically using LDAP.
But he wants to know if he can have multiple domain controllers
distributed across two physical locations, authing off of their own copies
of the LDAP tree.
It answers his question, but not clearly.. ;-)
> LDAP becomes your authenticating agent in your scheme, since there
> is no "DC" per se, just a Samba server configured to hand off requests
> to an LDAP server. Have local DCs which authenticate users configured
> such that either DC will allow users from both "domains" to access
> everything via LDAP.
He doesn't want 2 domains. He wants 1.
> > The reason for this is that people will travel between here and
> > there quite often,
> Yeah, so. Just set the ACLs up to allow anyone in 'ou=*, ou=corp,
> dc=foo, dc=com' access to whatever you want everyone to access.
That would work, but still require maintaining two separate directories.
Seems it'd be much easier to just have one and replicate the LDAP server.
> > I considered doing this, but I just don't have the time to play with
> > Kerberos.
> Kerberos is about 20 min. to install and configure by my estimates.
> (I've not actually installed kerberos, but after managing it for 2.5
> years, I can't see what would take much more than that. Installing
> the OS will take longer than setting up Kerberos.) I'll concede, you
> need to first understand what kerberos is, but reading the
> installation manual from MIT pretty much walks you through this and
> gets you set up fairly quickly.
Not only that, but a lot of the wizards out there make it relatively
painless. Until it breaks somewhere.. ;-)
Thomas
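As an added illustration of the setup discussed in this thread (one NT-style domain, a Samba 3 PDC at one site and a BDC at the other, each authenticating against its own local LDAP replica), here are the two smb.conf [global] sections side by side. This is example configuration, not anything posted by Thomas, Paul or Kenny; the domain name FOO, the suffix dc=foo,dc=com, the host names and the paths are assumptions. Each block is its own /etc/samba/smb.conf on the respective host.

```ini
# ---- /etc/samba/smb.conf on the PDC at site A (Samba 3.x, ldapsam backend) ----
[global]
   workgroup = FOO
   netbios name = PDC-SITEA
   security = user
   domain logons = yes
   ; only the PDC holds the domain master role
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65

   ; authenticate against the LDAP replica running on this host, over StartTLS,
   ; so the admin bind and password hashes do not cross the wire in clear
   passdb backend = ldapsam:ldap://localhost
   ldap ssl = start tls
   ldap suffix = dc=foo,dc=com
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ; the bind password is stored in secrets.tdb with: smbpasswd -w <password>
   ldap admin dn = cn=samba,dc=foo,dc=com
   ldap passwd sync = yes

   logon path = \\%L\profiles\%U
   logon drive = H:

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700

# ---- /etc/samba/smb.conf on the BDC at site B: same domain, same tree, different role ----
[global]
   workgroup = FOO
   netbios name = BDC-SITEB
   security = user
   domain logons = yes
   ; a BDC must NOT claim the domain master role
   domain master = no
   ; but it should win the local browser election at its own site
   preferred master = yes
   local master = yes
   os level = 65

   ; points at the site-B replica, so logons at site B never cross the WAN
   passdb backend = ldapsam:ldap://localhost
   ldap ssl = start tls
   ldap suffix = dc=foo,dc=com
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=samba,dc=foo,dc=com
   ldap passwd sync = yes

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
```

Two checks worth doing before pointing clients at this. First, both DCs must present the same domain SID; with ldapsam Samba 3 reads it from the sambaDomain object in LDAP (sambaDomainName=FOO), so once the tree is replicated `net getlocalsid` on both hosts should print the same value. Second, LDAP replication is normally one-way: writes made at the BDC (password changes, machine accounts created when a workstation joins at site B) are referred to the master and then replicated back, which is what the `ldap replication sleep` parameter exists for; if the replica is read-only and does not return referrals, those operations will fail at site B.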