Samba PDC/BDC

Ben Scott dragonhawk at gmail.com
Mon Jan 16 16:15:01 EST 2006


On 1/16/06, klussier at comcast.net <klussier at comcast.net> wrote:
> Yeah, I know. I was just demonstrating what happens when a laptop configured as a
> member of the "HERE" domain can't find its DC. IOW, it doesn't try to authenticate
> against the DC for the "THERE" domain.

  Ah.  Yes.

  To further expand upon that (for the benefit of you or others):
Suppose we have two SMB domains, FLINSTONE and RUBBLE.  Each has one
DC: FRED is the DC for FLINSTONE; BARNEY is the DC for RUBBLE.  We
have a client, PEBBLES, which is a member of the FLINSTONE domain. 
The two domains trust each other.

  PEBBLES will only contact FRED for authentication services.   Even
if someone with a user account from the RUBBLE domain tries to log on
to PEBBLES, PEBBLES will *not* contact BARNEY directly.  PEBBLES still
passes the authentication request on to FRED.  The client is not
responsible for, or even much aware of, domain trusts.

  Since the FLINSTONE domain has a trust relationship with RUBBLE,
FRED will pass the authentication request from PEBBLES on to BARNEY. 
Assuming the request succeeds, BARNEY will return a token to FRED, who
in turn passes it on to PEBBLES for the user's logon session.

  Note that any or all of the above can take place with Samba, so this
isn't necessarily a doze-only scenario.  (Although why you'd use SMB
in a homogeneous nix environment, I don't know.)

  Hmmm, wait, come to think of it, I don't actually know if
Samba-as-a-DC lets you create trusts between the Samba-controlled
domain and other domains.  But the rest is all there.  (Samba will
definitely recognize a trust relationship created in other domains.)

> ... most people really don't care how it all works (when it works, that is :-)

  Isn't it always that way?  :-)

-- Ben Scott
"I want to move to theory.  Everything works there." -- Unknown
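
The pass-through exchange described in the message above, as an added example that is not part of the original post: a toy Python model (not Samba or Windows code; the class names, accounts and token format are constructed) that records every hop. It shows that PEBBLES only ever talks to FRED, and that a RUBBLE logon fails when FRED is unreachable even though BARNEY is up.

```python
"""Toy model of pass-through authentication across a domain trust.
Constructed for illustration; not Samba or Windows code."""

class DomainController:
    def __init__(self, name, domain, users, online=True):
        self.name, self.domain = name, domain
        self.users = users          # constructed sample accounts: user -> password
        self.trusted = {}           # trusted domain name -> that domain's DC
        self.online = online

    def authenticate(self, src, domain, user, password, trace):
        trace.append((src, self.name))          # record every hop attempted
        if not self.online:
            return None                         # DC unreachable: no answer
        if domain == self.domain:               # account lives in our own domain
            if self.users.get(user) == password:
                return f"token:{domain}\\{user}"
            return None
        peer = self.trusted.get(domain)         # trust is evaluated on the DC
        if peer is None:
            return None                         # no trust: request is refused
        # Pass the request through and relay whatever the trusted DC returns.
        return peer.authenticate(self.name, domain, user, password, trace)


class Member:
    """A domain member knows only the DC of the domain it joined."""
    def __init__(self, name, dc):
        self.name, self.dc = name, dc

    def logon(self, domain, user, password):
        trace = []
        token = self.dc.authenticate(self.name, domain, user, password, trace)
        return token, trace


def build_lab():
    fred = DomainController("FRED", "FLINSTONE", {"wilma": "pw-w"})
    barney = DomainController("BARNEY", "RUBBLE", {"betty": "pw-b"})
    fred.trusted["RUBBLE"] = barney             # the two domains trust each other
    barney.trusted["FLINSTONE"] = fred
    return fred, barney, Member("PEBBLES", fred)


if __name__ == "__main__":
    fred, barney, pebbles = build_lab()
    print(pebbles.logon("RUBBLE", "betty", "pw-b"))   # two hops, via FRED
    fred.online = False                               # member cannot find its DC
    print(pebbles.logon("RUBBLE", "betty", "pw-b"))   # fails; BARNEY never asked
```
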


