Samba PDC/BDC

Paul Lussier p.lussier at comcast.net
Tue Jan 17 09:56:01 EST 2006


Bill McGonigle <bill at bfccomputing.com> writes:

> On Jan 16, 2006, at 11:26, Paul Lussier wrote:
>
>> Windows clients can not do resolution against one entity (LDAP) and
>> authentication against another (Kerberos) *unless* it's against Active
>> Directory.
>
> AD does use LDAP and Kerberos for most of its heavy lifting.  Do we
> know what the missing magic pixie dust is to tie this together?

Yes, the proprietary extensions to Kerberos that MS added.  Also, it
is incorrect to claim that AD uses LDAP and Kerberos.  AD is *based*
on LDAP, Kerberos, and several other components, like DHCP and DNS.
AD is an all-encompassing Directory Services server, and you can turn
off certain components like DNS or DHCP.  However, an AD server wants
to be its own DNS server, in its own domain, etc.  A Windows client
resolves queries and authenticates against an AD system *NOT* using
the standard LDAP or Kerberos protocols, but rather a special,
proprietary protocol.  Therefore, a Windows client uses LDAP and
Kerberos together only when directed towards an AD server and has no
way of knowing how to separate the LDAP query from the Kerberos
authentication query.  As far as the Windows client is concerned, there
is only an AD query which may or may not include an LDAP, Kerberos, DNS,
or DHCP component.

>> Samba can not authenticate against Kerberos.
>
> Doesn't winbind accomplish this?

No, WinBind, from:
  http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

states that it does exactly the opposite of what is desired here.  It
allows a random UNIX box to authenticate against a Windows NT domain
controller.

I guess, if you wanted all your account management in one place, and
you didn't mind the management of said accounts being done on a
Windows system, then that *might* get you the Holy Grail of single sign-on.

My dream is to ultimately have Windows be "just another OS" in an
environment which is managed from a central UNIX environment.  I can
already do this with all variants of UNIX/Linux, and MacOS.  Windows
is the last hold out (as usual).
 
Unfortunately, until MS either decides it's in their best interests to
allow us to do what we want, or someone reverse-engineers AD
queries, we're stuck.
-- 

Seeya,
Paul