Samba PDC/BDC

Ben Scott dragonhawk at gmail.com
Tue Jan 17 11:20:01 EST 2006


On 1/17/06, Paul Lussier <p.lussier at comcast.net> wrote:
>>   True, however, it would seem Kenny seems to intend to not require
>> any auth traffic to have to go over the wire to the remote site.  So
>> in reality, when authenticating via LDAP, he'd want to replicate the
>> LDAP server is TWO locations.
>
> Not so! You have an LDAP server in both locations, both of which are
> children of the ou=corp,ou=foo,ou=bar domain and allow *any member* of
> that super-domain access.

  You keep speaking in terms of LDAP servers and LDAP domains and
such.  Kenny's ultimate goal is to let Windows clients authenticate
using NTLM.  It would probably help the discussion to put things in
that context.

  In particular, if the goal is to have a single NTLM domain, I don't
know if or how that might affect the LDAP directory design. 
Certainly, a single NTLM domain would not be able to cope with LDAP's
concept of common names made unique only by domain contexts.  I would
guess one would have to have some sort of directory-wide, flat, unique
name attribute in that case.

  Something just occurred to me: If one wants to maintain a clean
separation of systems between the two sites, the logical way to do
this would be with two separate NTLM domains which trust each other. 
Create corresponding NTLM domains for each context in the LDAP tree. 
Have the Samba server(s) at each site be DC(s) for the NTLM
domains of the local site.  Have Samba authenticate the domain to a
particular context in LDAP.

  In this scenario, NTLM members which visit the other site (laptops)
would generally want to send their authentication requests over the
inter-site link.  You should be able to use another Samba instance
running as a BDC at the alternate site to help reduce that.

  I just checked the Samba HOWTO, and it claims Samba 3 does fully
support the creation and maintenance of inter-domain trust
relationships.  See: http://tinyurl.com/bbkt4

  Keep in mind that I've never tried any of the above.  :-)

> Then he can't do what he wants.  What's the problem with two domains?

  Two LDAP domains or two NTLM domains?

-- Ben "Who's on first?" Scott
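The two-domain layout sketched in the message above (one NTLM domain per site, each Samba DC authenticating against its own context in the shared LDAP tree, plus a BDC of the remote domain at the local site for visiting laptops) can be expressed as two smb.conf fragments. This is an added example and not configuration from the thread or from the Samba project; the hostnames, domain names, the ou=sitea/ou=siteb contexts beneath ou=corp,ou=foo,ou=bar, and the admin DN are all constructed placeholders.

```ini
# Added example: Samba 3 smb.conf fragments for a two-site, two-NTLM-domain design.
# All hostnames, domain names and DNs below are constructed placeholders.

# --- Site A PDC: authenticates the SITEA domain against the ou=sitea context ---
[global]
    workgroup = SITEA
    netbios name = SAMBA-A1
    security = user
    domain logons = yes
    domain master = yes        ; PDC role for SITEA
    local master = yes
    preferred master = yes
    os level = 65
    ; one LDAP context per NTLM domain, so names only need to be unique inside it
    passdb backend = ldapsam:ldap://ldap-a.example.invalid
    ldap suffix = ou=sitea,ou=corp,ou=foo,ou=bar
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap admin dn = cn=samba,ou=sitea,ou=corp,ou=foo,ou=bar
    ; password hashes travel between Samba and the directory, so require TLS
    ldap ssl = start tls

# --- Site A host acting as BDC of the SITEB domain, for SITEB laptops visiting A ---
# (a mirror-image fragment, SITEA BDC at site B, serves SITEA laptops visiting B)
[global]
    workgroup = SITEB
    netbios name = SAMBA-B-BDC
    security = user
    domain logons = yes
    domain master = no         ; BDC: never claim the domain master role from the SITEB PDC
    local master = yes
    os level = 64
    ; prefer the local LDAP replica; fall back to the remote master over the inter-site link
    passdb backend = ldapsam:"ldap://ldap-a.example.invalid ldap://ldap-b.example.invalid"
    ldap suffix = ou=siteb,ou=corp,ou=foo,ou=bar
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap admin dn = cn=samba,ou=siteb,ou=corp,ou=foo,ou=bar
    ldap ssl = start tls
```

Two practical checks before trusting this layout. First, the BDC only reduces inter-site authentication traffic if the ou=siteb context is actually replicated to ldap-a, since the BDC reads the NTLM password hashes from the directory, not from the PDC; the BDC must also carry the same domain SID as its PDC (Samba's `net getlocalsid` and `net rpc getsid` exist for checking and fetching it). Second, the ldap admin dn password is stored in secrets.tdb via `smbpasswd -w`, and the sambaNTPassword and sambaLMPassword attributes are password-equivalent, so the directory ACLs should allow only the Samba admin DN of the matching context to read them, and replication should run over TLS. The inter-domain trust itself is set up with the Samba 3 `net rpc trustdom` subcommands that the HOWTO linked in the message describes; it is separate from the LDAP design and does not require the two contexts to share a flat namespace.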
