Samba PDC/BDC

[Paul Lussier]

klussier at comcast.net writes:

>  -------------- Original message ---------------------- From: Thomas
> Charron <twaffle at gmail.com>
>> On 1/16/06, Paul Lussier <p.lussier at comcast.net> wrote: >
>> 
>>   True, however, it would seem Kenny seems to intend to not require
>> any auth traffic to have to go over the wire to the remote site.  So
>> in reality, when authenticating via LDAP, he'd want to replicate the
>> LDAP server is TWO locations.
>
> Exactly. Replicate LDAP via slurpd to the remote site. The remote site
> has a Samba server pointing to the local replicated LDAP server.

Except that the authentication traffic transiting to the remote site
is a whole lot less of a probem than the roaming profiles transiting
the wire.  Unless you're planning on replicating the Samba
configuration to both places as well, which is a *LOT* more work than
just running slurpd.

>>   His primary question, however, is if he can have 2 Samba servers
>> providing authentication for one single Active Directory domains.

If that's the case, then no.  Samba can not provide authentication for
Active Directory Domains.  As Ben pointed out, Samba, at the current
time is strictly limited to serving and approximating the controller
for an NT domain, which is NTLM and *DISTINCTLY DIFFERENT* than an
Active Directory domain.

> This is exactly what I want to do. I want to have the Windows domain
> of "CORP" (why does Windows do everything in uppercase, anyway?!) in
> both places, each Samba server authenticating against it's local LDAP
> tree. I don't see any reason that this shouldn't work, since NetBIOS
> won't traverse the VPN, but there could be issues with SID's or RID's

This should work fine, in theory...

> or whatever AD has these days.

except YOU CAN'T SERVE AD DOMAINS WITH ANYTHING BUT A WINDOWS AD SERVER!!!!!

You can serve up an NT-style NTLM domain, but not AD.

-- 

Seeya,
Paul