Samba PDC/BDC

klussier at comcast.net klussier at comcast.net
Tue Jan 17 18:37:01 EST 2006


 -------------- Original message ----------------------
From: Paul Lussier <p.lussier at comcast.net>
> Ben Scott <dragonhawk at gmail.com> writes:
> 
> >   Okay, but what does any of that Heimdal/Kerberos stuff have to do
> > with authenticating NTLM clients?
> 
> Nothing, but he keeps talking about AD authentication, which Kerberos
> *would* be a component of if it would work.  And at one point, there
> was a more generic single-sign on discussion which included this as
> well, but has since gotten lost in the noise.

*HE* has been in meetings most of the day and hasn't said much of anything :-) What I originally said was that I am replacing an AD server. I inherited a Windows server that is acting as an AD domain controller. It is a terrible POS and is constantly having problems. So, I am replacing it with a Samba server. I am going to use an LDAP back end for many, many reasons. All of this is happening in the main office.

We also have a branch office in another country. They want to be able to access everything here. So, the easiest way is centralized authentication. I don't want them logging into a server over there and have the auth traffic traversing the VPN every time, so I will replicate the LDAP database to a local LDAP server over there (which is really easy once you get slurpd to actually work!!). 

My question was originally "Can I have a Samba server over there act as a PDC for them using the same Windows Domain". That question came about because it was brought to my attention that there will be traveling between here and there quite often, and re-configuring their laptops for a different windows domain is a PITA. 

The roaming profile thing was merely an example of the authentication process. I wasn't explicitly wanting roaming profiles (as I view them as evil). I am also not a fan of SSO. It is a human security hole. However, centralized authentication and centralized administration are good. They allow users to only have one password, and it allows me to be lazy. I see nothing wrong with this :-) 

But, for those of you just joining the thread, the answer so far is:

1) Yes, you can do that.

2) No, you can't do that.

3) You might be able to do that, but only if you do something completely different than what you originally wanted to do.

4)42

C-Ya,
Kenny
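As an added illustration of the layout Kenny describes (one Windows domain, a Samba 3 PDC in the main office and a Samba 3 BDC in the branch, both reading accounts from LDAP, with the branch reading a slurpd-fed replica), here are two minimal smb.conf files; this is example configuration, not Kenny's, and the domain name, host names, LDAP suffix and admin DN are assumed placeholders.

```ini
# --- Main office: /etc/samba/smb.conf on the Samba 3 PDC ---
[global]
    workgroup        = EXAMPLE
    netbios name     = PDC-MAIN
    security         = user
    domain logons    = yes
    # Exactly one server in the domain may claim the PDC role.
    domain master    = yes
    preferred master = yes
    os level         = 65
    # Accounts come from LDAP; STARTTLS keeps the admin DN bind and the
    # NT password hashes off the wire (password set with 'smbpasswd -w').
    passdb backend   = ldapsam:ldap://ldap-main.example.com
    ldap ssl         = start tls
    ldap suffix      = dc=example,dc=com
    ldap admin dn    = cn=samba,dc=example,dc=com
    ldap user suffix    = ou=People
    ldap group suffix   = ou=Groups
    ldap machine suffix = ou=Computers
    # Empty logon path = no roaming profiles; profiles stay on each PC.
    logon path       =

# --- Branch office: /etc/samba/smb.conf on the Samba 3 BDC ---
[global]
    workgroup        = EXAMPLE
    netbios name     = BDC-BRANCH
    security         = user
    domain logons    = yes
    # Same domain, but never claim the PDC role across the VPN.
    domain master    = no
    preferred master = no
    os level         = 33
    # Read the local slurpd replica; the replica's 'updateref' refers any
    # write (e.g. a new machine account) back to the master over the VPN.
    passdb backend   = ldapsam:ldap://ldap-branch.example.com
    ldap ssl         = start tls
    ldap suffix      = dc=example,dc=com
    ldap admin dn    = cn=samba,dc=example,dc=com
    ldap user suffix    = ou=People
    ldap group suffix   = ou=Groups
    ldap machine suffix = ou=Computers
    # Milliseconds to wait after a referred write before re-reading the
    # replica, so slurpd has time to push the change back.
    ldap replication sleep = 1000
    logon path       =
```

The BDC must also carry the same domain SID as the PDC (fetch it with `net rpc getsid` on the BDC and compare `net getlocalsid` on both), or clients will see two different domains.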


