Bryan J. Smith
2005-Jul-17 23:16 UTC
[CentOS] Re: Fix passwd/shadow/group files? -- Samba 3.0 v. ADS v. CIFS
From: Feizhou

> You assume too much and you are not clear enough in what
> you post.

You didn't even know what a KDC was, so my assumptions were pretty easy to make. You keep saying "Samba, Samba, Samba" over and over like Samba does it all. It does _not_.

> Geez....I've been trying to get whether you are saying there was a way
> to do the whole ADS DC thing without a MS-Kerberos in the mix.

And I've been trying to tell you that:
1) MS Kerberos extensions are now part of UNIX/Linux Kerberos 5 implementations
2) Hence why Samba 3.0 does _not_ provide this, it merely uses it.

So _yes_, you _can_ bypass the need for a native Windows ADS DC on your network! But _no_, Samba 3.0 does not provide functionality for sync'ing Samba DC to MS ADS DC. It's an "all Samba" or "all MS DC" choice.

> How do you get centralized user account management without
> MS Kerberos?

Again, MS Kerberos are just extensions to Kerberos, ones supported in new, open source Kerberos 5 servers. If they hadn't, then Samba 3.0 would not be able to act as either a member server in a MS ADS network, or emulate a MS Kerberos KDC without one.

This has *0* to do with Samba.

There are thousands upon thousands of enterprises running with Novell eDirectory, NsDS, Sun One, etc.. using their own management suite for Windows clients. In many cases, a few are vastly more experienced, featured and superior IMHO.

I think what you're looking for is an experience where all the interfaces and schema are emulated so you can run any Microsoft management tools, tools written explicitly for undocumented MS schema and interfaces. You're looking at the problem from an impossible solution standpoint.

That's the problem.
Feizhou
2005-Jul-18 00:41 UTC
[CentOS] Re: Fix passwd/shadow/group files? -- Samba 3.0 v. ADS v. CIFS
>> How do you get centralized user account management without
>> MS Kerberos?
>
> Again, MS Kerberos are just extensions to Kerberos, ones supported in new, open source Kerberos 5 servers.

Ok. Which ones? heimdal? MIT?

> If they hadn't, then Samba 3.0 would not be able to act as either a member server in a MS ADS network,
> or emulate a MS Kerberos KDC without one.
> This has *0* to do with Samba.

Yeah, I know. But you say Samba could emulate a MS Kerberos and I don't remember seeing anything about open source Kerberos V implementations such as heimdal or MIT supporting MS Kerberos extensions. So that makes me wonder whether you are trying to say the Samba team is doing their own LDAP and KDC.

> There are thousands upon thousands of enterprises running with Novell eDirectory, NsDS, Sun One, etc.. using their own management suite for Windows clients.

and by installing their own GINA?

> In many cases, a few are vastly more experienced, featured and superior IMHO.
>
> I think what you're looking for is an experience where all the interfaces and schema are emulated so you can run any Microsoft management tools,

No. I don't care too much about Microsoft management tools so long as there is one under Unix.

> tools written explicitly for undocumented MS schema and interfaces.
> You're looking at the problem from an impossible solution standpoint.
>
> That's the problem.

Could be. That's why I am trying to understand just what part of MS Kerberos can be found in open source Kerberos servers as you say.