We are looking at implementing a Windows Domain structure very soon and I have been asked to evaluate/investigate the differences between using Samba as a DC vs a true Win2K DC. We run TCP/IP and AppleTalk on a 100Base-T network. I'm the main Microsoft person in the group and have a lot of Windows experience (9x - XP). We currently have a primary NT 4 domain controller mainly acting as a print and software install server. 99% of workstations are in workgroup mode. We have a contingent of Mac users (OS 9 and above) who also utilize the DC for printing and software installation. I know the full capabilities of a Win2K DC, and have just read the Samba 2.2 FAQ from the samba.org web site, so I am generally familiar with what I'll get.

Some of the functionality I want includes:

- Roaming profiles (Samba FAQ says this can be done)
- Magically add printers to workstations which become domain members (maybe through a policy or template?)
- Permit an account to be used for registration-only so users can make themselves domain members on their own
- Enable full auditing with Tripwire so I am kept fully up-to-date on changes (machine adds/removals/changes)
- Permit seamless password changes between our UNIX and Windows world
- Permit Mac users seamless access to shared printers and file storage (using Services for Mac on an existing NT 4 server)
- Implement policies to permit patch pushing or service changes to clients

Our model will likely end up being having an external machine (Linux most likely) doing just LDAP. We may authenticate to it, or we may try to implement Kerberos. We'll see how much pain is involved in setting up and maintaining our own Kerberos server/realm. Being on the MIT campus, we know how Kerberos works ;-) Thus, we might authenticate to a separate Kerberos server and have the remaining info in a separate LDAP database on its own server.
Now, if we have a dedicated LDAP server with possibly also a Kerberos server (neither will be the Win2K Domain Controller), how will I/we get the Windows functionality we want, knowing the DC uses LDAP plus some proprietary additions to LDAP, and that the DC wants to be a KDC? It almost looks like the Mac, Linux, and Solaris clients will have no problems, but the Windows world is the obstacle. Can LDAP and Kerberos be disabled/separated/modified to permit even pass-through authentication to the dedicated server(s), thus permitting a domain world where the Windows clients think they are talking to a true DC, and the DC thinks it is the boss, yet it gets its info from external sources? Does this make any sense?

Thanks in advance.

Scott
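As an added illustration of the model described in the post (not part of the original message or of the Samba project's documentation), the following smb.conf sketches a Samba NT4-style domain controller whose account database lives on a separate LDAP host. It assumes Samba 3.x with the ldapsam passdb backend, which postdates the 2.2 FAQ the poster read; the domain name EXAMPLEDOM, the hostnames, the LDAP suffix and the admin DN are constructed placeholders. It covers roaming profiles, automatic machine-account creation on domain join, and keeping the UNIX (userPassword) and Windows (NT hash) credentials in LDAP in step when a user changes their password from a Windows workstation.

```ini
[global]
   ; Constructed example values; replace with your own domain, hosts and DNs
   workgroup = EXAMPLEDOM
   netbios name = SAMBADC
   security = user
   encrypt passwords = yes

   ; Act as the NT4-style PDC for the domain
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65

   ; Accounts are read from and written to the dedicated LDAP server,
   ; not to a local passdb. STARTTLS keeps the bind credentials off the wire.
   passdb backend = ldapsam:ldap://ldap.example.edu
   ldap suffix = dc=example,dc=edu
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=edu
   ldap ssl = start tls

   ; A Windows-side password change updates both the Samba NT hash and the
   ; LDAP userPassword attribute, so UNIX and Windows logins stay in sync.
   ldap passwd sync = yes

   ; Roaming profiles and home drives; %N is the home server, %U the user
   logon path = \\%N\profiles\%U
   logon home = \\%N\%U
   logon drive = H:
   logon script = logon.bat

   ; Run (as root) when a workstation joins: create the POSIX side of the
   ; trust account; Samba then writes the sambaSamAccount entry to LDAP.
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = no

[printers]
   path = /var/spool/samba
   printable = yes
   browseable = no
```

Two points a practitioner would check before relying on this: the account used to join workstations must be allowed to create machine accounts (in Samba 3 that is the SeMachineAccountPrivilege, granted with `net rpc rights grant`), which is the "registration-only" account the post asks for without handing out a full administrator credential; and the LDAP bind password for `ldap admin dn` is stored in secrets.tdb via `smbpasswd -w`, so that file belongs in the Tripwire policy alongside smb.conf if machine and account changes are to be audited. Note that this NT4-style domain does not make Samba a KDC; Windows clients in this model authenticate to Samba over NTLM, while the Kerberos realm mentioned in the post would serve the UNIX and Mac side separately.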