th0th@th0th.com
2003-Mar-26 07:35 UTC
[Samba] Samba 3.0 - a bunch of really high level questions
Hello everyone... I am a long time samba user (3 or 4 years), though I never ventured into the alpha stages until recently (alpha 21, I'll move to 22 in the near future once I get a better idea of what's going on). I am very interested in Samba being part of an ADS domain, but I have been a little frustrated due to the lack of documentation. Specifically, I've read the HOWTOs from the University of Navarre and idealx, and I've gotten to the stage where I have all users on my machine authenticating through LDAP, samba is using LDAP to authenticate, etc. And I've gotten it to act as what appears to be an NT4 PDC.

Reading through the available documentation, the WHATSNEW.TXT, etc. I am reading all these entries like "Active Directory support. This release is able to join a ADS realm as a member server and authenticate users using LDAP/kerberos." etc. but I have found very little guides on how to implement this, or even what is meant by "member server". I am assuming this means that the 3.0 branch cannot yet act as an AD server in a native mode (i.e., non mixed mode) 2000 domain. Well what exactly CAN it do?

These may sound like stupid questions, but I've found very little on exactly:

1) what ./configure options I should be compiling samba with in order to use as much of the active directory member features available.
2) whether I need to have a kerberos kdc installed on the smb server, or anywhere on the network, or not at all.
3) I know that ADS realms utilize special SRV records in the DNS, should I implement these, how?
4) trust relationships in 2000 environment. Is it possible, what needs to be done.

Basically, I have a reasonable amount of free time, am very interested in the project, have minimal coding skills but a pretty firm grasp on the technologies, have a basement full of linux, XP, and 2000 machines with a VPN into a "pure win2000 domain" for comparative testing, and want to help you people test this puppy out... just need a little more specific guidance on what it can do, and how to implement it.

Cheers and keep up the fabulous work,
th0th
"go bravely with th0th"
John H Terpstra
2003-Mar-26 09:08 UTC
[Samba] Samba 3.0 - a bunch of really high level questions
On Wed, 26 Mar 2003 th0th@th0th.com wrote:

> Hello everyone... I am a long time samba user (3 or 4 years), though I
> never ventured into the alpha stages until recently (alpha 21, I'll move
> to 22 in the near future once I get a better idea of what's going on). I
> am very interested in Samba being part of an ADS domain, but I have been
> a little frustrated due to the lack of documentation. Specifically, I've
> read the HOWTOs from the University of Navarre and idealx, and I've
> gotten to the stage where I have all users on my machine authenticating
> through LDAP, samba is using LDAP to authenticate, etc. And I've gotten
> it to act as what appears to be an NT4 PDC.

Welcome to alpha releases! We are still working on Documentation, you will find the most up to date Samba-HOWTO in PDF format in the Samba HEAD branch CVS Code tree. Periodically we update the 3.0.0 code tree from the HEAD branch.

> Reading through the available documentation, the WHATSNEW.TXT, etc. I am
> reading all these entries like "Active Directory support. This release
> is able to join a ADS realm as a member server and authenticate users
> using LDAP/kerberos." etc. but I have found very little guides on how to
> implement this, or even what is meant by "member server". I am assuming
> this means that the 3.0 branch cannot yet act as an AD server in a
> native mode (i.e., non mixed mode) 2000 domain. Well what exactly CAN it
> do?

This is still being documented. Any pointers anyone discovers that may help other users should be reported to jht@samba.org (at least while I am working on documentation updates). In other words - your help is much appreciated - and Yes, even you can help. As you spot errors or incomplete information, please let me know. I will be working on updates throughout this week.

> These may sound like stupid questions, but I've found very little on
> exactly:
> 1) what ./configure options I should be compiling samba with in
> order to use as much of the active directory member features
> available.

It is best to use the binary packages made available by the Samba-Team on the samba FTP sites. These are usually built with maximum available functionality for your platform.

> 2) whether I need to have a kerberos kdc installed on the smb
> server, or anywhere on the network, or not at all.

See the ADS-Howto in the samba HEAD branch docs area.

> 3) I know that ADS realms utilize special SRV records in the DNS,
> should I implement these, how?

Ditto above.

> 4) trust relationships in 2000 environment. Is it possible, what
> needs to be done.

This is undocumented at this time. Sorry, we will get around to it soon.

>
> Basically, I have a reasonable amount of free time, am very interested
> in the project, have minimal coding skills but a pretty firm grasp on
> the technologies, have a basement full of linux, XP, and 2000 machines
> with a VPN into a "pure win2000 domain" for comparative testing, and
> want to help you people test this puppy out... just need a little more
> specific guidance on what it can do, and how to implement it.

Hope this helps a little.

- John T.
--
John H Terpstra
Email: jht@samba.org
Chere Zhou
2003-Mar-26 17:58 UTC
[Samba] Samba 3.0 - a bunch of really high level questions
>> > 4) trust relationships in 2000 environment. Is it possible, what
>> > needs to be done.
>>
>> This is undocumented at this time. Sorry, we will get around to it soon.

>Trust relationships behave exactly as for NT4 - modulo bugs, for the member
>server. For the PDC, we only provide an NT4 PDC, and have not yet completed
>all that is required to trust other domains.

I am using 3.0alpha21. Trusts in a win2k domain (ADS mode) seem to work, but I do not see any trusted domain if I join the domain using NT4 mode. This is fixed in HEAD, but I do need to fix my 3.0a21 version for it.

abartlet and jht, any hint for me of where to look at?
John H Terpstra
2003-Mar-26 18:05 UTC
[Samba] Samba 3.0 - a bunch of really high level questions
On Wed, 26 Mar 2003, Chere Zhou wrote:

>
> >> > 4) trust relationships in 2000 environment. Is it possible, what
> >> > needs to be done.
> >>
> >> This is undocumented at this time. Sorry, we will get around to it soon.
>
> >Trust relationships behave exactly as for NT4 - modulo bugs, for the member
> >server. For the PDC, we only provide an NT4 PDC, and have not yet completed
> >all that is required to trust other domains.
>
> I am using 3.0alpha21. Trusts in a win2k domain (ADS mode) seem to work, but
> I do not see any trusted domain if I join the domain using NT4 mode. This is
> fixed in HEAD, but I do need to fix my 3.0a21 version for it.
>
> abartlet and jht, any hint for me of where to look at?

In samba-HEAD/docs/Samba-HOWTO-Collection.pdf might help you.

- John T.
--
John H Terpstra
Email: jht@samba.org