Errol.Fouquet@mms.gov
2003-Oct-15 14:53 UTC
[Samba] QUESTION: security=ads vs. security=domain
Can someone explain to me what "ADS" buys me over "Domain" for a member server? We just started implementing Samba 3.0 and want to understand what the new ADS security buys us.

Errol Fouquet - UNIX SysAdmin
Minerals Management Service, DOI
Andrew Smith-MAGAZINES
2003-Oct-15 15:47 UTC
[Samba] QUESTION: security=ads vs. security=domain
It gives native membership to Windows 2K (Active Directory) domains which is required to participate in a W2k domain if you are not running in mixed mode. Also gives kerberised authentication to Samba shares which is nice for security and single sign-on.
On Wed, 15 Oct 2003 Errol.Fouquet@mms.gov wrote:
> Can someone explain to me what "ADS" buys me over "Domain" for a member
> server?
> We just started implementing Samba 3.0 and want to understand what the new
> ADS security buys us.

Have you read the Samba-HOWTO-Collection.pdf that ships with Samba-3.0.x? It might answer your question.

Quote:

4.3.4 ADS Security Mode (User Level Security)

Both Samba-2.2, and Samba-3 can join an Active Directory domain. This is possible if the domain is run in native mode. Active Directory in native mode perfectly allows NT4-style Domain Members. This is contrary to popular belief. Active Directory in native mode prohibits only the use of Backup Domain Controllers running MS Windows NT4.

If you are using Active Directory, starting with Samba-3 you can join as a native AD member. Why would you want to do that? Your security policy might prohibit the use of NT-compatible authentication protocols. All your machines are running Windows 2000 and above and all use Kerberos. In this case Samba as an NT4-style domain would still require NT-compatible authentication data. Samba in AD-member mode can accept Kerberos tickets.

- John T.
--
John H Terpstra
Email: jht@samba.org
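
As an added illustration of the distinction drawn in the reply above (not code from the thread or from the Samba project), this Python script reads the [global] section of an smb.conf and reports whether the member server is NT4-style or a native AD member. The two sample configs, the EXAMPLE / EXAMPLE.COM names and the function names are constructed for the example.

```python
# Constructed sample configs; EXAMPLE and EXAMPLE.COM are placeholders.
NT4_STYLE = """
[global]
   workgroup = EXAMPLE
   security = domain
   password server = *
"""
AD_NATIVE = """
[global]
   workgroup = EXAMPLE
   security = ADS
   realm = EXAMPLE.COM
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def global_params(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def member_mode(text):
    g = global_params(text)
    security = g.get("security", "user").lower()  # "user" is the Samba 3.0 default
    problems = []
    # Assumption of this example: an ADS member without a realm is incomplete.
    if security == "ads" and not g.get("realm"):
        problems.append("security = ads without realm")
    return {
        "security": security,
        "accepts_kerberos_tickets": security == "ads",
        "needs_nt_compatible_auth": security == "domain",
        "problems": problems,
    }

if __name__ == "__main__":
    for name, conf in (("NT4-style", NT4_STYLE), ("AD native", AD_NATIVE)):
        print(name, member_mode(conf))
```
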
Errol.Fouquet@mms.gov
2003-Oct-17 19:41 UTC
[Samba] QUESTION: security=ads vs. security=domain
Thanks a lot ... I had read Chapter 7 (Domain Membership) thoroughly and was confused as to the difference. I appreciate you pointing this out to me ... although I do admit that "RTFM!!" would have been a fair response :-)