samba - Oct 2003 - Samba 3.0 as NT4 PDC with MIT kerberos 1.3 (v5) for authentication?

Hi All-

Please pardon my repost of my usenet article in this list.

Previously, I asked if Samba 3.0 could be an Active Directory Domain
Controller (ADDC).  I have the feeling that the answer is no.  If so, then 
I have this other question:

Can I use Samba as an NT4 PDC for making a Windows NT4 domain that
would host several M$ Windows XPP client computers as domain
clients/members, but have these client computers (and their users)
actually do their authentication not against the PDC, but rather,
against an MIT kerberos 1.3 (v5) Key Distribution Center (KDC) or
kerberos server?

I've now read one or two cases of educational institutions using
similar arrangements, but in their circumstances, they often had a M$
Windows 2000 Server machine that was the ADDC for a domain, then they
established trust between the ADDC and their MIT kerberos v5 KDC, and
then their client computers did pass-through authentication not
against the ADDC, but rather, against the KDC.  To be more specific,
the client computers were domain members of a domain hosted by the
ADDC (perhaps could also be an NT4 PDC?), and their authentication
requests apparently did a pass-through of the ADDC and then were
checked against the kerberos database on the KDC.  If the
authentication was successful, then the users ended up with a
single-sign-on (SSO) onto their Win2k/WinXP boxes, got kerberos
tickets for services from the KDC, and then obtained access to
authorized services (apparently, services that were a part of the
domain that they logged into, thus Samba would provide), and also
(possibly) services that were made available by unix machines that
were not necessarily a part of the ADDC (or NT4) domain, but that did
have service principals in the kerberos database.  Does that make
sense?

So, does anyone know if such a scheme would work with no ADDC (since I
don't have and don't want a M$ server), but rather, with Samba 3.0
acting as the PDC in an NT4 domain rather than an ADS domain?  Since,
as I said above, I get the impression that Samba 3.0 cannot be an
ADDC, using it to provide an NT4 domain seems like the next best
alternative---if it will work.

Thanks in advance for any thoughts, suggestions, advice on whether
this will or will not work and, if the former (it will work), then any
tips/tricks or gotchas on actually implementing the plan.

Thanks again, Samba Team, for your terrific suite of software!

-Jane

On Sun, 12 Oct 2003, Jane Deer wrote:
> Hi All-
>
> Please pardon my repost of my usenet article in this list.
>
> Previously, I asked if Samba 3.0 could be an Active Directory Domain
> Controller (ADDC).  I have the feeling that the answer is no.  If so, then
> I have this other question:
Correct. The answer is NO.
> Can I use Samba as an NT4 PDC for making a Windows NT4 domain that
> would host several M$ Windows XPP client computers as domain
> clients/members, but have these client computers (and their users)
> actually do their authentication not against the PDC, but rather,
> against an MIT kerberos 1.3 (v5) Key Distribution Center (KDC) or
> kerberos server?
No. The protocols you will be using do not allow that.
> I've now read one or two cases of educational institutions using
> similar arrangements, but in their circumstances, they often had a M$
> Windows 2000 Server machine that was the ADDC for a domain, then they
> established trust between the ADDC and their MIT kerberos v5 KDC, and
> then their client computers did pass-through authentication not
> against the ADDC, but rather, against the KDC.
That is possible, though not a recommended arrangement.
> To be more specific, the client computers were domain members of a
> domain hosted by the ADDC (perhaps could also be an NT4 PDC?), and their
You can not configure NT4 to operate in this mode, except it be made a
member of an AD Domain that is running in mixed mode.
> authentication requests apparently did a pass-through of the ADDC and
> then were checked against the kerberos database on the KDC.  If the
> authentication was successful, then the users ended up with a
> single-sign-on (SSO) onto their Win2k/WinXP boxes, got kerberos tickets
> for services from the KDC, and then obtained access to authorized
> services (apparently, services that were a part of the domain that they
> logged into, thus Samba would provide), and also (possibly) services
> that were made available by unix machines that were not necessarily a
> part of the ADDC (or NT4) domain, but that did have service principals
> in the kerberos database.  Does that make sense?
The design of the old NT4 style domain as with that of the Win2Kx style
ADS are not principally designed to permit intergration with the industry
standard protocols for Kerberos and LDAP. They are designed to lock
customers into a Microsoft centric world. Microsoft are working on
solutions for better integration, but today these require commercial
solutions. If you care to write to me personally I can point you at this
work, but I do not wat this list to be used for blatently commercial
purposes.

PS: All the commercial solutions I know of are premediated around use of
MS ADS.
> So, does anyone know if such a scheme would work with no ADDC (since I
> don't have and don't want a M$ server), but rather, with Samba 3.0
> acting as the PDC in an NT4 domain rather than an ADS domain?  Since,
> as I said above, I get the impression that Samba 3.0 cannot be an
> ADDC, using it to provide an NT4 domain seems like the next best
> alternative---if it will work.
Use Samba-3.0.0 as your NT4 style PDC/BDC. This is a solution that works.
Combined with LDAP for the account backend this gives you a very scalable
solution.
> Thanks in advance for any thoughts, suggestions, advice on whether
> this will or will not work and, if the former (it will work), then any
> tips/tricks or gotchas on actually implementing the plan.
I hope my reply does help.
> Thanks again, Samba Team, for your terrific suite of software!
Can I count on some patches to the documentation from you. Just to make
sure that this type of question is more fully and clearly answered for the
next person who wants to try the same things you have in mind?

Users like you are ultimately the people who make Samba and its
documentation valuable. You will contribute won't you?

- John T.
-- 
John H Terpstra
Email: jht@samba.org