Greg Adams wrote:> I've been reading some documentation and can't find an answer to my
> question...
>
> I work in an environment where we have a bunch of Solaris 2.8 servers and
> a bunch of developers using Windows 2000 and XP desktops. We support a
> client using a Windows 2000 Server ADS PDC, and they need to map some of
> the NFS drives on our Solaris 2.8 servers. Currently we run a PCNetLink
> PDC (don't worry much about that, it's basically the same as a
Samba 2 NT4
> PDC), and our PCNetLink PDC has a trust relationship to the Windows 2000
> Server ADS PDC that our client has. Additionally our internal development
> staff uses the PCNetLink PDC for user authentication, netlogon services,
> file sharing, etc.
>
> Fairly soon the corporation that both our development group and our client
> belong to is going to disallow all NT4 domain services, including
> PCNetLink and legacy mode operations, so we are looking at switching to
> Samba 3, as we have heard that it can communicate with ADS servers.
>
> Here's my question: I would like to move to an OpenLDAP/Kerberos
> authentication scheme for our Solaris machines and have a Samba 3 PDC
> using this OpenLDAP/Kerb5 backend for authentication as the PDC for our
> Windows 2000 and XP workstations. Additionally, I would like to be able to
> have the same Samba 3 PDC interact with the Windows 2000 ADS Server that
> our client runs in either a trust relationship or as a member server to
> allow the customer clients to use the filesharing services on our Solaris
> servers. From my reading, it seems that the trust relationship is not
> possible (something about NT4 trusts vs. ADS trusts, and Samba 3 only
> supporting NT4 trusts). Is it possible to have one samba 3 PDC also be an
> ADS member server? Is there some better way to achieve what I've
> described?
>
> Thanks for any help. Greg
I don't know if I understood you right, but you can either make your
samba server work as a PDC or keep your Windows 2000 Server as the
primary one. The advantage of keeping Windows as the boss is that you
can use group policy rights assignment to your windows machines; if you
intend to use Samba as a PDC you should consider, if you want to have
group policies, http://www.nitrobit.com/Index.html.
In case you want Windows as the boss you can use the implemented LDAPv3
and the MIT Kerberos of the Windows 200x Server editions. Making your
users visible on Unix you can use either nssldap (depends on: pam_ldap,
openldap, [openssl, cyrus-sasl]) or winbind to map Windows to Unix
users. I don't know if nssldap works on Solaris, but take look here:
http://www.padl.com/download. You have to extend your Windows Server
Schema with the MKSADPlugins.msi, which adds a "Unix Settings" tab
creating new users or groups, or download the Services for Unix 3.0
which are free from Microsoft. If you use nssldap you just need to
install the SFU at minimum, just to extend your schema, nothing more.
For a Samba 3 PDC you have to use a passdb backend, while many of them
are supported by samba, like the pdb, the smbpasswd or ldap. They are
described very well in the samba documentation or in the examples book
from John Terpstra.
For some more infos about using Windows as the boss, take a look at
http://forums.gentoo.org/viewtopic.php?t=114837. Instead of emerge do
your Solaris compiles.
-markus