On Mon, 2012-12-17 at 20:54 +0100, Admin wrote:
> Hi,
> I have to deploy an integrated services platform consisting of a samba3,
> web-groupware and email (exim+cyrus) service, which has very limited
> options for user management. This new server is to replace a Windows
> 2008 server. I am free to create all users anew.
> I'll try to configure it to use an external source as a single source of
> authentication and join the samba3 to a samba4-Domain but I'm unsure
> about the mail and webservices: should I/can I use samba4's built-in
> ldap server? Or would it be better to use the kerberos service? Or winbind?
> I would appreciate any advice for the most standards-conformant way to
> get things working.

When deployed as an AD DC, all of these will work, and work well. You
can do 'ldap authentication' as a simple bind, you can get a kerberos
ticket (even better is to accept a kerberos ticket, from
kerberos-enabled clients, but I know that's probably not what you are
after), or you can use pam and winbind via a domain join.

The more secure options are kerberos (as long as you actually validate
the ticket you get back) and winbind (which will perform the
authentication across the secure channel).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org