[ILUG] ldap/PDC
Paul Jakma
paul at clubi.ie
Fri Nov 26 15:42:14 GMT 2004
On Fri, 26 Nov 2004, Nils wrote:
> At the moment there is a samba file server working already via winbind.
> (no shares on the nt4 machine).
>
> A few questions.
> 1. Do I need Kerberos?
What do you want to provide? A replacement for the NT4 PDC? Samba will
act as an NT4 domain PDC/BDC fine, which doesn't need Kerberos at all.
If you want to provide Active Directory then, AFAIK, you're stuck.
MIT krb5kdc cannot act as an MS AD KDC because it lacks the proprietary
MS extensions to Kerberos - extensions without which MS clients refuse
to recognise KDCs as Active Directory (ISTR).
(Unless the Samba people have gone and implemented an AD-compatible
KDC in Samba... doubt it, but don't know.)
> 2. Do I need a DNS server/LDAP (Active Directory), or will an LDAP server
> work?
For AD you need LDAP, but see above. Unless Samba can now act as an
AD KDC, nothing but an MS Windows server can act as an AD 'server'.
For NT4 domains you don't need LDAP, but LDAP is one of the things
you could store user information in.
> 3. Is it a good idea to have the same password for both user logon
> to a Win box and the email account? (I could have two different directory
> trees.)
The fewer passwords users have, the easier it is to enforce strong
password policies (which both PAM and MIT Krb5 can do). If the
password they use to access company data that they don't really care
about is the same password that protects their email (which they
might well care about protecting), then they're less likely to
scribble the passwords on post-it notes on monitors and/or share the
passwords with colleagues.
> What's the most sane way to set this up, so administration doesn't take a
> rocket scientist to understand?
I suggest you read the Samba docs ;)
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
I can't decide whether to commit suicide or go bowling.
-- Florence Henderson
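A minimal smb.conf for the setup Paul describes above (Samba as an NT4-style PDC with no Kerberos involved, accounts held in LDAP, and one password shared with the mail system), given here as an added example that is not from the original post or from the Samba project's own documentation. The domain name EXAMPLE, the LDAP host, the base DN, the bind DN and the smbldap-tools path are assumptions.

```ini
# smb.conf: Samba as an NT4-style domain controller with an LDAP passdb backend.
# Added example; the domain name, hostnames, DNs and paths are assumed.
# Note that smb.conf does not allow trailing comments on a value line.
[global]
   ; assumed NT4 domain name
   workgroup = EXAMPLE
   netbios name = PDC
   server string = Samba NT4-style PDC

   ; NT4 domain roles: no Kerberos or AD involved
   security = user
   domain logons = yes
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65

   ; user, group and machine accounts live in LDAP (assumed host and base DN)
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=com
   ; STARTTLS so the admin bind password never crosses the wire in clear
   ldap ssl = start tls

   ; when a user changes the Windows password, Samba also updates the
   ; LDAP userPassword attribute, so a mail server authenticating against
   ; the same entry keeps seeing the same password
   ldap passwd sync = yes

   ; machine accounts created on domain join (smbldap-tools, assumed installed)
   add machine script = /usr/sbin/smbldap-useradd -w "%u"

   ; roaming profiles and logon scripts served from the shares below
   logon path = \\%L\profiles\%U
   logon drive = H:
   logon script = logon.bat

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   browseable = no
   create mask = 0600
   directory mask = 0700
```

The bind password for `ldap admin dn` is not written into smb.conf; store it with `smbpasswd -w` (it goes into secrets.tdb) and check the file with `testparm` before starting smbd and nmbd. One caveat on the single-password point: `ldap passwd sync` only covers changes made through Samba. A password changed from the Unix or mail side (passwd via pam_ldap, a webmail form writing userPassword) will not update the NT hashes unless that path goes through something like smbldap-passwd, and the two passwords will quietly diverge.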