paul at clubi.ie
Fri Nov 26 15:42:14 GMT 2004
On Fri, 26 Nov 2004, Nils wrote:
> At the moment there is a samba file server working already via winbind.
> (no shares on the nt4 machine).
> A few question.
> 1. Do i need kerberos.
What do you want to provide? Replacement for the NT4 PDC? Samba will
act as NT4 domain PDC/BDC fine, which doesnt need kerberos at all.
If you want to provide Active Directory then, AFAIK, you're stuck.
MIT krb5kdc can not act as an MS AD KDC because it lacks proprietary
MS extensions to Kerberos - extensions which MS clients refuse to
recognise KDC's as Active Directory without (ISTR).
(unless the samba people have gone and implemented an AD compatible
KDC in samba.. doubt it - but dont know).
> 2. Do i need a dns server/ldap (Active directory) or will a ldap server
For AD you need LDAP, but see above. Unless Samba now can act as an
AD KDC, nothing but an MS Windows server can act as an AD 'server'.
For NT4 domains, you dont need LDAP, but LDAP is one of the things
you could store user information in.
> 3. Is it a good ideas for having the same password for both user logon
> to a win box and email account.( i could have two different directory
The fewer passwords users have, the easier it is to enforce strong
password policies (which both PAM and MIT Krb5 can do). If the
password they use to access company data that they dont really care
about is the same password that protects their email (which they
might well care about protecting) then they're less likely to
scribble the passwords on post-it notes on monitors and/or share the
passwords with colleagues.
> whats the most sane way to set up this, so administration doesn't take a
> rocket scientist to understand.
I suggest you read the Samba docs ;)
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
I can't decide whether to commit suicide or go bowling.
-- Florence Henderson
More information about the ILUG