[linux-l] Samba as a domain member in an Active Domain
Guenther Frick
gfrick at gmx.net
Wed May 5 23:23:04 CEST 2004
Peter Ross wrote:
> On Tue, 4 May 2004, Guenther Frick wrote:
>>Samba currently only works in mixed-mode domains. See the Samba HOWTO
>>Collection. Attempts are pointless. Maybe coming in Samba 4.
> Really sure? Where exactly does it say that in the HOWTOs? (I have already
> read them without finding that information anywhere)
>
> At least some people have dealt with Kerberos authentication. Is the
> mapping
> Active Directory = Kerberos
> NT Domain = NTLM
> Mixed Mode = both
> correct?
e.g. here:
http://de.samba.org/samba/docs/man/howto/ServerType.html#id2517226
ADS Security Mode (User Level Security)
Both Samba-2.2, and Samba-3 can join an Active Directory domain. This is
possible if the domain is run in native mode. Active Directory in native
mode perfectly allows NT4-style Domain Members. This is contrary to
popular belief. Active Directory in native mode prohibits only the use
of Backup Domain Controllers running MS Windows NT4.
If you are using Active Directory, starting with Samba-3 you can join as
a native AD member. Why would you want to do that? Your security policy
might prohibit the use of NT-compatible authentication protocols. All
your machines are running Windows 2000 and above and all use Kerberos.
In this case Samba as an NT4-style domain would still require
NT-compatible authentication data. Samba in AD-member mode can accept
Kerberos tickets.
Example Configuration
realm = your.kerberos.REALM
security = ADS
The following parameter may be required:
password server = your.kerberos.server
Please refer to Domain Membership and Samba ADS Domain Membership for
more information regarding this configuration option.
http://de.samba.org/samba/docs/man/howto/samba-pdc.html#id2519604
Samba ADS Domain Control
Samba-3 is not, and cannot act as, an Active Directory Server. It cannot
truly function as an Active Directory Primary Domain Controller. The
protocols for some of the functionality of Active Directory Domain
Controllers have been partially implemented on an experimental-only
basis. Please do not expect Samba-3 to support these protocols. Do not
depend on any such functionality either now or in the future. The Samba
Team may remove these experimental features or may change their
behavior. This is mentioned for the benefit of those who have discovered
secret capabilities in Samba-3 and who have asked when this
functionality will be completed. The answer is maybe or maybe never!
To be sure, Samba-3 is designed to provide most of the functionality
that Microsoft Windows NT4-style Domain Controllers have. Samba-3 does
not have all the capabilities of Windows NT4, but it does have a number
of features that Windows NT4 domain controllers do not have. In short,
Samba-3 is not NT4 and it is not Windows Server 200x, it is not an
Active Directory server. We hope this is plain and simple enough for all
to understand.
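The HOWTO excerpt above contrasts an NT4-style member (NT-compatible authentication data, i.e. NTLM) with an AD member (security = ADS plus a realm, which lets Samba accept Kerberos tickets). As an added example, not taken from the mailing-list post or from the Samba documentation, the following POSIX shell snippet holds two constructed smb.conf fragments side by side and classifies which authentication mode a member server will end up in. The workgroup EXAMPLE, the realm EXAMPLE.LOCAL, the server name dc1.example.local and the helper names smb_param and member_mode are all assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample smb.conf fragments (not from the page).
# NT4-style member: security = domain, no realm -> NTLM-only authentication.
NT4_CONF='[global]
workgroup = EXAMPLE
security = domain
password server = *
'
# AD member as described in the HOWTO: security = ads plus a Kerberos realm.
ADS_CONF='[global]
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
security = ads
password server = dc1.example.local
encrypt passwords = yes
'

# smb_param KEY CONF: print the trimmed value of one smb.conf parameter.
# smb.conf keys are case-insensitive, so compare in lower case.
smb_param() {
    printf '%s\n' "$2" | awk -F= -v key="$1" '
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# member_mode CONF: classify how the member server will authenticate users.
#   ads        -> security = ads with a realm set: Kerberos tickets accepted
#   nt4        -> security = domain: NT-compatible (NTLM) authentication only
#   error      -> security = ads but no realm: the HOWTO lists realm as
#                 required for ADS mode, so flag the config as incomplete
#   standalone -> anything else: not a domain member at all
member_mode() {
    sec=$(smb_param security "$1" | tr 'A-Z' 'a-z')
    realm=$(smb_param realm "$1")
    case "$sec" in
        ads)    if [ -n "$realm" ]; then echo ads; else echo error; fi ;;
        domain) echo nt4 ;;
        *)      echo standalone ;;
    esac
}
```

Running member_mode over the two fragments yields nt4 for NT4_CONF and ads for ADS_CONF; a config that sets security = ads but forgets the realm is reported as error rather than silently treated as an AD member. The check only inspects the text; after editing the real smb.conf the join itself is still verified with the usual Samba tools (net ads join, net ads testjoin).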
More information about the linux-l mailing list