[windows2000] Re: Samba or Win2K Server as Domain Controller?

  • From: "Joe Shonk" <JShonk@xxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Tue, 22 Oct 2002 07:59:08 -0700

You're digging too deep... The time that it took to research and compare would have paid for the Windows 2000 OS... Why is it a big deal if it's Microsoft or Linux? 95% of the world uses Microsoft... Perhaps that should be where you look. Schools should be preparing their students for the real world, not a fantasy.

Joe

-----Original Message-----
From: Scott Ehrlich [mailto:scott@xxxxxxxxxx]
Sent: Tuesday, October 22, 2002 7:50 AM
To: windows2000@xxxxxxxxxxxxx; samba@xxxxxxxxxxxxxxx
Subject: [windows2000] Samba or Win2K Server as Domain Controller?



We are looking at implementing a Windows Domain structure very soon and I have been asked to evaluate/investigate the differences between using Samba as a DC vs a true Win2k DC. We run TCP/IP and Appletalk on a 100Base-T network.

I'm the main Microsoft person in the group and have a lot of Windows experience (9x - XP).

We currently have a primary NT 4 domain controller mainly acting as a print and software install server. 99% of workstations are in workgroup mode.

We have a contingent of Mac users (OS 9 and above) who also utilize the DC for printing and software installation.

I know the full capabilities of a Win2K DC, and have just read the Samba 2.2 FAQ from the samba.org web site, so I am generally familiar with what I'll get.

Some of the functionality I want include:

- Roaming profiles (Samba FAQ says this can be done)

- Magically add printers to workstations which become domain members (maybe through a policy or template?)

- Permit an account to be used for registration-only so users can make themselves domain members on their own

- Enable full auditing with Tripwire so I am kept fully up-to-date on changes (machine adds/removals/changes)

- Permit seamless password changes between our UNIX and Windows world

- Permit Mac users seamless access to shared printers and file storage (using Services for Mac on an existing NT 4 server)

- Implement policies to permit patch pushing or service changes to clients


Our model will likely end up being having an external machine (Linux most likely) doing just LDAP. We may authenticate to it, or we may try to implement Kerberos. We'll see how much pain is involved in setting up and maintaining our own Kerberos server/realm. Being on the MIT campus, we know how Kerberos works ;-)
Thus, we might authenticate to a separate Kerberos server and have the remaining info in a separate LDAP database on its own server.

Now, if we have a dedicated LDAP server with possibly also a Kerberos server (neither will be the Win2K Domain Controller), how will I/we get the Windows functionality we want knowing the DC uses LDAP plus some proprietary additions to LDAP, and that the DC wants to be a KDC?

It almost looks like the Mac, Linux, and Solaris clients will have no problems, but the Windows world is the obstacle.

Can LDAP and Kerberos be disabled/separated/modified to permit even pass-through authentication to the dedicated server(s), thus permitting a domain world, the Windows clients think they are talking to a true DC, and the DC thinks it is the boss, yet it gets its info from external sources?

Does this make any sense?

Thanks in advance.

Scott


==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm
