You're digging too deep... The time that it took to research and compare would have paid for the Windows 2000 OS... Why is it a big deal if it's Microsoft or Linux? 95% of the world uses Microsoft... Perhaps that should be where you look. Schools should be preparing their students for the real world, not a fantasy.

Joe

-----Original Message-----
From: Scott Ehrlich [mailto:scott@xxxxxxxxxx]
Sent: Tuesday, October 22, 2002 7:50 AM
To: windows2000@xxxxxxxxxxxxx; samba@xxxxxxxxxxxxxxx
Subject: [windows2000] Samba or Win2K Server as Domain Controller?

We are looking at implementing a Windows Domain structure very soon and I have been asked to evaluate/investigate the differences between using Samba as a DC vs a true Win2k DC. We run TCP/IP and AppleTalk on a 100Base-T network.

I'm the main Microsoft person in the group and have a lot of Windows experience (9x - XP).

We currently have a primary NT 4 domain controller mainly acting as a print and software install server. 99% of workstations are in workgroup mode.

We have a contingent of Mac users (OS 9 and above) who also utilize the DC for printing and software installation.

I know the full capabilities of a Win2K DC, and have just read the Samba 2.2 FAQ from the samba.org web site, so I am generally familiar with what I'll get.

Some of the functionality I want includes:

- Roaming profiles (Samba FAQ says this can be done)
- Magically add printers to workstations which become domain members (maybe through a policy or template?)
- Permit an account to be used for registration-only so users can make themselves domain members on their own
- Enable full auditing with Tripwire so I am kept fully up-to-date on changes (machine adds/removals/changes)
- Permit seamless password changes between our UNIX and Windows world
- Permit Mac users seamless access to shared printers and file storage (using Services for Mac on an existing NT 4 server)
- Implement policies to permit patch pushing or service changes to clients

Our model will likely end up having an external machine (Linux most likely) doing just LDAP. We may authenticate to it, or we may try to implement Kerberos. We'll see how much pain is involved in setting up and maintaining our own Kerberos server/realm. Being on the MIT campus, we know how Kerberos works ;-)

Thus, we might authenticate to a separate Kerberos server and have the remaining info in a separate LDAP database on its own server.

Now, if we have a dedicated LDAP server with possibly also a Kerberos server (neither will be the Win2K Domain Controller), how will I/we get the Windows functionality we want knowing the DC uses LDAP plus some proprietary additions to LDAP, and that the DC wants to be a KDC?

It almost looks like the Mac, Linux, and Solaris clients will have no problems, but the Windows world is the obstacle.

Can LDAP and Kerberos be disabled/separated/modified to permit even pass-through authentication to the dedicated server(s), thus permitting a domain world, where the Windows clients think they are talking to a true DC, and the DC thinks it is the boss, yet it gets its info from external sources?

Does this make any sense?

Thanks in advance.

Scott

==================================
To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
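Editor's note, added as an illustration and not part of either message above: the split Scott describes (accounts in an external LDAP server, the DC only serving the Windows side) is exactly what Samba supports, because Samba 2.2/3.x acts as an NT4-style primary domain controller whose account store can live in LDAP; it is not an Active Directory DC and runs no KDC, so Win2K/XP clients join it as an NT4 domain and authenticate with NTLM rather than Kerberos. A Windows 2000 DC cannot be pointed at an external LDAP server or KDC for its own account store. The smb.conf below is an added example in Samba 3.x syntax (parameter names differ from the 2.2 FAQ Scott read); the domain name EXAMPLE, the LDAP host ldap.example.org, the suffix dc=example,dc=org, the bind DN and the /srv/samba paths are all assumptions. It covers three of the wanted items: roaming profiles, a delegated account that can join workstations, and password changes that land in the shared LDAP database.

```ini
# Added example: Samba 3.x as an NT4-style PDC with an LDAP account backend.
# All hostnames, DNs and paths are assumptions for illustration.
[global]
    # NetBIOS domain and server names (assumed)
    workgroup = EXAMPLE
    netbios name = PDC1
    server string = Samba PDC

    # NT4-style domain controller role. Samba 2.2/3.x is not an AD DC and
    # does not run a KDC; clients authenticate with NTLM, not Kerberos.
    security = user
    encrypt passwords = yes
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

    # Account store is an external OpenLDAP server. STARTTLS on the bind
    # keeps the NT/LM password hashes Samba reads from crossing the wire
    # in the clear; "ldap ssl = off" would send them unprotected.
    passdb backend = ldapsam:ldap://ldap.example.org
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    # Bind DN; its password is stored with "smbpasswd -w <secret>", not here.
    ldap admin dn = cn=samba,ou=DSA,dc=example,dc=org
    ldap ssl = start tls

    # A password change from a Windows client (or smbpasswd) also rewrites
    # the LDAP userPassword attribute, so UNIX and Windows stay in sync.
    ldap passwd sync = yes

    # Roaming profiles and home drive mapping; %N is this server, %U the user.
    logon path = \\%N\profiles\%U
    logon drive = H:
    logon home = \\%N\%U
    logon script = logon.bat

    # Workstation self-join: when a machine joins, Samba runs this script to
    # create the POSIX account backing the machine trust account (%u is the
    # machine name with a trailing $). The POSIX "machines" group is assumed.
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /sbin/nologin -M %u
    # Needed so a non-root account can be granted SeMachineAccountPrivilege
    # (see usage note); requires Samba 3.0.11 or later.
    enable privileges = yes

# Logon scripts and policy files read by clients at logon
[netlogon]
    path = /srv/samba/netlogon
    read only = yes
    write list = @wheel

# Roaming profile store; restrictive masks keep one user's profile
# unreadable by another.
[profiles]
    path = /srv/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
```

With `enable privileges = yes`, the "registration-only" account Scott asks for is an ordinary domain user that has been granted the right to add machine accounts, so no domain administrator password ever leaves the admin's hands: `net rpc rights grant 'EXAMPLE\joinacct' SeMachineAccountPrivilege -U root` (run once against the PDC). Tripwire-style change auditing of the LDAP tree and of /srv/samba is outside what smb.conf can express and has to be done on the LDAP host and file server themselves.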