On Fri, 2004-11-26 at 15:42 +0000, Paul Jakma wrote:
> On Fri, 26 Nov 2004, Nils wrote:
>
> > At the moment there is a Samba file server working already via winbind.
> > (no shares on the NT4 machine).
> > A few questions.
> > 1. Do I need Kerberos?
>
> What do you want to provide? Replacement for the NT4 PDC? Samba will
> act as NT4 domain PDC/BDC fine, which doesn't need Kerberos at all.
That's good to know. (Don't all versions of Windows use a single sign-on to a domain?)
Will the user have to be authenticated against the LDAP server every time the user
needs to access the Samba shares/PDC?
> If you want to provide Active Directory then, AFAIK, you're stuck.
> MIT krb5kdc can not act as an MS AD KDC because it lacks proprietary
> MS extensions to Kerberos - extensions which MS clients refuse to
> recognise KDCs as Active Directory without (ISTR).
I'm not really after an Active Directory setup.
> (unless the Samba people have gone and implemented an AD compatible
> KDC in Samba.. doubt it - but don't know).
>
> > 2. Do I need a DNS server/LDAP (Active Directory) or will an LDAP server
> > work.
>
> For AD you need LDAP, but see above. Unless Samba now can act as an
> AD KDC, nothing but an MS Windows server can act as an AD 'server'.
The only reason I said about DNS/LDAP is that it was one of the options in
the Samba docs.
> For NT4 domains, you don't need LDAP, but LDAP is one of the things
> you could store user information in.
That's what it will mainly be used for.
> > 3. Is it a good idea to have the same password for both user logon
> > to a Windows box and email account? (I could have two different directory
> > trees)
>
> The fewer passwords users have, the easier it is to enforce strong
> password policies (which both PAM and MIT Krb5 can do). If the
> password they use to access company data that they don't really care
> about is the same password that protects their email (which they
> might well care about protecting) then they're less likely to
> scribble the passwords on post-it notes on monitors and/or share the
> passwords with colleagues.
OK, so it is better to have one secure password than many weaker ones?
> > What's the most sane way to set this up, so administration doesn't take a
> > rocket scientist to understand.
>
> I suggest you read the Samba docs ;)
I have read the Samba docs; but as I stated, there are a number of ways to