PhxBUG -- User Group Meeting Discussion and Presentation Topics

Most wanted presentation topic
OpenSSH 25% (1 vote)
OpenBSD IPsec VPNs 25% (1 vote)
OpenBSD HA Firewalls 0% (0 votes)
OpenBSD on the Soekris 0% (0 votes)
Hybrid Intrusion Detection 25% (1 vote)
LDAP directory authentication 25% (1 vote)
Total votes: 4

In the past I've done Samba 3 backended against LDAP. All in all it was smooth and just used a couple of shell utilities to do the user management, although you could technically manage several of the account attributes directly, e.g. via an LDAP web interface for convenience. Didn't ever do any Kerberos integration on that project, and not certain really how that would fit in; maybe instead of direct authentication against Samba from the workstations, you could check for GSSAPI support in Samba which would allow it to interop with KerberosV. Great idea for a topic though. ;)
By sancho at 2006/02/09 - 12:11pm

samba and kerberos
yea ... the missing part is that samba can't be an AD domain controller. it can be a member server, which is what i sort of accomplished yesterday, but that's not what i need

heimdal can use ldap as a backend, but openbsd's heimdal in base is behind quite a bit ... plus, i'd have to mess around with telling it to link against openldap

for the windows boxes, did you just install pgina and go that route?

right now, i'm looking at apple's open directory. it seems like they've managed to get it all integrated ...
By marco at 2006/02/09 - 5:05pm

The mode we used Samba in was more or less NT4 domain controller (PDC) mode, which worked for what we were doing. It worked for a login server so we could handle centralized account management in LDAP. Honestly, I came out of the project with the feeling that while it was neat, it was needlessly re-engineering something that Active Directory or did well already, and if the company needed it done, they might want to drop a few bones on it and do it right. Part of this feeling came from not having enough time to devote to managing it, and that every service pack Microsoft released for the OSes we were running (2000/XP at the time) crippled some piece of functionality, either forcing us to find creative ways to work around issues, disable functionality, or just give in and roll back to a native ADS domain. YMMV...
By sancho at 2006/02/09 - 5:42pm

Past Samba experiences
I worked with Samba years ago and thought it was thoroughly cool. Funny, but at that time I came to some of the same conclusions you did. Almost a decade later, with tons of good stuff added to Samba, and we're still in the same boat. Now, I think it's pretty much a waste of time. Interoperating with a closed, moving target like MS is a constant battle you'll never win. They don't even have to try tactics like embrace and extend. They just do normal, closed source work, and it breaks older stuff. Why would they worry about it? It's their standard and updates take care of the Windows clients. Lots of people use Samba, and it's a good product. If you choose that route then best of luck!
By dwc at 2006/02/09 - 6:12pm
need to vote for a combination of things ...
5 & 7
we're needing to find a replacement for our NT4 domain at work, and are really trying to avoid AD. i have been tinkering with a mix of samba/kerberos/ldap but haven't been pleased so far (i am trying to avoid having to use 3rd party stuff)