On Thursday, 1 December 2005 17:53, David Boreham wrote:
> > But what exactly happens at the NT PDC???
>
> This is documented a little in the admin guide:
                            ^^^^^ exactly ;)
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859334
>

Yes, I know it, and it doesn't tell me much about how it works. So I'm messed up a little when dealing with problems. :(

> How it works may give you some better insight:
>
> NT4, unlike AD, does not support LDAP. It does however have an API
> that allows an application running on the PDC to read and write the NTLM
> user database. This is called the 'NetXXX api' because many of the
> functions have names like 'NetUserEnum()'.
> What the NTDS does is to 'reflect' that API as an LDAP
> server. It does this using ApacheDS (chosen because it gives us a working
> LDAP server that can be quickly customized, and because it will run without
> huge testing effort on an old platform like NT4), and a custom ApacheDS
> back-end.
> The back-end provides a shim between the ApacheDS internal database
> interface and the NetXXX api. It does this using a combination of C++ to talk
> directly to the API, and then a swig-generated shim to JNI which in turn is
> driven by a simple Java class in the custom back end.

So it is not a login, but a service-to-service talk. Then the ApacheDS doesn't have to know the account (uid and pw), because it is running as a privileged service - is this right?

> The top level goal for the NTDS is to 'emulate' AD on NT4.
> The idea was to code the winsync part of FDS to speak to
> AD alone, and do all the NT4 weirdness on the NT side.
> It turns out to be hard/impossible to do that 100% (some schema
> is quite different for example). So you will see some 'if (nt4) ... '
> code in FDS winsync, but not a whole lot.

Ok, that's quite elegant. I see. So the only uid/pw combination I need to know and to have (create) at the PDC side is in fact the ApacheDS Directory Manager (uid=admin,ou=system)? And it has nothing to do with any existing account in the Windows domain (user or admin)... did I get this right?

Wow, great explanation, thank you... please put something similar in the manual - I think a lot of people will need it, or at least want to know how it works.

See U
Hartmut

--
===========================================
Hartmut Woehrle
EMail: hartmut.woehrle at mail.pcom.de