Bryan J. Smith wrote:
> On Mon, 2005-07-18 at 08:41 +0800, Feizhou wrote:
>
>> Ok. Which ones? heimdal? MIT?
>
> Both have some compatibility with MS Kerberos -- both its non-compliant
> with Kerberos 5 handshakes/datagrams as well as some extensions.
>
> Can they act like a Windows ADS DC? Of course *NOT*! Why?
> Kerberos is just the authentication portion, it does not provide RPC
> services for Windows. Samba uses these newer Kerberos services, with
> its RPC capabilities, to provide those features at winlogon and other
> points.
>

Please don't cut out relevant stuff. This was purely about account management. I never asked whether heimdal or MIT Kerberos can do ADS.

The relevant stuff was:

------------------------
>> How do you get centralized user account management without
>> MS Kerberos?
>>
>
> Again, MS Kerberos are just extensions to Kerberos, ones supported in
> new, open source Kerberos 5 servers.
>

Ok. Which ones? heimdal? MIT?
------------------------

> All I'm saying is that if you purposely put on the (actually _invalid_)
> constraint that Windows systems can only be managed by a combined set of
> services that act 100% like a MS ADS DC, then there's no point in even
> discussing this. The idea that every Microsoft administrative tool,
> schema extension and its tools, etc... will work with a 100% Samba 3.0
> (_no_ MS ADS DCs) using Kerberos and LDAP for stores will simply be
> unlikely in the near future.

Forget administrative tools. Just the plain user account management, regardless of administrative tool. Are you saying that a heimdal/MIT Kerberos server will be able to handle Windows 2000/XP clients without having to map Kerberos principals to local accounts on each individual machine?

> But can a set of "open systems" authentication, directory, naming and
> file services completely replace all the functionality you expect in a
> well-managed Windows network? Of course! But no, native MS ADS DCs
> aren't going to listen to it. But MS Windows 2000 Server and even
> Server 2003 _can_ be "member servers" under it -- just like Samba 3.0
> can be a "member server" when true MS ADS DCs are "in charge."
>
> It all depends on what you use.

So what do we use to provide the single logon Kerberos environment for Windows 2000/XP clients for an enterprise (you seem to use this for environments where there are hundreds if not thousands of desktops; that is what I mean here)?