On Tue 05 Dec, Christopher Dawkins wrote:
I was hoping to avoid this kind of solution...duplicating of passwords, etc. and the problems of keeping them synchronised.
If it came to replacing our NT domain with it - I would want to consider the loss of redundancy as we currently have two Backup Domain controllers (not yet supported by SAMBA/LINUX) in different locations around the school campus so that in the event of network failure/server failure logon can still be accomplished.
I'd love to know more about this can of worms. We have only one password file for all systems, all email, web, servers, platforms etc. The only place where passwords are replicated are on the local hard drives of w95 and w98 machines where it seems to be necessary for "mount network drive" to work, and this need to log onto the desktop with the same username and password as that used on the Unix system is very tedious and a serious security hole. NT clients don't need it. w98 and NT clients need "EnablePlainTextPassword".
I can't see why it is necessary to replicate usernames/passwords to W95/98. I'm not keen on the same username/password for NT as UNIX. NT clients don't need "EnablePlainTextPassword" in recent (or even not so recent) versions of SAMBA - as I understand it. I don't enable them. But I do add 'encrypt passwords = Yes' to the global part of smb.conf ...now that I am beginning to make sense of this. I'm not clear about how I intend to manage linux/NT passwords with smbpasswd yet. Perhaps the answer is to go all the way to an LDAP server.
The "browsing" feature of Windows, that "network neighbourhood" thingy, is something that seems completely unnecessary, and here it works in fits and starts, browse lists are never the same, but luckily they seem to perform no function apart from enabling pupils to copy mp3 files between each other's machines.
Copying Mp3 files is a pain. They do their best to hide them (rename extensions..bury them in zip files...split them up.....). Eventually I redrew battle plans and resorted to putting up a 'shared' common directory - which was to be the ONLY place for work 'not created' by them. I have to say our Network Neighborhood works fine. But we do have a PDC and BDCs which run 24x7 and therefore ensure they are browse masters. Without such a designation you may find that browse master moves from station to station with elections...and if it's turned off..you may lose sight of stations - temporarily.
One of our Samba servers is configured, I think, as a PDC, but it and the whole domain concept seems here to be an issue only to my Windows technician, who keeps on muttering that he can't see various machines on network neighbourhood and can't understand why not. I can't understand that or why, either, I say just put the server name in the "mount network drive" box and forget about whether or not you can see it.
It does look as if SAMBA will now do NT domain stuff almost completely - lacking replication and BDC support. I'm not ready to go all this way - yet. You may need to 'make it' a browse master in the 'global' part of smb.conf.
To summarise, we have about 150 Windows machines here accessing Samba, and I have made no deliberate provision for PDCs or BDCs and have not yet seen a need to do so. It seems unnecessary. For what would I need it?
A Domain is a workgroup where authentication is carried out on behalf of clients by the PDC/BDCs. This is even for shares which may exist on clients, and printers which exist on clients - without needing to create users/passwords on local machines. Of course it's a bit more than that...roaming/mandatory profiles, directory replication (particularly of policy files) - I didn't mention policies..., UserDB redundancy, logon scripts, and other bits that tend to get handled by the Domain. There is also quite a useful feature of local and Domain wide groups...and Domains can be made to 'trust' one another either one or both ways allowing for (in our case for staff administration) multiple domains. Whether or not the whole thing is worth the effort is another thing... And to think that I have to get to grips with Active directories of W2000 next...
--
Alan Davies
Head of Computing
Birkenhead School
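
An added example, not part of the original message: a small Python check of the two smb.conf [global] settings the reply mentions, 'encrypt passwords' and making the server a browse master. The sample configurations are constructed; treating an unset 'encrypt passwords' as off and taking 'preferred master' as the browse-master setting meant are assumptions.

```python
# Added example: audit the [global] section of smb.conf text.
# Both sample configurations below are constructed for illustration.
WEAK = """\
[global]
   workgroup = SCHOOL
; set in a share section, so it has no effect on [global]
[shared]
   encrypt passwords = yes
"""

HARDENED = """\
[global]
   workgroup = SCHOOL
   Encrypt Passwords = Yes
   preferred master = yes
[shared]
   path = /home/shared
"""

def parse_global(text):
    """Collect name/value pairs from the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and spaces inside parameter names.
            params["".join(name.lower().split())] = value.strip().lower()
    return params

def audit(text):
    """Return findings for the two settings named in the message."""
    g = parse_global(text)
    on = {"yes", "true", "1"}
    findings = []
    # Assumption: an unset 'encrypt passwords' counts as off.
    if g.get("encryptpasswords", "no") not in on:
        findings.append("encrypt passwords is off: plaintext passwords on the wire")
    # Assumption: 'preferred master' is the browse-master setting meant.
    if g.get("preferredmaster", "no") not in on:
        findings.append("preferred master not set: browse master may move after elections")
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "ok")
```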