Welcome to the world of Windows, Unix and Linux under one IT roof. This tip reviews key factors in the interoperability between the host platform that Samba is running on, which is typically Linux, and the Microsoft Windows environment.
In part one,
NT4 domain replacement
Microsoft has been sending out notifications over a number of years that it NT4 operating system support will cease. Now, it's official, and Microsoft will provide no further updates. This has caused many businesses to seriously consider either replacement of NT4 with Active Directory or else with Samba-3 operating as an NT4-style domain controller.
Sites that require NT4 domain controllers will typically require a primary domain controller (PDC), as well as one or more backup domain controllers (BDCs). At this time, the only reliable method for implementing Samba-3 domain controllers (PDC plus BDCs) involves use of LDAP to store the user, group and machine account information.
The use of LDAP with Samba-3 domain control provides a more scalable NT4 domain architecture than was ever possible with Microsoft Windows NT4 itself. Samba-3 can be configured to use multiple concurrent LDAP directories, each of which can perform directory redirection and/or referrals.
An example that demonstrates the deployment of Samba-3 with an LDAP directory based account backend is given in chapter 6 of the book, Samba-3 by Example.
Samba-3 domain member servers in a Samba-3 domain may be configured to use winbind or to use LDAP to provide the IDMAP facility and resources. Examples are provided in chapter 9 of Samba-3 by Example.
Squid integration with Windows networking
Squid is a popular web and FTP proxy server that has support for server-side plug-in modules. One such plug-in module provides transparent authentication to restrict user access from Windows clients that use Microsoft Internet Explorer.
The protocol used is known as ntlm_auth and provides the NTLMSSP (NT LanManager Security Service Protocol). This module uses Samba's winbind to perform NT/LM authentication. Detailed information regarding the protocol can be found at Squid's web site.
An example that demonstrates use of this facility is given in chapter 11 of Samba-3 by Example. It should be noted that this module effectively only validates that the user is a member of a single domain that is specified in the Squid configuration file. The administrator should refer to the man page for the ntlm_auth module for specific additional configuration examples.
Samba has many features that are specifically directed at providing interoperability beyond the immediate purposes of file and print sharing. The foregoing discussion provides helpful references to assist the Windows network administrator to find information that will help in the selection of features that may be useful as well as how to use them.
Go back to part one.
About the author: John H. Terpstra is CTP of IT an consulting firm, Primastasys Inc., as well as author of several IT books and Ask the Expert advisor for SearchEnterpriseLinux.com.
This was first published in February 2005