mirror of https://github.com/samba-team/samba.git synced 2025-08-04 08:22:08 +03:00

Rolling in VL's changes.

(This used to be commit 02244dac83)
John Terpstra
2003-05-11 19:57:51 +00:00
parent 0710bab071
commit 03589cf994


@ -342,17 +342,21 @@ in this HOWTO collection.
<title>ADS Security Mode (User Level Security)</title>
<para>
Samba-2.2.x could join and Active Directory domain so long as the Active Directory domain
controller is configured for mixed mode operation, and is running NetBIOS over TCP/IP. MS
Windows 2000 and later can be configured to run without NetBIOS over TCP/IP, instead it
can run SMB natively over TCP/IP.
Both Samba 2.2 and 3.0 can join an active directory domain. This is
possible even if the domain is run in native mode. Active Directory in
native mode perfectly allows NT4-style domain members, contrary to
popular belief. The only thing that Active Directory in native mode
prohibits is Backup Domain Controllers running NT4.
</para>
<para>
The ability to natively join an Active Directory domain requires the use of Kerberos
based authentication. The Kerberos protocols have been extended by Microsoft so that
a plain MIT Kerberos, or a Heimdal client is not sufficient. Samba-3 now has the ability
to be a native Active Directory member server.
If you are running Active Directory starting with Samba 3.0 you can
however join as a native AD member. Why would you want to do that?
Your security policy might prohibit the use of NT-compatible
authentication protocols. All your machines are running Windows 2000
and above and all use full Kerberos. In this case Samba as a NT4-style
domain would still require NT-compatible authentication data. Samba in
AD-member mode can accept Kerberos.
</para>
<sect3>
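Review bot: In the second rewritten paragraph, "Samba as a NT4-style domain would still require NT-compatible authentication data" seems to be missing the word "member". The first paragraph speaks of "NT4-style domain members", and without it the sentence reads as if Samba were the domain itself. I suggest "Samba as an NT4-style domain member". The opening sentence of the same paragraph, "If you are running Active Directory starting with Samba 3.0 you can however join as a native AD member", attaches "starting with Samba 3.0" to the wrong clause and would read better as "If you are running Active Directory, then starting with Samba 3.0 you can also join as a native AD member". The replaced text said that a native join requires Kerberos-based authentication and that a plain MIT Kerberos or Heimdal client is not sufficient because of Microsoft's extensions. The new wording only says AD-member mode "can accept Kerberos", so the prerequisite is lost. If that caveat still holds, please keep a sentence for it, since it is what an administrator moving off NT-compatible authentication needs to plan for. Minor: "active directory domain" in the first new paragraph should be capitalised like the other occurrences of "Active Directory".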