summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2005-06-19 05:37:39 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:46:50 -0500
commit9c183bae31587c9ed40dbdae0660c2c408bdb648 (patch)
tree7494400f2fd00ea4e63ee33b02a99fcc31b06302 /docs
parente2e8575da9277b0b67ac789461f4a91826c7c0eb (diff)
downloadsamba-9c183bae31587c9ed40dbdae0660c2c408bdb648.tar.gz
samba-9c183bae31587c9ed40dbdae0660c2c408bdb648.tar.bz2
samba-9c183bae31587c9ed40dbdae0660c2c408bdb648.zip
Another partial update. More to follow.
(This used to be commit af8ad4d3f8c93a1fd40399253ba621d54ec3070a)
Diffstat (limited to 'docs')
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-BDC.xml36
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-PDC.xml34
2 files changed, 54 insertions, 16 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-BDC.xml b/docs/Samba3-HOWTO/TOSHARG-BDC.xml
index 353683478c..5a62de8e86 100644
--- a/docs/Samba3-HOWTO/TOSHARG-BDC.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-BDC.xml
@@ -29,26 +29,36 @@ we will do our best to provide a solution.
<para>
<indexterm><primary>SAM backend</primary><secondary>LDAP</secondary></indexterm>
-Samba-3 can act as a Backup Domain Controller (BDC) to another Samba Primary Domain
-Controller (PDC). A Samba-3 PDC can operate with an LDAP account backend. The LDAP backend can be
-either a common master LDAP server or a slave server. The use of a slave LDAP server has the
-benefit that when the master is down, clients may still be able to log onto the network.
-This effectively gives Samba a high degree of scalability and is an effective solution
-for large organizations. If you use an LDAP slave server for a PDC,
-you will need to ensure the master's continued availability &smbmdash; if the
-slave finds its master down at the wrong time, you will have
-stability and operational problems.
+<indexterm><primary>PDC</primary></indexterm>
+<indexterm><primary>BDC</primary></indexterm>
+<indexterm><primary>LDAP</primary><secondary>slave</secondary></indexterm>
+<indexterm><primary>scalability</primary></indexterm>
+Samba-3 can act as a Backup Domain Controller (BDC) to another Samba Primary Domain Controller (PDC). A
+Samba-3 PDC can operate with an LDAP account backend. The LDAP backend can be either a common master LDAP
+server or a slave server. The use of a slave LDAP server has the benefit that when the master is down, clients
+may still be able to log onto the network. This effectively gives Samba a high degree of scalability and is
+an effective solution for large organizations. If you use an LDAP slave server for a PDC, you will need to
+ensure the master's continued availability &smbmdash; if the slave finds its master down at the wrong time,
+you will have stability and operational problems.
</para>
<para>
+<indexterm><primary>two-way</primary><secondary>propagation</secondary></indexterm>
<indexterm><primary>replication</primary><secondary>SAM</secondary></indexterm>
+<indexterm><primary>non-LDAP</primary><secondary>backend</secondary></indexterm>
While it is possible to run a Samba-3 BDC with a non-LDAP backend, that
backend must allow some form of "two-way" propagation of changes
from the BDC to the master. Only LDAP has such capability at this stage.
</para>
<para>
+<indexterm><primary>non-LDAP</primary><secondary>backend</secondary></indexterm>
<indexterm><primary>SAM backend</primary><secondary>non-LDAP</secondary></indexterm>
+<indexterm><primary>domain</primary><secondary>member</secondary><tertiary>server</tertiary></indexterm>
+<indexterm><primary>BDC</primary></indexterm>
+<indexterm><primary>PDC</primary></indexterm>
+<indexterm><primary>trust account password</primary></indexterm>
+<indexterm><primary>domain trust</primary></indexterm>
The use of a non-LDAP backend SAM database is particularly problematic because domain member
servers and workstations periodically change the Machine Trust Account password. The new
password is then stored only locally. This means that in the absence of a centrally stored
@@ -60,14 +70,14 @@ breakage of the domain trust.
</para>
<para>
-Considering the number of comments and questions raised concerning how to configure a BDC,
-let's consider each possible option and look at the pros and cons for each possible solution.
-<link linkend="pdc-bdc-table">The Domain Backend Account Distribution Options table below</link> lists
-possible design configurations for a PDC/BDC infrastructure.
<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
<indexterm><primary>SAM backend</primary><secondary>ldapsam</secondary></indexterm>
<indexterm><primary>SAM backend</primary><secondary>tdbsam</secondary></indexterm>
<indexterm><primary>replication</primary><secondary>SAM</secondary></indexterm>
+Considering the number of comments and questions raised concerning how to configure a BDC,
+let's consider each possible option and look at the pros and cons for each possible solution.
+<link linkend="pdc-bdc-table">The Domain Backend Account Distribution Options table below</link> lists
+possible design configurations for a PDC/BDC infrastructure.
</para>
<table frame="all" id="pdc-bdc-table"><title>Domain Backend Account Distribution Options</title>
diff --git a/docs/Samba3-HOWTO/TOSHARG-PDC.xml b/docs/Samba3-HOWTO/TOSHARG-PDC.xml
index 9639221a2a..7518dd6edc 100644
--- a/docs/Samba3-HOWTO/TOSHARG-PDC.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-PDC.xml
@@ -243,13 +243,41 @@ Information Databases</link>.
</sect1>
<sect1>
+<title>Comparison of Single Sign-on and Domain Security</title>
+
+<para>
+When network administrators are asked to describe the benefits of Windows NT4 and active directory networking
+the most often mentioned feature is that of SSO. Many companies have implemented SSO solutions. The mode of
+implementation of a single sign-on solution is an important factor in the practice of networking in general,
+and is critical in respect of Windows networking. Where a company may have a wide variety of information
+systems, each of which require some form of user authentication and validation it is not uncommon that users
+may need to remember more than a dozen login IDs and passwords. The problem will be compounded when the
+password for each system must be changed at regular intervals, and particularly so where password uniqueness
+and history limits are applied.
+</para>
+
+<para>
+There is a wide perception that SSO is the answer to the problem of users having to deal with too many
+information system access credentials. Many elaborate schemes have been devised to make it possible to deliver
+a user-friendly SSO solution. The trouble is that if this implementation is not done correctly, the site may
+end up paying dearly by way of complexity and management overheads. Simply put, many SSO solutions are an
+administrative nightmare.
+</para>
+
+<para>
+SSO implementations may involve centralization of all user account information in one repository. Depending on
+... add stuff here JHT!
+</para>
+
+</sect1>
+
+<sect1>
<title>Basics of Domain Control</title>
<para>
<indexterm><primary>domain control</primary></indexterm>
-Over the years, public perceptions of what domain control really is has taken on an
-almost mystical nature. Before we branch into a brief overview of domain control,
-there are three basic types of domain controllers.
+Over the years, public perceptions of what domain control really is has taken on an almost mystical nature.
+Before we branch into a brief overview of domain control, there are three basic types of domain controllers.
</para>
<sect2>