On Fri, 2005-07-15 at 16:27 -0500, Les Mikesell wrote:
> The replacement is going to be an AD, but run by a group at another
> location that doesn't like unix.
>
> > Furthermore, you can even set up true UNIX/Linux NIS "slave" servers
> > to SFU, just like you can set up UNIX/Linux BIND "secondary" DNS
> > servers to MS ADS-integrated DNS. That way if your MS ADS DC
> > tanks, you're not down, because you still have UNIX/Linux DNS/NIS.
>
> We will probably have an AD server at this location with AD replication.
> Can it do SFU if the master doesn't?

Les-

You can always use the AD PDCs as source in krb5.conf in conjunction with pam_krb5, and then use a little bit of middleware to fish your users' directory info out of AD via LDAP queries and either build NIS dbs or, with pam_ldap/nss_ldap, set up your own LDAP server for your Unix machines' consumption. You can even add the samba.schema to your servers and add in the idmap support using the user's objectSID from AD (you have to convert this from binary to a character string for samba). Python-LDAP works pretty nicely to talk to AD. You just have to bind as a user (or machine account :) as AD usually doesn't permit anonymous binds.

We have been looking at using our campus AD to handle all/most of our user info, but the AD folks here are pretty responsive to our queries and are willing to delegate full control of sub-OUs to us.

-- Sean
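A worked illustration of the objectSID conversion and passwd-building middleware Sean describes, added here as an example rather than code from the thread; the sample LDAP entry (shaped like a python-ldap search result), the attribute names and the RID-plus-offset uid scheme are assumptions for illustration.

```python
import struct

# Constructed sample: the (dn, attrs) tuple python-ldap's search_s() returns
# for one user. Attribute names and values are assumptions for illustration.
SAMPLE_ENTRY = (
    "CN=jdoe,OU=People,DC=example,DC=org",
    {
        "sAMAccountName": [b"jdoe"],
        "displayName": [b"Jane Doe"],
        # S-1-5-21-1000-2000-3000-1105 in AD's binary objectSID encoding
        "objectSID": [bytes.fromhex("0105000000000005"      # rev=1, 5 subs, authority=5
                                    "15000000e8030000d0070000b80b000051040000")],
    },
)


def sid_to_string(raw: bytes) -> str:
    """Convert a binary objectSID to the S-1-5-21-... text form samba's
    sambaSID attribute and idmap expect."""
    if len(raw) < 8:
        raise ValueError("objectSID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("objectSID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])      # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rid_from_sid(raw: bytes) -> int:
    """The relative identifier is the last sub-authority of the SID."""
    return int(sid_to_string(raw).rsplit("-", 1)[1])


def passwd_line(entry, uid_base: int = 10000, gid: int = 10000) -> str:
    """Build one /etc/passwd-style line from an AD entry, deriving the uid
    from the RID plus an offset (an assumed, algorithmic idmap scheme)."""
    _dn, attrs = entry
    login = attrs["sAMAccountName"][0].decode()
    gecos = attrs.get("displayName", [b""])[0].decode()
    uid = uid_base + rid_from_sid(attrs["objectSID"][0])
    return "%s:x:%d:%d:%s:/home/%s:/bin/bash" % (login, uid, gid, gecos, login)


if __name__ == "__main__":
    print(sid_to_string(SAMPLE_ENTRY[1]["objectSID"][0]))
    print(passwd_line(SAMPLE_ENTRY))
```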