On Sat, 2005-07-16 at 10:40, Bryan J. Smith wrote: > > The replacement is going to be an AD, but run by a group at another > > location that doesn't like unix. > > That right there is the problem. Any IT organization that "doesn't like > unix" is not about "servicing users" but "mandating arrogance." 9 times > out of 10 when I come into a shop, it's that arrogant, oblivious > attitude that causes _all_ the problems. I said that to keep it short, but it is really much more complicated. In fact the people involved are all reasonable and cooperative and even if they wanted to be arrogant, everyone knows that management will insist on making things work together if it comes to that. The problem is that no one knows how to integrate different technology and it may not even be possible to know. There are hundreds of books and classes on Windows networking and about the same for at least some flavors of unix, but there is really nothing published about integrating heterogeneous systems and even if there were, it would change with every samba release and every windows service pack. The seemingly arrogant attitude comes from having to stick to what you know works and there isn't much overlap. > > We will probably have an AD server at this location with AD replication. > > Can it do SFU if the master doesn't? > > Yes. DCs are peers. In fact, I highly recommend you setup _true_ > UNIX/Linux secondary DNS and slave NIS servers to the ADS-integrated > primary DNS (I assume they made your DNS ADS' bitch with ADS-integrated > DNS) and ADS SFU master NIS server. The AD is being added as a new domaim with users moved over as testing proceeds. I have added slave zones to my unix dns to accomodate it. > My recent favorite "Samba issue" was when Windows Server 2003 / Windows > XP Pro re-introduced an old, _broken_ handshake. In a nutshell, 2003/XP > skipped a step in the handshake. Because this violates the security > protocol, Samba refused to allow access. But 2003/XP went right through > the handshake. It made Samba "look bad," but in actuality, Microsoft > violated their own security protocols! I think that's about the 4th time they have done that with service packs that you are forced to install because of other security issues. I'm sure making samba look bad was not accidental - and that it wasn't the last time either. > > No, nobody cares if my job is hard or easy - or how many places I > > have to copy a file to make things work. > > And if the UNIX/Linux network goes down? I keep spare parts... > I feel for you dude. I've come in several times and seen people just > like you in your position. It took me only 1 day before I had the > Windows admins and their managers realizing how much their business > relies on the UNIX/Linux services. Oh, they do understand that here - and the new management even has a good handle on how much it would save to run more things on Linux. But, everyone has their hands more than full already trying to integrate the companies without making additional infrastructure changes or re-writing apps. > > I've always thought that the worst possible thing you could do is to > > have someone come in and set up something you don't understand yourself. > > Then you haven't been hiring the right type of architects/consultants. > > A _good_ architect/consultant spends the _majority_ of his/her time > doing "knowledge transfer," giving you options, feedback and then > explaining what options are available to you, how they work, etc... And > after he/she helps you implement them, you have a full set of > documentation of _your_ operations to follow in case you forget > something. Yes, if you are lucky you might get that. But it's a snapshot of what you can do today. What you need is to understand how you should plan for a few years out, and an outsider won't know enough about a business (at least if it is an unusual business...) to do that. And in our case, nothing we could have planned two years ago would have matched our situation now, trying to integrate into a completely different company. > > But, regardless of any global scheme, the set of valid logins on each > > of these boxes is unique so specifying it in some network setup is > > going to be just about the same amount of work as doing it directly > > on each one. > > I think Netgroups would be a "fire and forget" setup on each system. > You do it just once on each system, and then you only have to change the > Netgroup membership on the NIS master from then on. The reason for unique sets of people on these machines is generally for ownership of files and stuff in their home directories, so that part of the account setup has to be done individually anyway. Other than personnel turnover the only things that change later are the passwords which are taken care of with simple SMB authentication against a PDC now. If the AD can emulate that, I may keep it the same for simplicity. The one thing that would be worth the trouble to fix would be CVS - it is about the only thing left that doesn't use PAM and the number of users is increasing. I know there are patches but there is a tradeoff in making a version that doesn't match the distribution. -- Les Mikesell lesmikesell@xxxxxxxxx