pam_krb5 + SFU 2.0+ Windows 2000

Hi,

I'd like to raise some questions that are specifically relevant to this list,
but at the risk of appearing off topic, I'm going to mention some larger
interoperability issues that arise naturally in the course of implementing 
unified user authentication and administration across operating systems.

First, does anyone on the list have experience using pam_krb5 and
Services for UNIX (SFU) 2.0 for Windows 2000?

Here's my setup:

I have a test setup with a domain controller for Windows 2000, which will
function as my Kerberos KDC. I also have another W2K server acting as my DNS
for that domain. I also have two Redhat LINUX 7.1 clusters (the number of
nodes on each is irrelevant), each with a file server. One of the file
servers runs NIS. The W2K domain controller has SFU 2.0 installed and
configured as a client of the cluster NIS domain.

SFU 2.0 has extended Active Directory on the W2K domain controller. Since
the domain controller is a member of the cluster NIS domain, it has access
to the NIS maps, so that one can assign a UNIX UID/GID pair to a user
defined in the NIS passwd map, and automatically translate that pair to a
W2K SID for that user. One can also NFS export the user's share, among other
things.

What I'd like is to avoid SFU's password synchronization mechanism, which
can't work with MD5 passwords, and use pam_krb5 to authenticate users
instead. Ultimately, I'd like to move the NIS server for the cluster domain
to SFU's NIS server on the W2K domain controller, in the hope that I could
maintain all accounts in W2K in active directory. With the NIS master on one
of the cluster file servers, I have to create parallel entries for each user
in the NIS maps, and program the UID/GID pairs identically in active
directory.

The next issue isn't for the pam list per se, but it arises immediately once
I get pam_krb5 working with W2k.

Even assuming that once the NIS server is migrated to the domain controller,
so that I'll never have to update another NIS map from LINUX whenever I add
a new user (from now on this is done only in W2k and never under LINUX,
except for local accounts) and that krb5 authentication is working in lieu
of password synchronization, there are still questions one has about account
creation. What about default configuration files? Under RH LINUX, the user
account creation utilities copy default configuration files from /etc/skel,
but it's not clear whether SFU handles configuration files at all, if the
administration of user accounts is now being handled under active
directory. I'm curious to know how others have approached this question,
even in other situations...

Regards,
Florian Lengyel
CUNY Graduate Center
325 Fifth Avenue
New York, NY 10016




