Re: pam_krb5 + SFU 2.0+ Windows 2000

I'm not sure I understand what you're doing.

Are you trying to slave AD to an existing NIS domain?

Or are you trying to have AD support NIS with data from AD?

I would choose the latter approach, if SFU gives you a choice at all.

Now, as for pam_krb5, yes, there are a number of versions available, and
at least one reportedly works fine with AD as the KDC.

And the password synchronization issue is easy to deal with: just use
Kerberos for password validation and forgo NIS (i.e., install PAM_KRB5
on all your *nix hosts, upgrade all your Windows systems to 2000 or
XP, when it comes out). Then there's no password sync issue.

As for home directory skeleta for account creation, I'm afraid you'll
have to script that as a task to be done *after* creating the user
account in AD. You can actually automate such tasks as there is an API
for listening to all replication and local transaction updates on an AD
controller, but that's probably a tall order and I doubt many AD users
have gone or would go that far.

Also, I recommend you look into using nss_ldap on the *nix side so as to
replace NIS with LDAP. Yes, LDAP is yucky, but NIS is worse. This might
be worth doing even if you were not using AD as NIS is not secure (I
suppose someone could work RPCSEC_GSS support into some NIS
implementation, but I doubt anyone ever will -- NIS is legacy).

I wonder if there's a HOW-TO anywhere for mixing *nix, nss_ldap, cyrus
sasl, OpenLDAP (or whatever client-side libraries) and Active Directory,
and getting it all to work.

Cheers,

Nico
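Nico's suggestion above to script home-directory creation as a task run after the account exists in AD, and Florian's /etc/skel question in the quoted message below, as an added example that is not code from either poster: a POSIX sh script that reads passwd(5)-format entries (from `getent passwd` in a real deployment, so nss_ldap or NIS supplies them; here from constructed sample lines) and creates the missing home directories from a skeleton directory. The skeleton path, the home base, the minimum UID and the sample accounts are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: provision home directories for
# accounts that already exist in the directory (AD via NIS or nss_ldap) but
# have no home on this host yet. Feed it passwd(5)-format lines on stdin,
# e.g. `getent passwd | provision_homes /etc/skel /home 1000` (run as root).

provision_homes() {
    skel=$1              # skeleton directory, e.g. /etc/skel (assumed path)
    base=$2              # only homes below this directory are touched, e.g. /home
    minuid=${3:-1000}    # ignore system accounts below this UID (assumed cut-off)
    count=0
    while IFS=: read -r name _ uid gid _ home _; do
        [ -n "$name" ] || continue
        [ "$uid" -ge "$minuid" ] 2>/dev/null || continue
        case $home in
            "$base"/*) ;;          # home is below the base: handle it
            *) continue ;;         # anything else (e.g. /root) is left alone
        esac
        # Skip anything that already exists, including symlinks and plain
        # files, so a pre-planted entry is never followed or overwritten.
        if [ -e "$home" ] || [ -L "$home" ]; then continue; fi
        # Create the directory with a restrictive mode before copying the
        # skeleton (dotfiles included), so it is never world-readable.
        mkdir -m 0700 "$home" || continue
        cp -pR "$skel"/. "$home"/ || continue
        # Ownership can only be changed by root; when run unprivileged
        # (as in the self-test below) the directory stays owned by the caller.
        if [ "$(id -u)" -eq 0 ]; then chown -R "$uid:$gid" "$home"; fi
        count=$((count + 1))
    done
    echo "$count"
}

# Self-test on constructed data in a temporary tree (no real accounts touched).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/skel" "$tmp/home/bob"            # bob is already provisioned
    printf 'umask 077\n' > "$tmp/skel/.profile"
    n=$(printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        "alice:x:1001:1001:Alice:$tmp/home/alice:/bin/sh" \
        "bob:x:1002:1002:Bob:$tmp/home/bob:/bin/sh" \
        "svc:x:60:60:service:$tmp/home/svc:/sbin/nologin" \
        | provision_homes "$tmp/skel" "$tmp/home" 1000)
    result="created=$n"
    [ -f "$tmp/home/alice/.profile" ] && result="$result alice=ok"
    [ ! -e "$tmp/home/svc" ] && result="$result svc=skipped"
    rm -rf "$tmp"
    echo "$result"
}

demo   # prints: created=1 alice=ok svc=skipped
```

In production this runs from cron or as a hook after the account is created on the Windows side; it only creates what is missing, leaves existing directories, files and symlinks untouched, and refuses any home that is not below the configured base, so a malformed directory entry cannot steer it outside /home.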


On Wed, Aug 15, 2001 at 05:57:30PM -0400, Lengyel, Florian wrote:
> Hi,
> 
> I'd like to raise some questions that are specifically relevant to this list,
> but at the risk of appearing off topic, I'm going to mention some larger
> interoperability issues that arise naturally in the course of implementing 
> unified user authentication and administration across operating systems.
> 
> First, does anyone on the list have experience using pam_krb5 and
> Services for UNIX (SFU) 2.0 for Windows 2000?
> 
> Here's my setup:
> 
> I have a test setup with a domain controller for Windows 2000, which will
> function as my Kerberos KDC. I also have another W2K server acting as my DNS
> for that domain. I also have two Redhat LINUX 7.1 clusters (the number of
> nodes on each is irrelevant), each with a file server. One of the file
> servers runs NIS. The W2K domain controller has SFU 2.0 installed and
> configured as a client of the cluster NIS domain.
> 
> SFU 2.0 has extended active directory on the W2k domain controller. Since
> the domain controller is a member of the cluster NIS domain, it has access
> to the NIS maps, so that one can assign a UNIX UID/GID pair to a user
> defined in the NIS passwd map, and automatically translate that pair to a
> W2K SID for that user. One can also NFS export the user's share, among other
> things.
> 
> What I'd like is to avoid SFU's password synchronization mechanism, which
> can't work with MD5 passwords, and use pam_krb5 to authenticate users
> instead. Ultimately, I'd like to move the NIS server for the cluster domain
> to SFU's NIS server on the W2K domain controller, in the hope that I could
> maintain all accounts in W2K in active directory. With the NIS master on one
> of the cluster file servers, I have to create parallel entries for each user
> in the NIS maps, and program the UID/GID pairs identically in active
> directory.
> 
> The next issue isn't for the pam list per se, but it arises immediately once
> I get pam_krb5 working with W2k.
> 
> Even assuming that once the NIS server is migrated to the domain controller,
> so that I'll never have to update another NIS map from LINUX whenever I add
> a new user (from now on this is done only in W2k and never under LINUX,
> except for local accounts) and that krb5 authentication is working in lieu
> of password synchronization, there are still questions one has about account
> creation. What about default configuration files? Under RH LINUX, the user
> account creation utilities copy default configuration files from /etc/skel,
> but it's not clear whether SFU handles configuration files at all, if the
> administration of user accounts is now being handled under active
> directory. I'm curious to know how others have approached this question,
> even in other situations...
> 
> Regards,
> Florian Lengyel
> CUNY Graduate Center
> 325 Fifth Avenue
> New York, NY 10016
> 
> 
> 
> _______________________________________________
> 
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
--

Visit our website at http://www.ubswarburg.com
