[olug] System management tools

Phil Brutsche phil at brutsche.us
Mon Nov 29 04:53:49 UTC 2004


Sean Kelly wrote:
> On Sat, Nov 27, 2004 at 07:52:14PM -0600, Phil Brutsche wrote:
> 
>> It's important to note that Microsoft's freeware Services for Unix 
>> includes a component that will turn any AD DC into an NIS master or
>> slave server.  Dunno if it does NIS+.
> 
> 
> Right. I am aware of this but am not sure convincing the Windows 
> cadre that this is a good path to take. It will take some 
> experimentation.

Well, if you can't convince the Windows admins to go along with it, you
will forever be stuck with 2 authentication systems (1 for Windows, 1
for everything else).

That goes for any other system that allows cross-platform
authentication, such as Novell's eDirectory (or whatever they call it
these days).

>> Also remember that one of the technologies AD is based on is 
>> Kerberos. That's probably your most cross-platform option.
> 
> The key term here is "based on." Have you successfully done krb5 
> against AD before? It is on my ever-growing list of things to try, 
> but I haven't gotten there yet. I'll let you know what results I end
> up with, though.

Yes, it's required for Samba 3 to join an AD domain natively (as opposed
to NT4 compatibility mode).  Depending on which krb5 library you use
(MIT or Heimdal) all you need to do is specify the AD DNS domain as your
Kerberos realm - I forget which I used at the time.  It basically looked
up the AD SRV records to find out the hostname of the KDC.

A Google search on "active directory kdc" will give you some good
examples for several different systems.

> NIS is pretty meh, in my opinion. FreeBSD 5's PAM/NSS abilities make 
> FreeBSD 4 not worth hassling with.

You didn't mention you were using FreeBSD 5, which is why I mentioned NIS :)

>> (mention of pGina)
> There are better chances for snow in Hell than that happening. Neat, 
> though. I might do that to my machines just for entertainment.

You would have better luck getting the Windows admins to install
SFU.

> Another solution to look at is http://www.padl.com/Products/XAD.html.
> It seems to do it all. PADL has some very useful things.

The commercial package I mentioned previously is called VAS (Vintela
Authentication System), created by a company called Vintela.

The web site is http://www.vintela.com/products/vas/.

-- 

Phil Brutsche
phil at brutsche.us
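
Added example, not part of the original message or of any project it mentions: a sketch of the SRV-based KDC discovery described above, showing which DNS names a krb5 client queries for a realm and how the answers are ordered. The domain "ad.example.com", the host names and the SRV records are constructed sample data, and the function names are hypothetical.

```python
import random

# Constructed sample data: SRV answers in zone-file form for a hypothetical
# AD DNS domain "ad.example.com" (fields: priority weight port target).
SAMPLE_SRV = """\
_kerberos._tcp.ad.example.com. 600 IN SRV 0 100 88 dc1.ad.example.com.
_kerberos._tcp.ad.example.com. 600 IN SRV 0 100 88 dc2.ad.example.com.
_kerberos._tcp.ad.example.com. 600 IN SRV 10 100 88 dc-dr.ad.example.com.
"""

def realm_for(dns_domain):
    """Realm names are case-sensitive; AD uses the upper-cased DNS domain."""
    return dns_domain.strip(".").upper()

def srv_query_names(dns_domain):
    """DNS names queried to locate KDCs for a realm (RFC 4120, section 7.2.3)."""
    d = dns_domain.strip(".").lower()
    return [f"_kerberos._udp.{d}", f"_kerberos._tcp.{d}"]

def parse_srv(text):
    """Parse zone-file style SRV lines into (priority, weight, port, target)."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[3].upper() == "SRV":
            records.append((int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".")))
    return records

def order_kdcs(records, rng=None):
    """RFC 2782 order: lowest priority first, weighted-random within a priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick = rng.uniform(0, sum(r[1] for r in group))
            running = 0
            for r in group:
                running += r[1]
                if pick <= running:
                    break
            group.remove(r)          # r is the chosen (or last) record
            ordered.append((r[3], r[2]))
    return ordered

if __name__ == "__main__":
    print(realm_for("ad.example.com"), srv_query_names("ad.example.com"))
    for host, port in order_kdcs(parse_srv(SAMPLE_SRV)):
        print(f"{host}:{port}")
```

Because the KDC host names come from DNS answers, compare what this lookup returns with the domain controllers you expect before relying on it.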


