On Wed, Jun 18, 2008 at 06:40:05PM -0400, Kyle McDonald wrote:
> >So, what are you trying to do?
> >  
> I need to setup a new farm of software build servers. They'll consist of 
> all different versions of Linux  (multiple versions of RHEL, and SLES) 
> and a few S10 for building our software.
> I also need to setup a bunch of NFS fileservers to support this build 
> Farm. The Developers all have Windows desktops that are clients of the IT 
> 'CORP' AD domain, and they'll also want access to the files on the 
> servers through CIFS, so I really want to setup sNV servers with ZFS and 
> CIFS. So for the most part, it's Solaris to Windows with CIFS, and 
> Solaris to Solaris and Linux with NFS. There might be a few Linux 
> machines that end up with filesystem to share via NFS and/or SAMBA, but 
> I think those will be 'nice to haves' that I can work around if it can't 
> be made to work.

I'm glad I asked :)

OK then the prescription is:

 - setup a Unix nameservice for the Solaris and Linux systems

    - AD SFU *will* do if you can get Linux's nss_ldap to use it (I'm
      sure you can).  And AD SFU *will* make administration easier for
      you.

 - setup either directory-based name mapping or name-based mapping rules
   for the Solaris file servers.

 - Make sure that for every Windows user and group that will be
   referenced by the Windows clients (when talking CIFS to the Solaris
   servers) there exists a user and group in the Unix nameservice and
   corresponding mappings.

    - Keep in mind that Windows groups can own files, so you may need to
      ensure that each Windows group (and even users) maps to a Unix
      user and a Unix group.

> I just don't want to be in the business of creating and managing user 
> accounts. Today, the IT dept has several separate user databases, that 
> they create accounts for new employees in when they join the company. 

As long as you intend to use NFSv3 you have little choice.

> Changing passwords is a problem, and is rare. Currently one of the places 
> they create an account (in addition to AD) is a linux NIS server (with 
> only passwd and group maps) they run - Basically this is the only UNIX 
> machine in the company they've agreed to setup, manage and support. 

Make sure that your Linux and Solaris clients can use Kerberos to
authenticate users via AD.  If you can make sure that AD usernames can
be used as Unix usernames (keep them short and free of funny characters)
then this is trivial.

> Currently most of the linux machines either use no Name service (most of 
> them are like this) or a few join that NIS domain.

That's going to have to change.

> Thus, I'd be willing to pay money to install a sun nss_something, or 
> pam_something modules, plus any other software needed to get a 
> compatible mapping mechanism on linux as you have on Nevada.

There are third party offerings out there.  Also, Samba has solutions in
this space too.

Nico
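
The coverage check described in the prescription above, as an added example that is not part of the original message: it audits a list of AD users and groups against the Unix nameservice and flags any principal that lacks a Unix user or a Unix group. All names and the name pattern are constructed assumptions.

```python
import re

# Constructed sample data (not from the thread): AD principals the CIFS
# clients will reference, and what the Unix nameservice currently holds.
AD_USERS = ["kyle", "jsmith", "Mary O'Neil"]
AD_GROUPS = ["builders", "Domain Users", "qa"]
UNIX_USERS = {"kyle", "builders"}
UNIX_GROUPS = {"kyle", "builders"}

# Assumption: "short and free of funny characters" is read here as a
# lowercase name of at most 32 characters.
UNIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def audit(ad_users, ad_groups, unix_users, unix_groups):
    """Return {principal: [problems]} for same-name, name-based mapping."""
    findings = {}
    for kind, names in (("user", ad_users), ("group", ad_groups)):
        for name in names:
            problems = []
            if not UNIX_NAME.match(name):
                # Cannot be reused verbatim as a Unix name, so an explicit
                # mapping rule (or directory-based mapping) is required.
                problems.append("needs explicit mapping rule")
            else:
                # Windows groups (and users) can own files, so each
                # principal is checked for both a Unix user and a Unix group.
                if name not in unix_users:
                    problems.append("no Unix user")
                if name not in unix_groups:
                    problems.append("no Unix group")
            if problems:
                findings[f"{kind}:{name}"] = problems
    return findings


if __name__ == "__main__":
    report = audit(AD_USERS, AD_GROUPS, UNIX_USERS, UNIX_GROUPS)
    for principal, problems in sorted(report.items()):
        print(f"{principal}: {', '.join(problems)}")
```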