Hi all: I'm looking for a solution to integrate 150+ existing Linux systems into an Active Directory (Win Server 2003) domain. These systems are currently using NIS for directory/authentication services, and all users (2000+) have existing UIDs/GIDs that need to be maintained (due to being spread out all over the place; we don't think we could do any kind of controlled migration of this data, etc). Our directory schema already has the msSFU30 schema added.

I've done extensive research, and it seems my options are:

1) implement Services for Unix on a Windows server
2) use straight LDAP auth (LDAP NSS, LDAP PAM)
3) use LDAP in NSS and Kerberos in PAM
4) use LDAP in NSS and winbind in PAM

From what I understand, there is no feasible way of implementing winbind in NSS and maintaining existing UID/GID mappings. #1 doesn't really work for us (we want to ditch NIS for a number of reasons and we can't adequately secure NIS running under SFU). #2 doesn't really work due to security constraints and strikes me as a BadThing in general.

My first real question to the list is: what does #4 get me over #3?

Some other requirements for our environment:

- We need group membership to work (e.g., have users as members of groups on the Unix side).
- We also need a mechanism for restricting login on workstations to a specific list of users (on workstation a, only users b, c, and d can log in; on workstation b, members of group alpha can log in; etc). Currently we implement this through netgroups on NIS. The implementation is not important as long as it "does the job".

In a perfect world, all these services would be provided in a way where our helpdesk staff could create/maintain accounts and workstation access lists using only Active Directory Users and Computers or other Windows management tools. This is not a requirement, just a preference.

Now into the truly unknown realm: we are investigating means for offering strong protection on our network shares. By this, I mean enforcing permissions to the point where if a user has not logged into that station with a username and password, then they do not get to access any remote files belonging to that username. For example, user A logs into a workstation. She can access all her files on our network filer and other network shares. Then this user su's to root, and then to user B. While we can't stop her from obtaining user B's credentials for local file access, she has not authenticated as user B, and thus doesn't have a ticket for user B, etc. If she tries to do anything requiring user B's credentials on the network (i.e., delete user B's files from his home directory), she will be unable to do so (permission denied).

By default, Windows gives this protection. Their Kerberos ticket authorizes all network shares, and logging on as "local administrator" or any other local user will not authorize them to access any network resources without authenticating as a domain user. We would like to implement something like this on our Linux stations. We don't really know how to; we're in the brainstorming phase. One possibility I had was mounting their home directory via CIFS; another was NFSv4 with Kerberos. Does anyone have any suggestions? Are there any cool ways to do this with samba/winbind/samba tools?

Thanks in advance!

--Jim Kusznir
Unix System Admin
Washington State University, School of EECS
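Added example (not part of the original message, and not Samba project code): staged configuration fragments for option #3 above (LDAP in NSS, Kerberos in PAM), with pam_access standing in for the NIS netgroup-based per-workstation login lists and an NFSv4 mount with Kerberos security for the "no ticket, no remote files" requirement. The realm, host names, base DN, bind account, file layout (nss_ldap-style ldap.conf, a Red Hat-style system-auth PAM stack) and the msSFU30 attribute mapping are assumptions; they write to a staging directory, not /etc, so the fragments can be reviewed before being rolled out.

```shell
#!/bin/sh
# Added example, not from the original post. Stages config fragments for
# "LDAP in NSS, Kerberos in PAM" under $STAGE (default /tmp/...), never /etc.
STAGE="${STAGE:-/tmp/ad-integration-staging}"

write_staged_configs() {
    mkdir -p "$STAGE/security" "$STAGE/pam.d"

    # NSS: users, groups and netgroups are resolved from AD (msSFU30 attributes),
    # so existing UIDs/GIDs are whatever the directory says they are.
    cat > "$STAGE/nsswitch.conf" <<'EOF'
passwd:    files ldap
group:     files ldap
netgroup:  files ldap
EOF

    # nss_ldap-style ldap.conf (assumed layout). Read-only proxy account, TLS,
    # and the POSIX-to-msSFU30 attribute mapping; bindpw lives in ldap.secret.
    cat > "$STAGE/ldap.conf" <<'EOF'
uri ldap://dc1.example.edu/
base dc=example,dc=edu
binddn cn=nssproxy,cn=Users,dc=example,dc=edu
ssl start_tls
nss_base_passwd cn=Users,dc=example,dc=edu?sub
nss_base_group  cn=Users,dc=example,dc=edu?sub
nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos msSFU30Gecos
nss_map_attribute uniqueMember msSFU30PosixMember
EOF

    # PAM (assumed Red Hat-style stack): Kerberos does the password check and
    # obtains a per-session ticket; pam_access enforces the workstation login list.
    cat > "$STAGE/pam.d/system-auth" <<'EOF'
auth      sufficient  pam_unix.so try_first_pass
auth      sufficient  pam_krb5.so use_first_pass
auth      required    pam_deny.so
account   required    pam_access.so
account   required    pam_unix.so
session   required    pam_unix.so
session   optional    pam_krb5.so
session   optional    pam_mkhomedir.so skel=/etc/skel umask=0077
EOF

    # Per-workstation access list; this is "workstation a" from the message.
    # Format: permission : users/groups/@netgroups : origins. First match wins,
    # and pam_access permits anyone who matches nothing, so end with deny-all.
    cat > "$STAGE/security/access.conf" <<'EOF'
+ : root : LOCAL
+ : b c d : ALL
+ : @ws-a-users : ALL
- : ALL : ALL
EOF

    # NFSv4 home mount with Kerberos: rpc.gssd presents the ticket of the UID
    # doing the access, so a su'd-to user without a ticket gets permission denied.
    cat > "$STAGE/fstab.nfs" <<'EOF'
filer.example.edu:/home  /home  nfs4  sec=krb5p,rw,hard  0 0
EOF
}

# Sanity check: the last non-comment rule in an access.conf must be the
# deny-all line, otherwise unmatched users are let in.
policy_ends_in_deny_all() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1 | tr -s ' ')
    [ "$last" = "- : ALL : ALL" ]
}

write_staged_configs
policy_ends_in_deny_all "$STAGE/security/access.conf" \
    && echo "staged under $STAGE; access.conf ends in deny-all"
```

Workstation b would get its own access.conf with `+ : alpha : ALL` (a group name, or `@` plus a netgroup served through NSS) in place of the user list, which keeps the lists editable from the AD side.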