Re: [lopsa-tech] AD integration with Unix

2009-01-14 Thread Adam Fisher
they had a tool that resolved UID/GID conflicts. Adam - Original Message - From: "Richard Chycoski" To: "Edward Ned Harvey" Cc: "LOPSA Technical Discussions" Sent: Friday, January 9, 2009 11:36:16 AM GMT -07:00 US/Canada Mountain Subject: Re: [lopsa-

Re: [lopsa-tech] AD integration with Unix

2009-01-09 Thread Richard Chycoski
> >> Again, we're an engineering shop and the users move lots of data >> around, so NFS sucks over the WAN, though it's honestly tolerable for >> home dirs. >> >> > > OOooohhh... I would caution against that idea. You might not know how much > your home dir gets used. Every new shell runs

Re: [lopsa-tech] AD integration with Unix

2009-01-08 Thread Edward Ned Harvey
> Again, we're an engineering shop and the users move lots of data > around, so NFS sucks over the WAN, though it's honestly tolerable for > home dirs. > OOooohhh... I would caution against that idea. You might not know how much your home dir gets used. Every new shell runs another .bashrc, ev

Re: [lopsa-tech] AD integration with Unix

2009-01-08 Thread Edward Ned Harvey
> > NIS Master in US. > > NIS Slaves scattered about the world. > > (No LDAP.) > > (No AD, although it might be a possibility) > > > > WAN goes down, nobody cares. (Well, all the systems stay up and > usable.) > > No separation of which-password-where. > > Create a user here, it appears everywh

Re: [lopsa-tech] AD integration with Unix

2009-01-08 Thread Robert Hajime Lanning
On Wed, 2009-01-07 at 16:59 -0500, Edward Ned Harvey wrote: > Call me crazy, but I do all of what you've described below as follows: > > NIS Master in US. > NIS Slaves scattered about the world. > (No LDAP.) > (No AD, although it might be a possibility) > > WAN goes down, nobody cares. (Well, a

Re: [lopsa-tech] AD integration with Unix

2009-01-07 Thread John Stoffel
:tech-boun...@lopsa.org] On Behalf >> Of John Stoffel >> Sent: Friday, January 02, 2009 1:24 PM >> To: Christophe Kalt >> Cc: LOPSA Technical Discussions >> Subject: Re: [lopsa-tech] AD integration with Unix >> >> >> This has been a great discuss

Re: [lopsa-tech] AD integration with Unix

2009-01-07 Thread Yves Dorfsman
Edward Ned Harvey wrote: > Call me crazy, but I do all of what you've described below as follows: > > NIS Master in US. > NIS Slaves scattered about the world. > (No LDAP.) > (No AD, although it might be a possibility) > > WAN goes down, nobody cares. (Well, all the systems stay up and usable.)

Re: [lopsa-tech] AD integration with Unix

2009-01-07 Thread Edward Ned Harvey
y. Up for about 18 months now. > -Original Message- > From: tech-boun...@lopsa.org [mailto:tech-boun...@lopsa.org] On Behalf > Of John Stoffel > Sent: Friday, January 02, 2009 1:24 PM > To: Christophe Kalt > Cc: LOPSA Technical Discussions > Subject: Re: [lopsa

Re: [lopsa-tech] AD integration with Unix

2009-01-06 Thread John Jasen
Ryan Dorman wrote: > The instructions here: > > http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/ > > Have been very helpful to me... obviously they are Linux specific but are a > good jumping-off point for Samba/Kerberos > > Watch how the pam files are set up on your distribut

Re: [lopsa-tech] AD integration with Unix

2009-01-06 Thread Ryan Dorman
] AD integration with Unix Leon> On Jan 2, 2009, at 10:24 AM, John Stoffel wrote: >> I just don't want to have to support LDAP on Solaris 8 if I can >> avoid it, though I guess it could be ok. Esp if we can easily >> tweak and restrict access in various ways. >>

Re: [lopsa-tech] AD integration with Unix

2009-01-03 Thread John Stoffel
Leon> On Jan 2, 2009, at 10:24 AM, John Stoffel wrote: >> I just don't want to have to support LDAP on Solaris 8 if I can >> avoid it, though I guess it could be ok. Esp if we can easily >> tweak and restrict access in various ways. >> >> Should I look at the Padl.com stuff again? I looked at

Re: [lopsa-tech] AD integration with Unix

2009-01-03 Thread Leon Towns-von Stauber
>> Which OS still limits NIS passwords to 8 characters and/or weak >> encryption? >> > Any system that uses the old standard 'crypt' password encoder. > Solaris > 8 was certainly this way (the man pages specifically indicate that > only > the first 8 characters of the password are significant

Re: [lopsa-tech] AD integration with Unix

2009-01-03 Thread Richard Chycoski
Christophe Kalt wrote: > On Wed, Dec 31, 2008 at 3:16 PM, Richard Chycoski > wrote: > >> This is actually more dangerous (security-wise) because with NIS you are >> exposing the encrypted passwords via NIS, which can then be used to crack >> the passwords. NIS passwords are also limited to ei

Re: [lopsa-tech] AD integration with Unix

2009-01-03 Thread Leon Towns-von Stauber
On Jan 2, 2009, at 10:24 AM, John Stoffel wrote: > I just don't want to have to support LDAP on Solaris 8 if I can avoid > it, though I guess it could be ok. Esp if we can easily tweak and > restrict access in various ways. > > Should I look at the Padl.com stuff again? I looked at it a while >

Re: [lopsa-tech] AD integration with Unix

2009-01-02 Thread John Reddy
I'm running Centrify in a pretty mixed environment. It's a bit pricey, but worth it. Weighing the cost of developing in-house AD/Kerb/Ldap integration plus the cost of software development for AIX, Solaris, Mac OS X, every flavor of linux, and a few others that I forgot. Centrify's pretty simple

Re: [lopsa-tech] AD integration with Unix

2009-01-02 Thread John Stoffel
This has been a great discussion about Unix/AD integration, esp the part where the unix and AD admins need to coordinate well. I've got a related, but different issue. We have distributed engineering sites, and each site has its own NIS domain, so that if/when the WAN links go down, they can co

Re: [lopsa-tech] AD integration with Unix

2009-01-01 Thread Christophe Kalt
On Wed, Dec 31, 2008 at 3:16 PM, Richard Chycoski wrote: > This is actually more dangerous (security-wise) because with NIS you are > exposing the encrypted passwords via NIS, which can then be used to crack the > passwords. NIS passwords are also limited to eight characters, and if you > sync

Re: [lopsa-tech] AD integration with Unix

2008-12-31 Thread Richard Chycoski
Edward Ned Harvey wrote: > Oh boy - you've touched on a fun topic. One that I've worked on a lot (and > I'm sure a lot of other people here have as well.) > > There are several options available - Each one has its strengths and > weaknesses. What I describe here is by no means a complete list.

Re: [lopsa-tech] AD integration with Unix

2008-12-31 Thread Edward Ned Harvey
> Here's a big difference, which may be common to many other *nix > admins...in > my $WORK there's a substantial AD infrastructure (about 3~4K user > accounts) > which is managed by a separate group. There is very limited interaction > with > the AD administrators, and little or no chance of gettin

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread Christoph Maser
On Tuesday, 30.12.2008, at 23:40 +0100, Brandon S. Allbery KF8NH wrote: > On 2008 Dec 30, at 5:48, Christoph Maser wrote: > > Why not? It works like a charm for me. It gives you SSO via kerberos. > > Also service principals work perfectly for me with an easy keytab > > frontend (net ads keytab).

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread John Jasen
Various notes on configuring RHEL5, Solaris 10 and OSX 10.5 clients for AD kerberos authentication and LDAP lookup. RHEL5: first attempt at an /etc/krb5.conf: [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults]

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread John Jasen
berg...@merctech.com wrote: Easy. Configure your UNIX systems as kerberos clients, and point your krb5.conf files at the AD PDC and BDC(s). Depending on your UNIX, you may have to muck around to get it to support kerberos for login credentials (solaris and mlinux require PAM modifications) --

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread Christophe Kalt
On Tue, Dec 30, 2008 at 6:32 PM, wrote: > My goal is limited: > >I want to allow Unix (Linux) users to login to the Linux (Unix) >servers with their AD password. SSO is not a goal--existing login >mechanisms (ssh, primarily) will continue, and credentials or domain >

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread bergman
In the message dated: Mon, 29 Dec 2008 11:57:08 MST, The pithy ruminations from Neil Neely on <[lopsa-tech] AD integration with Unix> were: => We're looking at integrating our *nix machines with our AD servers and => are trying to find the "Best" way to

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread Brandon S. Allbery KF8NH
On 2008 Dec 30, at 5:48, Christoph Maser wrote: > Why not? It works like a charm for me. It gives you SSO via kerberos. > Also service principals work perfectly for me with an easy keytab > frontend (net ads keytab). It is free, it is open source. It even > supports logon caching (for laptops like

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread Clif Smith
I've used MS' UNIX services and NIS and for the most part it worked as advertised. My one recommendation would be to front end it with a number of Linux NIS slave servers. As my environment grew the MS NIS service would frequently crash. After adding the Linux slaves, it was mostly stable. My o

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread Edward Ned Harvey
> I'd really like a solution that is relatively painless to install/ > configure so I can train puppet how to take care of this for me (Still > learning puppet). Failing that I'm looking for a recipe that I can > hand to a junior admin. In that case, your best solution is probably the MS built-i

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread Edward Ned Harvey
m: tech-boun...@lopsa.org [mailto:tech-boun...@lopsa.org] On Behalf > Of Neil Neely > Sent: Monday, December 29, 2008 1:57 PM > To: LOPSA Technical Discussions > Subject: [lopsa-tech] AD integration with Unix > > We're looking at integrating our *nix machines with our AD se

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread Neil Neely
On Dec 29, 2008, at 5:33 PM, John Jasen wrote: > Are you looking for any sort of single sign on, are you just looking > at > centralizing account information and passwords, or are you looking at > something else that requires kerberos? Really just centralizing account information. SSO would be

Re: [lopsa-tech] AD integration with Unix

2008-12-30 Thread Christoph Maser
On Tuesday, 30.12.2008, at 03:28 +0100, Leon Towns-von Stauber wrote: > On Dec 29, 2008, at 10:57 AM, Neil Neely wrote: > > > We're looking at integrating our *nix machines with our AD servers and > > are trying to find the "Best" way to do this. In this case I'm > > finding my google-fu isn't

Re: [lopsa-tech] AD integration with Unix

2008-12-29 Thread Leon Towns-von Stauber
On Dec 29, 2008, at 10:57 AM, Neil Neely wrote: > We're looking at integrating our *nix machines with our AD servers and > are trying to find the "Best" way to do this. In this case I'm > finding my google-fu isn't working in my favor... there is no shortage > of information. Every time I think

Re: [lopsa-tech] AD integration with Unix

2008-12-29 Thread david
On Mon, 29 Dec 2008, Richard Chycoski wrote: > For Open packages, look at Luke Howard's PADL products > . When I was last working on this (a couple of > years ago), PADL didn't have caching, but I believe that this has been > done since then. Luke is very dedicated to the work

Re: [lopsa-tech] AD integration with Unix

2008-12-29 Thread Richard Chycoski
Neil Neely wrote: > We're looking at integrating our *nix machines with our AD servers and > are trying to find the "Best" way to do this. In this case I'm > finding my google-fu isn't working in my favor... there is no shortage > of information. Every time I think I have a complete grasp o

Re: [lopsa-tech] AD integration with Unix

2008-12-29 Thread unix_fan
--- On Mon, 12/29/08, Neil Neely wrote: > We're looking at integrating our *nix machines with our > AD servers and are trying to find the "Best" way to do this. You might benefit from looking at how Neil Waybright described it working in this recent talk at UUASC-LA. http://www.waybright.org/ne

Re: [lopsa-tech] AD integration with Unix

2008-12-29 Thread John Jasen
Neil Neely wrote: > Relevant background details: > ~50 production servers that are centrally managed (unified UID and > passwords) using homegrown syncing - we would like to move these to AD You would need to install the Services for UNIX extensions on your Win2K server, where Win2k >= Windows

Re: [lopsa-tech] AD integration with Unix

2008-12-29 Thread Atom Powers
You should also take a look at: OpenLdap w/ Kerberos Since Active Directory is, at its heart, LDAP with Kerberos this /should/ be a fairly straightforward implementation. ( I haven't actually done this yet, but I've been looking into it for a while. I currently run an OpenLdap infrastructure. )

Re: [lopsa-tech] AD integration with Unix

2008-12-29 Thread apostolos pantazis
For Unified Login, security and auditing I would recommend you take a look at Centrify. In other arenas I am not very well versed yet but I will be watching this thread as I am interested as well. On Mon, Dec 29, 2008 at 10:57 AM, Neil Neely wrote: > We're looking at integrating our *nix machines

[lopsa-tech] AD integration with Unix

2008-12-29 Thread Neil Neely
We're looking at integrating our *nix machines with our AD servers and are trying to find the "Best" way to do this. In this case I'm finding my google-fu isn't working in my favor... there is no shortage of information. Every time I think I have a complete grasp of ways this can be done