Neil Neely wrote:

> Relevant background details:
> ~50 production servers that are centrally managed (unified UID and
> passwords) using homegrown syncing - we would like to move these to AD

You would need to install the Services for UNIX extensions on your Win2K server, where Win2k >= Windows 2003. Note: R2 and Win2K8 have them already. You'll also need to install the NIS server (and DON'T run it!) to get the tab under AD Users and Computers to manipulate UNIX attributes via a GUI.

> Already have AD infrastructure in place authenticating staff work
> stations (~50 workstations)
> The servers exist to support our customers (not staff in general)
> These servers do not require shared home directories for staff.
> Staff accessing these servers are all performing some task relating to
> "administration", though at different levels (tech support through sys
> admin).
> * primary concern is not securing these machines against its
> legitimate users (so NIS may be acceptable in this environment).
> This economy stinks and doing this without any capital expenses is
> very important.

Are you looking for any sort of single sign-on, are you just looking at centralizing account information and passwords, or are you looking at something else that requires Kerberos?

Single sign-on will be entertaining with UNIX systems, as AD doesn't understand service principal names in the expected way.

Centralizing user info in AD can be done with tools that come relatively native with Solaris (10), Red Hat (4 and 5), and Ubuntu (at least the last three versions).

What are you aiming for? I'll be happy to pass along my notes and/or my adventures in AD versus UNIX versus NFS.

> Combinations we are seriously considering (in no particular order):
>
> NIS w/Kerberos (via SFU)

Yuck ....

> Winbind

UIDs and GIDs may stop matching up.

> (sidenote: AD is being chosen because it is existing established
> infrastructure here that looks like it will do the job we need,
> nothing at all against openldap, this is just using the tool that
> we've got so we can focus on solving other challenges.)

I pushed for using AD because the alternative here was Sun's Iplanet^WOne^WJava^WNewName2009 Directory Server, and getting it to use Kerberos as a password repository seemed sub-optimal.

--
-- John E. Jasen ([email protected])
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
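A pre-migration check for the UID/GID mismatch concern raised above, added here as an example (not code from John's reply or the LOPSA thread): it compares a server's /etc/passwd against the POSIX attributes stored in AD so that a cut-over cannot silently change file ownership. It assumes an LDIF export from ldapsearch and the RFC 2307 attribute names uidNumber/gidNumber; the sample directory and passwd data are constructed.

```python
# Constructed ldapsearch LDIF dump; uidNumber/gidNumber are assumed to be the
# RFC 2307 attributes that the UNIX Attributes tab in AD Users and Computers sets.
SAMPLE_LDIF = """\
sAMAccountName: alice
uidNumber: 1001
gidNumber: 100

sAMAccountName: bob
uidNumber: 1005
gidNumber: 100

sAMAccountName: carol
"""
# Constructed /etc/passwd excerpt from one of the servers being migrated.
SAMPLE_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:x:1004:100:Carol:/home/carol:/bin/bash
dave:x:1003:100:Dave:/home/dave:/bin/bash
"""

def parse_ldif(text):
    """Return {sAMAccountName: {attribute: value}} per blank-line-separated entry."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if ": " in l and not l.startswith("#")]
        attrs = dict(l.split(": ", 1) for l in lines)
        if "sAMAccountName" in attrs:  # skips ldapsearch's trailing result block
            entries[attrs["sAMAccountName"]] = attrs
    return entries

def parse_passwd(text):
    # {login: (uid, gid)} from passwd(5) lines
    return {f[0]: (int(f[2]), int(f[3]))
            for f in (l.split(":") for l in text.splitlines() if l)}

def compare(ad_entries, local_users, min_uid=1000):
    """Classify each local non-system account against AD's POSIX attributes."""
    report = {"ok": [], "mismatch": [], "no_unix_attrs": [], "not_in_ad": []}
    for login, local in sorted(local_users.items()):
        if local[0] < min_uid:  # system accounts stay local
            continue
        entry = ad_entries.get(login)
        if entry is None:
            kind = "not_in_ad"
        elif not {"uidNumber", "gidNumber"}.issubset(entry):
            kind = "no_unix_attrs"  # account exists in AD, POSIX attributes not set
        elif (int(entry["uidNumber"]), int(entry["gidNumber"])) != local:
            kind = "mismatch"  # ownership of this user's files would change
        else:
            kind = "ok"
        report[kind].append(login)
    return report
```

Run it against a real export with `ldapsearch -LLL ... sAMAccountName uidNumber gidNumber` on each server before switching the name service; anything outside "ok" needs fixing in AD or on disk first.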
