Edward Ned Harvey wrote:
> Without any modification at all, you can use Kerberos or LDAP (preferably
> Kerberos) for authentication.  With minimal modification (enabling UNIX
> services) you could support a very basic NIS or LDAP setup for posix stuff
> ... but you can't get full NIS capabilities out of Windows without extensive
> modifications.  You can't have a groupname that matches a username.  You
> can't have a bunch of the other "advanced" features too.
>
> At $WORK, I use kerberos for authentication, and NIS for everything else.
> Passwords are all unified and single-sign on, controlled by AD.  POSIX stuff
> all comes from a system that's natively designed for that purpose (NIS).
> (You could also substitute LDAP instead of NIS.)
>
> When we eval'd LDAP as an alternative to NIS, it was tougher to configure
> right, and less effective at failover, so we opted for NIS.  Security is not
> a concern as it's all on a LAN and doesn't contain any password information.
>
AD has excellent failover characteristics - much better than NIS's slave 
server concept. You can have replicas all over the world, all containing 
the same data, and AD will manage replication and failover quite 
transparently. And cached tables mean that even if the AD servers go 
away for a while, you usually get no interruptions (except that you can 
only log in to IDs that have been logged into on that server 
recently). It even works for laptops and other disconnected devices, 
just like with a Windows device. If you have logged in to the domain 
while connected, you can pull the machine off the net, take it 
elsewhere, and you can still log into it. NIS - if you lose contact for 
more than three seconds at a critical time, the transaction will fail 
and your calling process will usually abort.

You can choose to use Kerberos and LDAP as separate services via AD, but 
using the combination to make your machines part of the AD domain 
(sometimes called 'Kerberised LDAP') brings (IMNSHO) the most reliable 
and seamless result for the users.

You can have groups with the same name as your users, you just have to 
put them in different OUs or containers. What you can't have is a 
machine (hostname) that is the same as a username. Machine accounts are 
a variation on a user account, and user account names must be unique 
across the domain. This also means that you can't have two 
different users with the same username in different OUs or containers 
within a given domain.

- Richard
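Added example (not part of this thread): a minimal sssd.conf for a Linux client joined to the AD domain with Kerberos for authentication and GSSAPI-bound LDAP for POSIX data, the "Kerberised LDAP" arrangement Richard describes. The domain name example.com, the realm EXAMPLE.COM and the RFC2307 attributes in AD are assumptions; sssd itself is a later tool than the nss_ldap/pam_krb5 stack the thread predates.

```ini
# /etc/sssd/sssd.conf  (mode 0600, owned by root)
# Assumed site values: domain example.com, realm EXAMPLE.COM.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# AD provider: Kerberos for auth, LDAP (SASL/GSSAPI, machine keytab) for
# identity lookups. No LDAP bind password is stored on the client.
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
ldap_sasl_mech = GSSAPI

# Read uidNumber/gidNumber/loginShell/unixHomeDirectory from AD
# (the "UNIX services" / RFC2307 attributes) instead of NIS-style maps.
ldap_id_mapping = false
fallback_homedir = /home/%u
default_shell = /bin/bash

# Offline behaviour Richard describes: identity and group tables are
# cached, and a user who has logged in while the DCs were reachable can
# still log in after the box is off the net. Note the trade-off: the
# cached credential hash lives on local disk, so it is only as safe as
# the disk (use full-disk encryption on laptops).
cache_credentials = true
entry_cache_timeout = 5400
krb5_store_password_if_offline = true

# Use short names (user, not user@example.com) on this single-domain client.
use_fully_qualified_names = false
```

Pair this with `passwd: files sss` / `group: files sss` in nsswitch.conf and pam_sss in the PAM stack; verify with `id <aduser>` while connected, then again with the network down to confirm the cache answers.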
_______________________________________________
Tech mailing list
Tech@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/