On Mon, 2005-07-18 at 01:08 -0500, Les Mikesell wrote:
> This sounds promising. Is there some way to transition gracefully? The AD is being added as a new domain with users moving over piecemeal. At the moment it doesn't have most of the users I would need but it should soon.
You can always set up NIS users in SFU that don't exist on the ADS side yet, then later link them to ADS users as they are created.
> I think long ago I avoided NIS because it had a reputation for security issues.
So does Windows. Microsoft has this marketing paper that compares "ideal" ADS (which is _never_ implemented for compatibility) to "1980s" NIS. It's not even remotely accurate (including the facts on password hashes).
If you enable null sessions and NTLM (which is basically what you need _prior_ to 100% Windows Server 2003 with 100% Windows XP Pro clients), then it is _worse_ than most NIS as implemented today. Plus you can avoid many security issues by deploying Kerberos as your authentication.
I've actually been doing a presentation at my local UNIX User's Group on all the "false security" Microsoft has in its solutions. I'm currently covering the SAM tie-in with NTFS, and why Windows domains really exist (so NTFS doesn't self-destruct without a SAM, long story ;-).
> And I played with an earlier version of SFU and wasn't impressed. The current version may be OK.
SFU is less-than-ideal. A much better solution is to have a real UNIX/Linux network architecture. But SFU 3.x does the job, especially when your enterprise IT doesn't know anything but ADS, and forces everyone to comply.
> OK, if it can make CVS logins automatically track the Windows passwords,
Yepper! ;->
Anything that needs a UNIX login will work. And you can limit per-system access with Netgroups.
> that gives me a reason to use it. The group of people needing CVS access is still growing - and soon those people will already have AD accounts.
I think everyone here was only trying to help you avoid extra work. The small, initial work will go a long way as you have to add users.
Remember, NIS was merely designed over 2 decades ago to distribute local UNIX files to all systems in its domain. In reality, old NT 4.0 domains aren't much different (distribute the SAM and a few other things to all systems in its domain).