Right, but you got me interested in whether an actual open source solution to native Windows MS-Kerberos account management exists when you say that Samba 3.0 could be an ADS DC.
To a point. You do _not_ have to have any MS ADS DC on your network to do a lot, trust me. The problem is that most people assume the only way. It's quite the opposite -- it's putting MS in charge, and that's something you want to avoid or segment.
I just want Kerberos. I am not interested in the LDAP part of ADS.
and native MS account management on Unix?
By "native" -- what do you mean?
centralized Kerberos account management that Windows 2000/XP clients will accept in domain mode.
You mean 100% MS schema in their LDAP?
Forget LDAP.
Again, that's going to be a while.
Yes, I know the openldap guys have not shown much interest in adding MS-LDAP rpc stuff.
Now the Samba team has their own, both CLI (net) and additional projects are out there. But that's still looking at it "narrow-mindedly."
eh?
Consider, for a moment, an entire Windows enterprise that relies on an open-backend, like NsDS, Sun One, etc...? Heck, even Novell eDirectory. Novell has a lot of management tools for Windows, some work pretty damn good too (like Xen).
That requires a different GINA right?
But even that aside, you can do quite a bit with NsDS (or OpenLDAP), Samba 3.0's added schema and RPC functions, and SASL/Kerberos for the password store. But if you expect it to support all the nuances and all the little schema that are in all sorts of MS services (like MS SQL, Exchange, etc...), that's going to be a _long_ _time_.
But don't think you have to have a native MS ADS DC to manage Windows clients -- not at all!
Right, so what open source option(s) do we have to single-logon Kerberos? (please assume apps are also kerberosized)