On 11/25/11 4:50 PM, Alan McKay wrote:
Hmmm, I probably know what the answer will be, but I could always ask the hospital to let me connect it to the domain. Though that could present security risks that I don't want to deal with.
yes, that is the answer, and actually, no, there are no security risks. your server will just be using the domain to authenticate windows users, and they'll see it as 'single sign-on', same as any other "windows" server. other authentication, like local unix administration and NFS users, will proceed the same as before.
to 'join the domain', the windows domain admins will just need to create a computer account for your server, and then it 'joins' the domain; this involves an automated private key exchange sequence... it can be done several different ways, at the whims of your windows domain admins. in one method, a domain admin needs to enter his domain credentials (domainname\username, password) once into your server, and it joins (the admin credentials are only used once and not saved). in the other method, they pre-create the computer account on the domain, and you then join your host and it exchanges those keys previously mentioned.
this establishes a limited 'trust' relation, where basically your server trusts the domain server(s) to do windows user authentication, and the domain servers allow your windows server to do this. nothing else. it's actually all quite well thought out, based on Kerberos and LDAP.
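As an added example (not part of this thread or of anyone's message in it), here is what the join-and-verify sequence the reply describes looks like on a Unix host using Samba's winbind tooling: a minimal member-server smb.conf, a join that consumes the domain admin's credentials once, and the checks an admin runs afterwards to confirm the machine-account trust works. The realm HOSPITAL.EXAMPLE, the NetBIOS domain HOSPITAL and the admin account joinadmin are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Joining a Unix host to an
# AD domain with Samba/winbind and verifying the resulting machine trust.
# Assumed placeholders: realm HOSPITAL.EXAMPLE, NetBIOS domain HOSPITAL,
# domain admin account "joinadmin".

# Sanity-check a Kerberos realm name before writing it into the config:
# uppercase letters, digits, dots and dashes only, and not empty.
realm_ok() {
    case "$1" in
        ""|*[!A-Z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the minimal smb.conf for an AD member server on stdout.
make_member_smb_conf() {
    realm="$1"       # Kerberos realm, e.g. HOSPITAL.EXAMPLE
    workgroup="$2"   # short NetBIOS domain name, e.g. HOSPITAL
    cat <<EOF
[global]
    security = ads
    realm = ${realm}
    workgroup = ${workgroup}
    # winbind keeps the machine-account secret and the host keytab current
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind refresh tickets = yes
    # Deterministic SID -> uid/gid mapping for domain users. Local Unix
    # accounts and NFS users never pass through winbind, so they are unaffected.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ${workgroup} : backend = rid
    idmap config ${workgroup} : range = 10000-999999
EOF
}

# Join using a domain admin's credentials once. net prompts for the password;
# only the machine-account secret is stored locally, never the admin password.
join_domain() {
    admin="$1"   # e.g. joinadmin
    net ads join -U "$admin"
}

# Post-join checks: is the computer account valid, does the trust secret still
# authenticate to a DC, and can winbind resolve domain users at all?
verify_join() {
    net ads testjoin || return 1
    wbinfo -t || return 1
    wbinfo -u >/dev/null || return 1
}

# Typical use (run as root, with smb.conf written first):
#   make_member_smb_conf HOSPITAL.EXAMPLE HOSPITAL > /etc/samba/smb.conf
#   join_domain joinadmin && verify_join
```

The verify step is the part worth keeping in a runbook: `net ads testjoin` and `wbinfo -t` fail as soon as the machine-account password gets out of sync with the domain (for example after the account is reset or deleted on the Windows side), which is the usual cause of "domain logins stopped working" on a member server.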