Ugo Bellavance ugob@camo-route.com wrote:
I know, but I don't want to manage users on 2 servers... What helps with that? Winbind?
PREAMBLE: The fact that you have chosen Exchange 2000 means you are _stuck_ with Active Directory Services (ADS). Unless you want to chuck Exchange, you are _stuck_ with keeping your ADS.
- Winbind
Winbind is a naming service for UNIX/Linux clients to Windows servers. You only need it if you are going to maintain your objects in a Windows server store (be it legacy SAM domains or newer ADS), and then have your UNIX/Linux clients authenticate, etc... from it. In your case, with Exchange 2000, this is most likely what you're stuck with.
- Simultaneous ADS and NsDS
This is probably what you need to do, since
- ADS-NsDS Synchronization
Another option is to set up Netscape Directory Server (NsDS) and synchronize its LDAP (and optional GSSAPI-Kerberos) to ADS' LDAP stores, including user, group and other objects. Once they are UID/GIDs in the UNIX-space, you can serve them up via NFS, SMB, etc... services. This is what a lot of enterprises do.
[ NOTE: I have _never_ done this with Fedora Directory Server, but it appears to have all that you need to do it. ]
NOW, if you didn't have Exchange ...
You wouldn't need to maintain your objects on the UNIX/Linux side, then you don't need it.
If you do the latter, you need to decide how you will serve the Windows clients. There are countless ways to do this, both Samba-centric and others that only use Samba for the SMB and SMB-related RPC services (largely file).
- Migrating from ADS, Samba as a BDC
A Windows 2000 domain is ADS, and Samba doesn't support replication with ADS. Samba only supports replication to legacy CIFS (SAM) domains. Now you _could_ configure your Windows 2000 domain to be a PDC, and set up Samba as a BDC to it. Then after Samba has all the SAM objects, shut off the Windows 2000 domain and make Samba the PDC.
Understand that the difference between a legacy CIFS (SAM) PDC and an ADS (SAM in LDAP) DC is not much at all. It's all the services built around ADS (MS SQL, MS Exchange, etc...) that are the problem. This _includes_ making Windows 2000 _Servers_ as "member servers" in the Samba-run domain.
- Migrating from ADS, NsDS as a peer LDAP
As before, set up Netscape Directory Server (NsDS) and synchronize its LDAP (and optional GSSAPI-Kerberos) to ADS' LDAP stores. Once you have all the objects over, then turn off your Windows 2000 domain.
You can then either decide to use Samba to service the Windows clients natively, using Samba SMB/RPC (tying into NsDS), or replace Windows' GINA with Pluggable GINA (pGINA) which uses NsDS (or Kerberos) directly for authentication. You then tie the NsDS groups to Samba groups, etc... There's a lot of flexibility and options, and almost too much if you're used to "this is how you must do it" coming from Microsoft.
NOTE: These are just a SAMPLE of all your options.
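For the Winbind case described in the message above (UNIX/Linux clients resolving users and groups out of ADS), here is a minimal Samba member-server configuration as an added example; it is not part of the original message, uses current Samba 4 idmap syntax, and EXAMPLE / EXAMPLE.COM are assumed placeholder names for the domain and Kerberos realm.

```ini
# /etc/samba/smb.conf  (added example; EXAMPLE and EXAMPLE.COM are placeholders)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # Join ADS as a member server and authenticate via Kerberos, not legacy SAM
    security = ads
    kerberos method = secrets and keytab

    # Let Winbind answer NSS (getent passwd/group) lookups for AD objects
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    # Map AD SIDs into a dedicated UID/GID range; keep it well clear of
    # local accounts in /etc/passwd so a domain user can never alias root
    # or another local UID on this host
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999

    # Defaults for AD users that carry no POSIX attributes
    template shell = /bin/bash
    template homedir = /home/%D/%U

# /etc/nsswitch.conf (relevant lines, shown here as comments):
#   passwd: files winbind
#   group:  files winbind
```

After `net ads join -U Administrator` and starting winbindd, `wbinfo -u` and `getent passwd` should list the AD accounts with UIDs inside the configured range. If `getent passwd` shows an AD user mapped below 10000, the idmap range or nsswitch order is wrong and should be fixed before any NFS or SMB export relies on those IDs.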