[CentOS] Re: Fix passwd/shadow/group files? -- network architecture is always piecemeal

Feizhou feizhou at graffiti.net
Mon Jul 18 07:57:14 UTC 2005


>>Right, but you got me interested in whether an actual open source 
>>solution to native Windows MS-Kerberos account management exists when 
>>you say that Samba 3.0 could be an ADS DC.
> 
> 
> To a point.  You do _not_ have to have any MS ADS DC on your network to
> do a lot, trust me.  The problem is that most people assume the only
> way.  It's quite the opposite -- it's putting MS in charge, and that's
> something you want to avoid or segment.

I just want Kerberos. I am not interested in the LDAP part of ADS.
> 
> 
>>and native MS account management on Unix?
> 
> 
> By "native" -- what do you mean?

Centralized Kerberos account management that Windows 2000/XP clients 
will accept in domain mode.
> You mean 100% MS schema in their LDAP?

Forget LDAP.
> Again, that's going to be a while.

Yes, I know the OpenLDAP guys have not shown much interest in adding 
MS-LDAP RPC stuff.
> 
> Now the Samba team has their own, both CLI (net) and additional projects
> are out there.  But that's still looking at it "narrow-mindedly."

eh?
> 
> Consider, for a moment, an entire Windows enterprise that relies on an
> open-backend, like NsDS, Sun One, etc...?  Heck, even Novell eDirectory.
> Novell has a lot of management tools for Windows, some work pretty damn
> good too (like Xen).

That requires a different GINA right?
> 
> But even that aside, you can do quite a bit with NsDS (or OpenLDAP),
> Samba 3.0's added schema and RPC functions, and SASL/Kerberos for the
> password store.  But if you expect it to support all the nuances and
> all the little schema that are in all sorts of MS services (like MS SQL,
> Exchange, etc...), that's going to be a _long_time_.
> 
> But don't think you have to have a native MS ADS DC to manage Windows
> clients -- not at all!
> 

Right, so what open source option(s) do we have for single-logon 
Kerberos? (Please assume apps are also kerberized.)


