[CentOS] Re: Fix passwd/shadow/group files? -- network architecture is always piecemeal

Mon Jul 18 03:19:45 UTC 2005
Bryan J. Smith <b.j.smith at ieee.org>

On Mon, 2005-07-18 at 08:54 +0800, Feizhou wrote:
> Well, MS made extensions to its LDAP implementation by giving it new RPC 
> calls for its special MS Kerberos data did it not?

In a nutshell, yes you are correct in that Samba handles the "winlogon"
process and other RPC services.  I'm just saying there's a lot that
Samba does not have to handle.

I think you keep mixing the fact that there _are_ other ways to manage
Windows clients _other_ than with 100% emulated Windows RPC.  If you
want 100% full MS ADC DC emulation, it's going to be quite a while.

> Right, but you got me interested in whether an actual open source 
> solution to native Windows MS-Kerberos account management exists when 
> you say that Samba 3.0 could be an ADS DC.

To a point.  You do _not_ have to have any MS ADS DC on your network to
do a lot, trust me.  The problem is that most people assume it's the only
way.  It's quite the opposite -- it's putting MS in charge, and that's
something you want to avoid or segment.

> and native MS account management on Unix?

By "native" -- what do you mean?
You mean 100% MS schema in their LDAP?
Again, that's going to be a while.

Now the Samba team has their own, both CLI (net) and additional projects
are out there.  But that's still looking at it "narrow-mindedly."

Consider, for a moment, an entire Windows enterprise that relies on an
open-backend, like NsDS, Sun One, etc...?  Heck, even Novell eDirectory.
Novell has a lot of management tools for Windows, some work pretty damn
good too (like Xen).

But even that aside, you can do quite a bit with NsDS (or OpenLDAP),
Samba 3.0's added schema and RPC functions, and SASL/Kerberos for the
password store.  But if you expect it to support all the nuances and
all the little schema that are in all sorts of MS services (like MS SQL,
Exchange, etc...), that's going to be a _long_ time.

But don't think you have to have a native MS ADS DC to manage Windows
clients -- not at all!

-- 
Bryan J. Smith                                     b.j.smith at ieee.org 
--------------------------------------------------------------------- 
It is mathematically impossible for someone who makes more than you
to be anything but richer than you.  Any tax rate that penalizes them
will also penalize you similarly (to those below you, and then below
them).  Linear algebra, let alone differential calculus or even
elementary concepts of limits, is mutually exclusive with US journalism.
So forget even attempting to explain how tax cuts work.  ;->
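As an added illustration of the "open backend plus Samba 3.0 schema" setup the message above describes (this is not part of Bryan's post or of the CentOS list, and the workgroup, host name and DNs are placeholders), here is the shape of an smb.conf that makes a Samba 3.0 domain controller keep its accounts in OpenLDAP rather than in a Windows DC. It assumes slapd already includes samba.schema and that the LDAP admin DN password has been handed to Samba with `smbpasswd -w`.

```ini
# /etc/samba/smb.conf -- constructed example, values are placeholders
[global]
   workgroup = EXAMPLE
   netbios name = PDC1
   security = user

   # Act as the NT4-style domain controller for EXAMPLE
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes

   # Account store lives in the directory, not in /etc/passwd or smbpasswd
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers

   # Refuse cleartext LDAP; the admin DN's bind password goes over the wire
   ldap ssl = start tls

   # Keep the POSIX userPassword in step when a user changes the NT hash
   ldap passwd sync = yes

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
```

The same directory entries answer the local passwd/shadow/group lookups once /etc/nsswitch.conf lists `ldap` after `files` for the passwd and group databases, which is what keeps the flat files from having to be "fixed" by hand. The `ldap ssl = start tls` line is the one setting worth checking on every host: without it the admin DN bind travels in the clear, and that DN can write every account in the tree.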