[CentOS] Re: Fix passwd/shadow/group files?

Fri Jul 15 21:39:17 UTC 2005
Sean O'Connell <oconnell at soe.ucsd.edu>

On Fri, 2005-07-15 at 16:27 -0500, Les Mikesell wrote:

> The replacement is going to be an AD, but run by a group at another
> location that doesn't like unix.
> 
> > Furthermore, you can even set up true UNIX/Linux NIS "slave" servers
> > to SFU, just like you can set up UNIX/Linux BIND "secondary" DNS
> > servers to MS ADS-integrated DNS.  That way if your MS ADS DC
> > tanks, you're not down, because you still have UNIX/Linux DNS/NIS.
> 
> We will probably have an AD server at this location with AD replication.
> Can it do SFU if the master doesn't?

Les-

You can always use the AD PDCs as source in krb5.conf in conjunction
with pam_krb5, and then use a little bit of middleware to fish your
users' directory info out of AD via LDAP queries and either build NIS
DBs or, with pam_ldap/nss_ldap, set up your own LDAP server for your Unix
machines' consumption. You can even add the samba.schema to your servers
and add in the Idmap support using the user's objectSID from AD (you
have to convert this from binary to character string for Samba).
Python-Ldap works pretty nicely to talk to AD. You just have to bind as a
user (or machine account :) as AD usually doesn't permit anonymous binds.
We have been looking at using our campus AD to handle all/most of our
user info, but the AD folks here are pretty responsive to our queries
and are willing to delegate full control of sub-OUs to us.

-- 
Sean
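The objectSID conversion Sean mentions is the step most people trip over, so here is an added worked example (not code from the list thread or from Samba/python-ldap) of decoding the binary objectSid attribute that an LDAP search returns from AD into the S-1-5-21-... form Samba's idmap expects, encoding it back for use in an LDAP filter, and splitting off the RID. It assumes the attribute value arrives as raw bytes (which is how python-ldap hands back attribute values); the sample SID, the domain it belongs to, and the uid range used by `rid_to_uid` are all constructed for illustration.

```python
import re
import struct

# Constructed sample (hypothetical domain): the binary objectSid value for
# S-1-5-21-1000-2000-3000-1105, laid out exactly as AD returns it over LDAP.
SAMPLE_OBJECTSID = bytes.fromhex(
    "01"            # revision (always 1)
    "05"            # number of 32-bit sub-authorities that follow
    "000000000005"  # identifier authority 5 (NT Authority), 48-bit big-endian
    "15000000"      # sub-authority 21 (the well-known domain-SID prefix), little-endian
    "e8030000"      # sub-authority 1000  (start of the 96-bit domain identifier)
    "d0070000"      # sub-authority 2000
    "b80b0000"      # sub-authority 3000  (end of the domain identifier)
    "51040000"      # sub-authority 1105 = the RID of this particular user/group
)

MAX_SUB_AUTHORITIES = 15  # hard limit in the SID structure definition


def sid_to_string(blob: bytes) -> str:
    """Decode a binary objectSid into the familiar S-1-5-21-... string."""
    if len(blob) < 8:
        raise ValueError("objectSid shorter than the 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError("sub-authority count %d exceeds %d" % (count, MAX_SUB_AUTHORITIES))
    if len(blob) != 8 + 4 * count:
        raise ValueError("objectSid length %d does not fit %d sub-authorities" % (len(blob), count))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")


def string_to_sid(sid: str) -> bytes:
    """Encode a textual SID back to the binary layout AD stores."""
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID string: %r" % sid)
    parts = [int(p) for p in sid.split("-")[2:]]
    authority, subs = parts[0], parts[1:]
    if len(subs) > MAX_SUB_AUTHORITIES or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID component out of range: %r" % sid)
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def sid_filter(sid: str) -> str:
    """Build an RFC 4515 search filter matching this objectSid, every byte hex-escaped."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in string_to_sid(sid))


def split_domain_and_rid(sid: str):
    """Return (domain SID, RID); idmap entries are keyed by the domain part."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_to_uid(rid: int, base: int = 10000, ceiling: int = 60000) -> int:
    """Algorithmic RID->uid mapping; base/ceiling are a hypothetical idmap range."""
    uid = base + rid
    if not base <= uid < ceiling:
        raise ValueError("RID %d maps outside the uid range [%d, %d)" % (rid, base, ceiling))
    return uid


if __name__ == "__main__":
    sid = sid_to_string(SAMPLE_OBJECTSID)
    domain, rid = split_domain_and_rid(sid)
    print(sid, domain, rid, rid_to_uid(rid))
    print(sid_filter(sid))
```

The length and revision checks matter because the attribute comes straight off the wire: a truncated or malformed value should fail loudly rather than quietly produce a wrong SID that ends up in an idmap table. The hex-escaped filter is how you would look an object up by SID when you already hold the string form, for instance to re-resolve a Samba sambaSID back to its AD entry.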