[CentOS] Re: Fix passwd/shadow/group files?

Mon Jul 18 12:21:20 UTC 2005
Bryan J. Smith <b.j.smith at ieee.org>

On Mon, 2005-07-18 at 01:08 -0500, Les Mikesell wrote:
> This sounds promising.  Is there some way to transition gracefully?
> The AD is being added as a new domain with users moving over
> piecemeal.  At the moment it doesn't have most of the users I
> would need but it should soon.

You can always set up NIS users in SFU that don't exist on the ADS side
yet, then later link them to ADS users as they are created.

> I think long ago I avoided NIS because it had a reputation for
> security issues.

So does Windows.  Microsoft has this marketing paper that compares
"ideal" ADS (which is _never_ implemented for compatibility) to "1980s"
NIS.  It's not even remotely accurate (including the facts on password
hashes).

If you enable null sessions and NTLM (which is basically what you need
_prior_ to 100% Windows Server 2003 with 100% Windows XP Pro clients),
then it is _worse_ than most NIS as implemented today.  Plus you can
avoid many security issues by deploying Kerberos as your authentication.

I've actually been doing a presentation at my local UNIX User's Group on
all the "false security" Microsoft has in its solutions.  I'm currently
covering the SAM tie-in with NTFS, and why Windows domains really exist
(so NTFS doesn't self-destruct without a SAM, long story ;-).

> And I played with an earlier version of SFU and wasn't impressed. The
> current version may be OK.

SFU is less-than-ideal.  A much better solution is to have a real
UNIX/Linux network architecture.  But SFU 3.x does the job, especially
when your enterprise IT doesn't know anything but ADS, and forces
everyone to comply.

> OK, if it can make CVS logins automatically track the Windows passwords,

Yepper!  ;->

Anything that needs a UNIX login will work.
And you can limit per-system access with Netgroups.

> that gives me a reason to use it.  The group of people needing CVS
> access is still growing - and soon those people will already have
> AD accounts.

I think everyone here was only trying to help you avoid extra work.  The
small, initial work will go a long way as you have to add users.

Remember, NIS was merely designed over 2 decades ago to distribute local
UNIX files to all systems in its domain.  In reality, old NT 4.0 domains
aren't much different (distribute the SAM and a few other things to all
systems in its domain).


-- 
Bryan J. Smith                                     b.j.smith at ieee.org 
--------------------------------------------------------------------- 
It is mathematically impossible for someone who makes more than you
to be anything but richer than you.  Any tax rate that penalizes them
will also penalize you similarly (to those below you, and then below
them).  Linear algebra, let alone differential calculus or even ele-
mentary concepts of limits, is mutually exclusive with US journalism.
So forget even attempting to explain how tax cuts work.  ;->
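The per-system access limit via netgroups mentioned in the reply above, as an added example that is not part of the original post: it parses a netgroup map, expands nested groups, and applies the `+@`/`-@` compat entries a host's /etc/passwd would carry. The netgroup map, host names and user names are all constructed for illustration.

```python
"""Added example (not from the post): NIS netgroups gating which users may log
in on which host, as '+@'/'-@' entries in a compat /etc/passwd do. Constructed."""
import re
# Constructed sample in netgroup(5) format: 'name member ...'; a member is
# a nested netgroup or a (host,user,domain) triple; an empty field matches all.
SAMPLE_NETGROUP = """
cvs-users    (,alice,) (,bob,)
cvs-admins   (,carol,)
cvs-all      cvs-users cvs-admins
build-users  (,dave,) cvs-admins
"""
# Constructed per-host compat entries as they would appear in /etc/passwd.
HOST_POLICY = {"cvs1": ["+@cvs-all"], "build1": ["-@cvs-users", "+@build-users"]}
MEMBER = re.compile(r"\(([^,)]*),([^,)]*),([^)]*)\)|(\S+)")

def parse_netgroups(text):
    """Return {name: [member]}; a member is a str (nested) or a 3-tuple."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        groups[parts[0]] = [m.group(4) or tuple(s.strip() for s in m.groups()[:3])
                            for m in MEMBER.finditer(parts[1] if len(parts) > 1 else "")]
    return groups

def expand(groups, name, seen=None):
    """Flatten a netgroup to its triples, following nesting and tolerating cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return []
    seen.add(name)
    out = []
    for m in groups[name]:
        out += [m] if isinstance(m, tuple) else expand(groups, m, seen)
    return out

def innetgr(groups, name, host=None, user=None, domain=None):
    """Like innetgr(3): None means 'don't care'; '' in the map matches anything."""
    return any(all(want is None or have in ("", want)
                   for have, want in zip(t, (host, user, domain)))
               for t in expand(groups, name))

def login_allowed(groups, policy, host, user):
    """First host entry whose netgroup holds the user decides; no match = no login."""
    for entry in policy.get(host, []):
        if innetgr(groups, entry[2:], user=user):
            return entry.startswith("+@")
    return False
```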