On Fri, Mar 18, 2011 at 10:42 AM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
> On Fri, 18 Mar 2011, Nico Kadel-Garcia wrote:
>
>> It can otherwise be done manually, but the data entry time wasted for
>> your engineers well justifies the price of a Centrify license or two.
>
> What do you mean by manually? Can't this all be done with ypcat, ldapmodify
> and a shell script? After which, you are entirely liberated from NIS.
>
> jh

In theory, yes. In practice........ I've done that. Getting the buy-in
from the Active Directory owners to manually run ldapmodify against
their hosts can be politically painful. The nice GUI from Centrify,
that has the NIS import facility, does a pretty good job, and can be
very helpful to remind you that mixed case groups and usernames are
problematic, that some systems don't deal well with non-alphanumeric
characters such as '_' or '-', that the default maximum group or
username is 8 characters, that there's a maximum number of characters
in an NIS or POSIX compatible line such as a group membership list and
they need to be split up to multiple entries with the same gid, etc.,
etc., etc.

It gets very expensive in engineering time, very fast, especially if
people have been "clever" and already created correspondence between
AD groups and NIS groups or users of various sorts, but weren't
consistent about their naming schemes.
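
The checks listed in the message above, sketched as a pre-migration audit over `ypcat group` output. This is an added example, not part of the original thread and not Centrify's code. The 1024-character line limit, the numeric-suffix naming of continuation entries, and the function names are assumptions; the 8-character name limit is the one the message cites.

```python
import re

MAX_NAME = 8     # default maximum name length cited in the message
MAX_LINE = 1024  # assumed per-entry limit; set to what your NIS/libc accepts

def lint_name(name):
    """Return the portability problems the message lists for one name."""
    problems = []
    if name != name.lower():
        problems.append("mixed-case")
    if re.search(r"[^A-Za-z0-9]", name):
        problems.append("non-alphanumeric")
    if len(name) > MAX_NAME:
        problems.append("too-long")
    return problems

def split_group(line, max_line=MAX_LINE):
    """Split one group line into several entries that share the same gid."""
    name, passwd, gid, members = line.rstrip("\n").split(":", 3)
    out, current = [], []

    def prefix():
        # Assumption: continuation entries get a numeric suffix (eng, eng2, ...)
        suffix = "" if not out else str(len(out) + 1)
        return f"{name}{suffix}:{passwd}:{gid}:"

    for member in filter(None, members.split(",")):
        if current and len(prefix() + ",".join(current + [member])) > max_line:
            out.append(prefix() + ",".join(current))
            current = [member]
        else:
            current.append(member)
    out.append(prefix() + ",".join(current))
    return out

def audit(group_lines, max_line=MAX_LINE):
    """Map each group name to (name problems, member-name problems, entries)."""
    report = {}
    for line in group_lines:
        name, _, _, members = line.rstrip("\n").split(":", 3)
        bad_members = {m: lint_name(m) for m in members.split(",") if m and lint_name(m)}
        report[name] = (lint_name(name), bad_members, split_group(line, max_line))
    return report

if __name__ == "__main__":
    # Constructed sample in `ypcat group` format, not real data.
    sample = ["eng:*:500:alice,bob,carol,dave", "Dev_Ops-Team:*:501:J.Smith,erin"]
    for group, result in audit(sample, max_line=21).items():
        print(group, result)
```

Running the audit before any ldapmodify import shows which names need renaming and which groups need splitting, so the naming inconsistencies surface before they become directory entries.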